From 4f552ffdb223895af7565854df2c335fa6392346 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 6 Feb 2023 18:06:50 +0000 Subject: [PATCH] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .curlrc | 2 +- .gnupg/gpg-agent.conf | 2 +- .gnupg/gpg.conf | 2 +- .vscode/PythonImportHelper-v2-Completion.json | 1136 +++--- .vscode/c_cpp_properties.json | 40 +- .zshrc | 2 +- better_anonymity | 3 +- bin/clean | 2 +- bin/homebrew_tap | 2 +- blockips.conf | 2 +- config/bin/apply_basic_settings | 1 - config/bin/apply_default_settings | 2 +- config/bin/homebrew_tap | 2 +- config/bin/install_applications | 2 +- config/bin/install_homebrew_casks | 2 - config/bin/restore_backup | 2 +- docs/papers/README.md | 4 +- docs/papers/guide.md | 94 +- .../audit/audit_acls_files_configure.yaml | 18 +- .../audit/audit_acls_folders_configure.yaml | 16 +- docs/rules/audit/audit_auditd_enabled.yaml | 28 +- .../audit_configure_capacity_notify.yaml | 10 +- .../audit/audit_control_acls_configure.yaml | 4 +- .../audit/audit_control_group_configure.yaml | 2 +- .../audit/audit_control_mode_configure.yaml | 2 +- .../audit/audit_control_owner_configure.yaml | 2 +- docs/rules/audit/audit_enforce_dual_auth.yaml | 6 +- docs/rules/audit/audit_failure_halt.yaml | 26 +- .../audit/audit_files_group_configure.yaml | 18 +- .../audit/audit_files_mode_configure.yaml | 20 +- .../audit/audit_files_owner_configure.yaml | 24 +- .../rules/audit/audit_flags_aa_configure.yaml | 24 +- .../rules/audit/audit_flags_ad_configure.yaml | 28 +- docs/rules/audit/audit_flags_configure.yaml | 2 +- .../rules/audit/audit_flags_ex_configure.yaml | 10 +- .../rules/audit/audit_flags_fd_configure.yaml | 20 +- .../rules/audit/audit_flags_fm_configure.yaml | 14 +- .../audit_flags_fm_failed_configure.yaml | 16 +- .../rules/audit/audit_flags_fr_configure.yaml | 28 +- .../rules/audit/audit_flags_fw_configure.yaml | 30 +- .../rules/audit/audit_flags_lo_configure.yaml | 24 +- 
.../audit/audit_folder_group_configure.yaml | 18 +- .../audit/audit_folder_owner_configure.yaml | 18 +- .../audit/audit_folders_mode_configure.yaml | 24 +- docs/rules/audit/audit_off_load_records.yaml | 4 +- ...it_record_reduction_report_generation.yaml | 10 +- .../rules/audit/audit_records_processing.yaml | 8 +- .../audit/audit_retention_configure.yaml | 20 +- .../audit_retention_configure_sixty_days.yaml | 6 +- .../audit/audit_settings_failure_notify.yaml | 18 +- .../auth_pam_login_smartcard_enforce.yaml | 20 +- .../auth/auth_pam_su_smartcard_enforce.yaml | 20 +- .../auth/auth_pam_sudo_smartcard_enforce.yaml | 20 +- docs/rules/auth/auth_smartcard_allow.yaml | 8 +- ...rtcard_certificate_trust_enforce_high.yaml | 8 +- ...rd_certificate_trust_enforce_moderate.yaml | 10 +- docs/rules/auth/auth_smartcard_enforce.yaml | 16 +- ...h_ssh_password_authentication_disable.yaml | 12 +- .../icloud/icloud_addressbook_disable.yaml | 16 +- .../icloud_appleid_prefpane_disable.yaml | 22 +- .../icloud/icloud_bookmarks_disable.yaml | 16 +- .../rules/icloud/icloud_calendar_disable.yaml | 22 +- docs/rules/icloud/icloud_drive_disable.yaml | 20 +- .../rules/icloud/icloud_keychain_disable.yaml | 24 +- docs/rules/icloud/icloud_mail_disable.yaml | 16 +- docs/rules/icloud/icloud_notes_disable.yaml | 18 +- docs/rules/icloud/icloud_photos_disable.yaml | 20 +- .../icloud/icloud_private_relay_disable.yaml | 18 +- .../icloud/icloud_reminders_disable.yaml | 18 +- docs/rules/icloud/icloud_sync_disable.yaml | 4 +- docs/rules/os/os_airdrop_disable.yaml | 22 +- docs/rules/os/os_anti_virus_installed.yaml | 6 +- docs/rules/os/os_appleid_prompt_disable.yaml | 22 +- docs/rules/os/os_application_sandboxing.yaml | 4 +- ...s_asl_log_files_owner_group_configure.yaml | 6 +- ...s_asl_log_files_permissions_configure.yaml | 4 +- docs/rules/os/os_auth_peripherals.yaml | 4 +- .../os/os_authenticated_root_enable.yaml | 6 +- docs/rules/os/os_blank_bluray_disable.yaml | 10 +- docs/rules/os/os_blank_cd_disable.yaml | 
10 +- docs/rules/os/os_blank_dvd_disable.yaml | 10 +- .../rules/os/os_bluray_read_only_enforce.yaml | 10 +- docs/rules/os/os_bonjour_disable.yaml | 18 +- docs/rules/os/os_burn_support_disable.yaml | 8 +- docs/rules/os/os_calendar_app_disable.yaml | 18 +- docs/rules/os/os_camera_disable.yaml | 2 +- docs/rules/os/os_cd_read_only_enforce.yaml | 10 +- .../os/os_certificate_authority_trust.yaml | 18 +- .../os/os_change_security_attributes.yaml | 6 +- .../os/os_config_data_install_enforce.yaml | 4 +- docs/rules/os/os_continuous_monitoring.yaml | 4 +- docs/rules/os/os_crypto_audit.yaml | 12 +- .../os/os_directory_services_configured.yaml | 6 +- docs/rules/os/os_disk_image_disable.yaml | 10 +- docs/rules/os/os_dvdram_disable.yaml | 10 +- docs/rules/os/os_efi_integrity_validated.yaml | 4 +- .../os/os_enforce_access_restrictions.yaml | 4 +- ...os_erase_content_and_settings_disable.yaml | 4 +- docs/rules/os/os_ess_installed.yaml | 12 +- docs/rules/os/os_facetime_app_disable.yaml | 24 +- docs/rules/os/os_fail_secure_state.yaml | 6 +- .../os/os_filevault_authorized_users.yaml | 6 +- .../os/os_filevault_autologin_disable.yaml | 20 +- .../os/os_firewall_default_deny_require.yaml | 6 +- docs/rules/os/os_firewall_log_enable.yaml | 12 +- .../os/os_firmware_password_require.yaml | 20 +- docs/rules/os/os_gatekeeper_enable.yaml | 20 +- docs/rules/os/os_gatekeeper_rearm.yaml | 6 +- docs/rules/os/os_grant_privs.yaml | 4 +- docs/rules/os/os_guest_folder_removed.yaml | 8 +- docs/rules/os/os_handoff_disable.yaml | 6 +- ...ate_mode_destroyfvkeyonstandby_enable.yaml | 4 +- docs/rules/os/os_hibernate_mode_enable.yaml | 2 +- docs/rules/os/os_home_folders_secure.yaml | 16 +- docs/rules/os/os_httpd_disable.yaml | 22 +- .../os/os_icloud_storage_prompt_disable.yaml | 22 +- docs/rules/os/os_implement_cryptography.yaml | 6 +- .../os/os_implement_memory_protection.yaml | 6 +- docs/rules/os/os_information_validation.yaml | 2 +- .../os_install_log_retention_configure.yaml | 6 +- 
docs/rules/os/os_ir_support_disable.yaml | 14 +- .../os/os_isolate_security_functions.yaml | 4 +- .../os/os_library_validation_enabled.yaml | 6 +- docs/rules/os/os_limit_dos_attacks.yaml | 4 +- docs/rules/os/os_limit_gui_sessions.yaml | 2 +- docs/rules/os/os_logical_access.yaml | 4 +- docs/rules/os/os_mail_app_disable.yaml | 24 +- .../os/os_malicious_code_prevention.yaml | 22 +- docs/rules/os/os_mdm_require.yaml | 10 +- docs/rules/os/os_messages_app_disable.yaml | 22 +- .../os/os_mobile_file_integrity_enable.yaml | 6 +- ...newsyslog_files_owner_group_configure.yaml | 8 +- ...newsyslog_files_permissions_configure.yaml | 4 +- docs/rules/os/os_nfsd_disable.yaml | 18 +- docs/rules/os/os_nonlocal_maintenance.yaml | 2 +- docs/rules/os/os_notify_account_created.yaml | 4 +- docs/rules/os/os_notify_account_disabled.yaml | 2 +- docs/rules/os/os_notify_account_enable.yaml | 4 +- docs/rules/os/os_notify_account_modified.yaml | 4 +- docs/rules/os/os_notify_account_removal.yaml | 4 +- ...s_notify_unauthorized_baseline_change.yaml | 4 +- .../rules/os/os_parental_controls_enable.yaml | 8 +- .../os/os_password_autofill_disable.yaml | 2 +- docs/rules/os/os_password_hint_remove.yaml | 6 +- .../os/os_password_proximity_disable.yaml | 4 +- .../rules/os/os_password_sharing_disable.yaml | 4 +- docs/rules/os/os_peripherals_identify.yaml | 4 +- .../os_policy_banner_loginwindow_enforce.yaml | 28 +- .../os/os_policy_banner_ssh_configure.yaml | 24 +- .../os/os_policy_banner_ssh_enforce.yaml | 24 +- docs/rules/os/os_prevent_priv_execution.yaml | 6 +- docs/rules/os/os_prevent_priv_functions.yaml | 8 +- .../os_prevent_unauthorized_disclosure.yaml | 6 +- .../os/os_privacy_setup_prompt_disable.yaml | 6 +- ...ibit_remote_activation_collab_devices.yaml | 6 +- docs/rules/os/os_protect_dos_attacks.yaml | 6 +- ..._provide_automated_account_management.yaml | 2 +- ..._reauth_devices_change_authenticators.yaml | 4 +- docs/rules/os/os_recovery_lock_enable.yaml | 16 +- 
docs/rules/os/os_removable_media_disable.yaml | 12 +- docs/rules/os/os_required_crypto_module.yaml | 4 +- docs/rules/os/os_root_disable.yaml | 6 +- ...os_safari_open_safe_downloads_disable.yaml | 2 +- .../os_screensaver_loginwindow_enforce.yaml | 10 +- docs/rules/os/os_secure_boot_verify.yaml | 6 +- docs/rules/os/os_secure_enclave.yaml | 6 +- docs/rules/os/os_separate_functionality.yaml | 10 +- .../os_show_filename_extensions_enable.yaml | 6 +- docs/rules/os/os_sip_enable.yaml | 24 +- docs/rules/os/os_siri_prompt_disable.yaml | 16 +- .../os/os_skip_screen_time_prompt_enable.yaml | 6 +- .../os/os_skip_unlock_with_watch_enable.yaml | 26 +- docs/rules/os/os_ssh_fips_compliant.yaml | 10 +- ..._ssh_server_alive_count_max_configure.yaml | 6 +- ...s_ssh_server_alive_interval_configure.yaml | 10 +- ...sshd_client_alive_count_max_configure.yaml | 10 +- ..._sshd_client_alive_interval_configure.yaml | 14 +- docs/rules/os/os_sshd_fips_140_ciphers.yaml | 12 +- docs/rules/os/os_sshd_fips_140_macs.yaml | 14 +- docs/rules/os/os_sshd_fips_compliant.yaml | 12 +- ...sshd_key_exchange_algorithm_configure.yaml | 16 +- .../os_sshd_login_grace_time_configure.yaml | 6 +- .../os_sshd_permit_root_login_configure.yaml | 18 +- docs/rules/os/os_sudo_timeout_configure.yaml | 8 +- .../os_sudoers_timestamp_type_configure.yaml | 8 +- docs/rules/os/os_sudoers_tty_configure.yaml | 8 +- docs/rules/os/os_system_read_only.yaml | 6 +- .../os_terminal_secure_keyboard_enable.yaml | 6 +- docs/rules/os/os_tftpd_disable.yaml | 20 +- .../os/os_time_offset_limit_configure.yaml | 8 +- docs/rules/os/os_time_server_enabled.yaml | 16 +- docs/rules/os/os_touchid_prompt_disable.yaml | 4 +- ...os_unlock_active_user_session_disable.yaml | 6 +- .../os/os_user_app_installation_prohibit.yaml | 6 +- docs/rules/os/os_uucp_disable.yaml | 18 +- ...orld_writable_system_folder_configure.yaml | 2 +- docs/rules/pwpolicy/pwpolicy_50_percent.yaml | 10 +- .../pwpolicy/pwpolicy_60_day_enforce.yaml | 20 +- 
.../pwpolicy_account_inactivity_enforce.yaml | 14 +- .../pwpolicy_account_lockout_enforce.yaml | 18 +- ...pwpolicy_account_lockout_enforce_five.yaml | 6 +- ...olicy_account_lockout_timeout_enforce.yaml | 20 +- .../pwpolicy_alpha_numeric_enforce.yaml | 22 +- .../pwpolicy_emergency_accounts_disable.yaml | 8 +- .../pwpolicy/pwpolicy_history_enforce.yaml | 24 +- .../pwpolicy_history_enforce_fifteen.yaml | 10 +- ...pwpolicy_lower_case_character_enforce.yaml | 16 +- .../pwpolicy_minimum_length_enforce.yaml | 20 +- .../pwpolicy_minimum_lifetime_enforce.yaml | 16 +- .../pwpolicy_prevent_dictionary_words.yaml | 8 +- .../pwpolicy_simple_sequence_disable.yaml | 6 +- .../pwpolicy_special_character_enforce.yaml | 24 +- .../pwpolicy_temporary_accounts_disable.yaml | 4 +- ...mporary_or_emergency_accounts_disable.yaml | 22 +- ...pwpolicy_upper_case_character_enforce.yaml | 16 +- .../supplemental/supplemental_cis_manual.yaml | 10 +- .../supplemental/supplemental_controls.yaml | 32 +- .../supplemental/supplemental_filevault.yaml | 26 +- .../supplemental_firewall_pf.yaml | 18 +- .../supplemental_password_policy.yaml | 14 +- .../supplemental/supplemental_smartcard.yaml | 20 +- .../sysprefs_airplay_receiver_disable.yaml | 12 +- .../sysprefs_apple_watch_unlock_disable.yaml | 14 +- .../sysprefs_automatic_login_disable.yaml | 14 +- .../sysprefs_automatic_logout_enforce.yaml | 3 +- .../sysprefs/sysprefs_bluetooth_disable.yaml | 18 +- .../sysprefs_bluetooth_menu_enable.yaml | 10 +- .../sysprefs_bluetooth_prefpane_disable.yaml | 10 +- .../sysprefs_bluetooth_prefpane_hide.yaml | 10 +- .../sysprefs_bluetooth_sharing_disable.yaml | 13 +- .../sysprefs_bluetooth_unpaired_disable.yaml | 12 +- .../sysprefs_cd_dvd_sharing_disable.yaml | 11 +- .../sysprefs_content_caching_disable.yaml | 8 +- ...prefs_critical_update_install_enforce.yaml | 6 +- .../sysprefs_diagnostics_reports_disable.yaml | 26 +- .../sysprefs/sysprefs_filevault_enforce.yaml | 20 +- .../sysprefs/sysprefs_find_my_disable.yaml | 8 +- 
.../sysprefs/sysprefs_firewall_enable.yaml | 26 +- ...sysprefs_firewall_stealth_mode_enable.yaml | 22 +- ...ekeeper_identified_developers_allowed.yaml | 20 +- ...sysprefs_gatekeeper_override_disallow.yaml | 22 +- .../sysprefs_guest_access_smb_disable.yaml | 14 +- .../sysprefs_guest_account_disable.yaml | 24 +- .../sysprefs_hot_corners_disable.yaml | 16 +- .../sysprefs/sysprefs_hot_corners_secure.yaml | 10 +- ...sprefs_improve_siri_dictation_disable.yaml | 6 +- ...ysprefs_install_macos_updates_enforce.yaml | 6 +- ...fs_internet_accounts_prefpane_disable.yaml | 22 +- ...prefs_internet_accounts_prefpane_hide.yaml | 10 +- .../sysprefs_internet_sharing_disable.yaml | 22 +- .../sysprefs_location_services_audit.yaml | 14 +- .../sysprefs_location_services_disable.yaml | 24 +- .../sysprefs_location_services_enable.yaml | 14 +- ...fs_loginwindow_loginwindowtext_enable.yaml | 10 +- ...ndow_prompt_username_password_enforce.yaml | 16 +- .../sysprefs_media_sharing_disabled.yaml | 2 +- .../sysprefs_password_hints_disable.yaml | 18 +- ...refs_personalized_advertising_disable.yaml | 8 +- .../sysprefs/sysprefs_power_nap_disable.yaml | 6 +- .../sysprefs_printer_sharing_disable.yaml | 11 +- docs/rules/sysprefs/sysprefs_rae_disable.yaml | 22 +- .../sysprefs_remote_management_disable.yaml | 12 +- .../sysprefs_screen_sharing_disable.yaml | 20 +- ...nsaver_ask_for_password_delay_enforce.yaml | 22 +- ...sysprefs_screensaver_password_enforce.yaml | 20 +- .../sysprefs_screensaver_timeout_enforce.yaml | 20 +- .../rules/sysprefs/sysprefs_siri_disable.yaml | 20 +- .../sysprefs_siri_prefpane_disable.yaml | 14 +- .../sysprefs/sysprefs_siri_prefpane_hide.yaml | 14 +- .../rules/sysprefs/sysprefs_smbd_disable.yaml | 18 +- ...fs_software_update_app_update_enforce.yaml | 2 +- ...refs_software_update_download_enforce.yaml | 2 +- .../sysprefs_software_update_enforce.yaml | 2 +- .../sysprefs_softwareupdate_current.yaml | 6 +- docs/rules/sysprefs/sysprefs_ssh_disable.yaml | 10 +- 
docs/rules/sysprefs/sysprefs_ssh_enable.yaml | 22 +- ...efs_system_wide_preferences_configure.yaml | 14 +- ...prefs_time_machine_auto_backup_enable.yaml | 14 +- ...refs_time_machine_encrypted_configure.yaml | 14 +- .../sysprefs_time_server_configure.yaml | 18 +- .../sysprefs_time_server_enforce.yaml | 17 +- .../sysprefs_token_removal_enforce.yaml | 16 +- .../sysprefs_touchid_prefpane_disable.yaml | 12 +- .../sysprefs_touchid_prefpane_hide.yaml | 12 +- .../sysprefs_touchid_unlock_disable.yaml | 14 +- .../sysprefs_wake_network_access_disable.yaml | 4 +- ...refs_wallet_applepay_prefpane_disable.yaml | 14 +- ...ysprefs_wallet_applepay_prefpane_hide.yaml | 12 +- .../rules/sysprefs/sysprefs_wifi_disable.yaml | 22 +- ...fi_disable_when_connected_to_ethernet.yaml | 8 +- .../sysprefs/sysprefs_wifi_menu_enable.yaml | 8 +- docs/sections/auditing.yaml | 2 +- docs/sections/authentication.yaml | 4 +- docs/sections/icloud.yaml | 2 +- docs/sections/inherent.yaml | 2 +- docs/sections/macos.yaml | 2 +- docs/sections/not_applicable.yaml | 2 +- docs/sections/passwordpolicy.yaml | 4 +- docs/sections/permanent.yaml | 2 +- docs/sections/srg.yaml | 2 +- docs/sections/supplemental.yaml | 2 +- docs/sections/systempreferences.yaml | 2 +- docs/templates/adoc_acronyms.adoc | 4 +- docs/templates/adoc_additional_docs.adoc | 4 +- docs/templates/adoc_authors.adoc | 2 +- docs/templates/adoc_foreword.adoc | 2 +- docs/templates/adoc_rules_table_footer.adoc | 2 +- docs/templates/adoc_rules_table_header.adoc | 2 +- docs/templates/adoc_scope.adoc | 2 +- docs/templates/adoc_section.adoc | 1 - docs/templates/adoc_supplemental.adoc | 1 - docs/templates/asciidoctor.css | 2 +- docs/templates/pdf-theme.yml | 4 +- etc/hosts/blocklist.txt | 2 +- etc/pf/sample-pf.conf | 2 +- etc/privoxy/user.action | 33 +- etc/privoxy/user.filter | 21 +- firefox | 510 +-- firefox.user.js | 614 +-- gitconfig | 2 +- homebrew.mxcl.dnsmasq.plist | 2 +- scripts/KNOWN_ISSUES | 4 +- scripts/anon.sh | 6 +- scripts/argparse-example.sh | 
16 +- scripts/base.sh | 59 +- scripts/better-anonymity.sh | 24 +- scripts/cli.sh | 8 +- scripts/dnsmasq-dhcp.sh | 2 +- scripts/enablePF-mscp.sh | 8 +- scripts/generate_baseline.py | 272 +- scripts/generate_guidance.py | 1337 ++++--- scripts/generate_mapping.py | 515 ++- scripts/generate_oval.py | 3536 ++++++++++++----- scripts/mac | 2 +- scripts/macos-dns.sh | 2 +- scripts/pf-blocklist.sh | 8 +- scripts/pr.sh | 2 +- scripts/privacy-script.sh | 4 +- scripts/secure.sh | 2 +- scripts/setup.sh | 3 +- scripts/subcommand.sh | 24 +- torrc | 2 +- user.js | 1334 ++++--- usr/local/etc/dnscrypt-blacklist.txt | 1 - 344 files changed, 7563 insertions(+), 5543 deletions(-)
diff --git a/.curlrc b/.curlrc
index 2ad17c7..15c1fb9 100644
--- a/.curlrc
+++ b/.curlrc
@@ -10,4 +10,4 @@ progress-bar
 referer = ";auto"
 remote-time
 show-error
-verbose
\ No newline at end of file
+verbose
diff --git a/.gnupg/gpg-agent.conf b/.gnupg/gpg-agent.conf
index d16f8d4..f396cbf 100644
--- a/.gnupg/gpg-agent.conf
+++ b/.gnupg/gpg-agent.conf
@@ -10,4 +10,4 @@ pinentry-program /usr/bin/pinentry-curses
 #pinentry-program /usr/bin/pinentry-qt
 #pinentry-program /usr/local/bin/pinentry-curses
 #pinentry-program /usr/local/bin/pinentry-mac
-#pinentry-program /opt/homebrew/bin/pinentry-mac
\ No newline at end of file
+#pinentry-program /opt/homebrew/bin/pinentry-mac
diff --git a/.gnupg/gpg.conf b/.gnupg/gpg.conf
index 5ee93c7..68bc7cc 100644
--- a/.gnupg/gpg.conf
+++ b/.gnupg/gpg.conf
@@ -57,4 +57,4 @@ throw-keyids
 # Verbose output
 #verbose
 # Show expired subkeys
-#list-options show-unusable-subkeys
\ No newline at end of file
+#list-options show-unusable-subkeys
diff --git a/.vscode/PythonImportHelper-v2-Completion.json b/.vscode/PythonImportHelper-v2-Completion.json
index 442d2b5..78c6cbc 100644
--- a/.vscode/PythonImportHelper-v2-Completion.json
+++ b/.vscode/PythonImportHelper-v2-Completion.json
@@ -1,569 +1,569 @@ [ - { - "label": "os.path", - "kind": 6, - "isExtraImport": true, - "importPath": "os.path", - "description": "os.path", - "detail": "os.path", - "documentation": {} - }, - { - "label": "glob", - "kind": 6, - "isExtraImport": true, - "importPath": "glob", - "description": "glob", - "detail": "glob", - "documentation": {} - }, - { - "label": "os", - "kind": 6, - "isExtraImport": true, - "importPath": "os", - "description": "os", - "detail": "os", - "documentation": {} - }, - { - "label": "yaml", - "kind": 6, - "isExtraImport": true, - "importPath": "yaml", - "description": "yaml", - "detail": "yaml", - "documentation": {} - }, - { - "label": "argparse", - "kind": 6, - "isExtraImport": true, - "importPath": "argparse", - "description": "argparse", - "detail": "argparse", - "documentation": {} - }, - { - "label": "types", - "kind": 6, - "isExtraImport": true, - "importPath": "types", - "description": "types", - "detail": "types", - "documentation": {} - }, - { - "label": "sys", - "kind": 6, - "isExtraImport": true, - "importPath": "sys", - "description": "sys", - "detail": "sys", - "documentation": {} - }, - { - "label": "plistlib", - "kind": 6, - "isExtraImport": true, - "importPath": "plistlib", - "description": "plistlib", - "detail": "plistlib", - "documentation": {} - }, - { - "label": "xlwt", - "kind": 6, - "isExtraImport": true, - "importPath": "xlwt", - "description": "xlwt", - "detail": "xlwt", - "documentation": {} - }, - { - "label": "Workbook", - "importPath": "xlwt", - "description": "xlwt", - "isExtraImport": true, - "detail": "xlwt", - "documentation": {} - }, - { - "label": "io", - "kind": 6, - "isExtraImport": true, - "importPath": "io", - "description": "io", - "detail": "io", - "documentation": {} - }, - { - "label": "re", - "kind": 6, - "isExtraImport": true, - "importPath": "re", - "description": "re", - "detail": "re", - "documentation": {} - }, - { - "label": "subprocess", - "kind": 6, - "isExtraImport": true, - "importPath": 
"subprocess", - "description": "subprocess", - "detail": "subprocess", - "documentation": {} - }, - { - "label": "logging", - "kind": 6, - "isExtraImport": true, - "importPath": "logging", - "description": "logging", - "detail": "logging", - "documentation": {} - }, - { - "label": "tempfile", - "kind": 6, - "isExtraImport": true, - "importPath": "tempfile", - "description": "tempfile", - "detail": "tempfile", - "documentation": {} - }, - { - "label": "Template", - "importPath": "string", - "description": "string", - "isExtraImport": true, - "detail": "string", - "documentation": {} - }, - { - "label": "groupby", - "importPath": "itertools", - "description": "itertools", - "isExtraImport": true, - "detail": "itertools", - "documentation": {} - }, - { - "label": "uuid4", - "importPath": "uuid", - "description": "uuid", - "isExtraImport": true, - "detail": "uuid", - "documentation": {} - }, - { - "label": "namedtuple", - "importPath": "collections", - "description": "collections", - "isExtraImport": true, - "detail": "collections", - "documentation": {} - }, - { - "label": "csv", - "kind": 6, - "isExtraImport": true, - "importPath": "csv", - "description": "csv", - "detail": "csv", - "documentation": {} - }, - { - "label": "Path", - "importPath": "pathlib", - "description": "pathlib", - "isExtraImport": true, - "detail": "pathlib", - "documentation": {} - }, - { - "label": "Path", - "importPath": "pathlib", - "description": "pathlib", - "isExtraImport": true, - "detail": "pathlib", - "documentation": {} - }, - { - "label": "warnings", - "kind": 6, - "isExtraImport": true, - "importPath": "warnings", - "description": "warnings", - "detail": "warnings", - "documentation": {} - }, - { - "label": "datetime", - "importPath": "datetime", - "description": "datetime", - "isExtraImport": true, - "detail": "datetime", - "documentation": {} - }, - { - "label": "shutil", - "kind": 6, - "isExtraImport": true, - "importPath": "shutil", - "description": "shutil", - "detail": 
"shutil", - "documentation": {} - }, - { - "label": "sleep", - "importPath": "time", - "description": "time", - "isExtraImport": true, - "detail": "time", - "documentation": {} - }, - { - "label": "MacSecurityRule", - "kind": 6, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "class MacSecurityRule():\n def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, disa_stig, srg, tags, result_value, mobileconfig, mobileconfig_info):\n self.rule_title = title\n self.rule_id = rule_id\n self.rule_severity = severity\n self.rule_discussion = discussion\n self.rule_check = check\n self.rule_fix = fix\n self.rule_cci = cci\n self.rule_cce = cce", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "get_rule_yaml", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def get_rule_yaml(rule_file, custom=False):\n \"\"\" Takes a rule file, checks for a custom version, and returns the yaml for the rule\n \"\"\"\n resulting_yaml = {}\n names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]\n file_name = os.path.basename(rule_file)\n # if file_name in names:\n # print(f\"Custom settings found for rule: {rule_file}\")\n # try:\n # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "collect_rules", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def collect_rules():\n \"\"\"Takes a baseline yaml file and parses the rules, returns a list of containing rules\n \"\"\"\n all_rules = []\n #expected keys and references\n keys = ['mobileconfig',\n 'macOS',\n 'severity',\n 'title',\n 'check',", - "detail": 
"docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "create_args", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def create_args():\n \"\"\"configure the arguments used in the script, returns the parsed arguments\n \"\"\"\n parser = argparse.ArgumentParser(\n description='Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.')\n parser.add_argument(\"-c\", \"--controls\", default=None,\n help=\"Output the 800-53 controls covered by the rules.\", action=\"store_true\")\n parser.add_argument(\"-k\", \"--keyword\", default=None,\n help=\"Keyword tag to collect rules containing the tag.\", action=\"store\")\n parser.add_argument(\"-l\", \"--list_tags\", default=None,", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "section_title", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def section_title(section_name):\n titles = {\n \"auth\": \"authentication\",\n \"audit\": \"auditing\",\n \"os\": \"macos\",\n \"pwpolicy\": \"passwordpolicy\",\n \"icloud\": \"icloud\",\n \"sysprefs\": \"systempreferences\",\n \"srg\": \"srg\"\n }", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "get_controls", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def get_controls(all_rules):\n all_controls = []\n for rule in all_rules:\n for control in rule.rule_80053r4:\n if control not in all_controls:\n all_controls.append(control)\n all_controls.sort()\n return all_controls\ndef available_tags(all_rules):\n all_tags = []", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "available_tags", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": 
"docs.scripts.generate_baseline", - "peekOfCode": "def available_tags(all_rules):\n all_tags = []\n for rule in all_rules:\n for tag in rule.rule_tags:\n all_tags.append(tag)\n available_tags = []\n for tag in all_tags:\n if tag not in available_tags:\n available_tags.append(tag)\n available_tags.append(\"all_rules\")", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "output_baseline", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def output_baseline(rules, os, keyword):\n inherent_rules = []\n permanent_rules = []\n na_rules = []\n supplemental_rules = []\n other_rules = []\n sections = []\n output_text = \"\"\n for rule in rules:\n if \"inherent\" in rule.rule_tags:", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "main", - "kind": 2, - "importPath": "docs.scripts.generate_baseline", - "description": "docs.scripts.generate_baseline", - "peekOfCode": "def main():\n args = create_args()\n try:\n # output_basename = os.path.basename(args.baseline.name)\n # output_filename = os.path.splitext(output_basename)[0]\n # baseline_name = os.path.splitext(output_basename)[0].capitalize()\n file_dir = os.path.dirname(os.path.abspath(__file__))\n parent_dir = os.path.dirname(file_dir)\n # stash current working directory\n original_working_directory = os.getcwd()", - "detail": "docs.scripts.generate_baseline", - "documentation": {} - }, - { - "label": "MacSecurityRule", - "kind": 6, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "class MacSecurityRule():\n def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):\n self.rule_title = title\n self.rule_id = rule_id\n self.rule_severity = severity\n 
self.rule_discussion = discussion\n self.rule_check = check\n self.rule_fix = fix\n self.rule_cci = cci\n self.rule_cce = cce", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "AdocTemplate", - "kind": 6, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "class AdocTemplate:\n def __init__(self, name, path, template_file):\n self.name = name\n self.path = path\n self.template_file = template_file\nclass PayloadDict:\n \"\"\"Class to create and manipulate Configuration Profiles.\n The actual plist content can be accessed as a dictionary via the 'data' attribute.\n \"\"\"\n def __init__(self, identifier, uuid=False, removal_allowed=False, description='', organization='', displayname=''):", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "PayloadDict", - "kind": 6, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "class PayloadDict:\n \"\"\"Class to create and manipulate Configuration Profiles.\n The actual plist content can be accessed as a dictionary via the 'data' attribute.\n \"\"\"\n def __init__(self, identifier, uuid=False, removal_allowed=False, description='', organization='', displayname=''):\n self.data = {}\n self.data['PayloadVersion'] = 1\n self.data['PayloadOrganization'] = organization\n if uuid:\n self.data['PayloadUUID'] = uuid", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "ulify", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def ulify(elements):\n string = \"\\n\"\n for s in elements:\n string += \"* \" + str(s) + \"\\n\"\n return string\ndef group_ulify(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]", - "detail": "docs.scripts.generate_guidance", - 
"documentation": {} - }, - { - "label": "group_ulify", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def group_ulify(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]\ndef group_ulify_comment(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "group_ulify_comment", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def group_ulify_comment(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]\ndef get_check_code(check_yaml):\n try:\n check_string = check_yaml.split(\"[source,bash]\")[1]\n except:\n return check_yaml", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "get_check_code", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def get_check_code(check_yaml):\n try:\n check_string = check_yaml.split(\"[source,bash]\")[1]\n except:\n return check_yaml\n #print check_string\n check_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', check_string)\n #print(check_code.group(1).rstrip())\n return(check_code.group(1).strip())\ndef quotify(fix_code):", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "quotify", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def quotify(fix_code):\n string = fix_code.replace(\"'\", \"\\'\\\"\\'\\\"\\'\")\n string = string.replace(\"%\", \"%%\")\n return string\ndef get_fix_code(fix_yaml):\n fix_string = fix_yaml.split(\"[source,bash]\")[1]\n fix_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', 
fix_string)\n return(fix_code.group(1))\ndef format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "get_fix_code", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def get_fix_code(fix_yaml):\n fix_string = fix_yaml.split(\"[source,bash]\")[1]\n fix_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', fix_string)\n return(fix_code.group(1))\ndef format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.\n \"\"\"\n rulefix = \"\"\n for domain, settings in mobileconfig.items():\n if domain == \"com.apple.ManagedClient.preferences\":", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "format_mobileconfig_fix", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.\n \"\"\"\n rulefix = \"\"\n for domain, settings in mobileconfig.items():\n if domain == \"com.apple.ManagedClient.preferences\":\n rulefix = rulefix + \\\n (f\"NOTE: The following settings are in the ({domain}) payload. 
This payload requires the additional settings to be sub-payloads within, containing their their defined payload types.\\n\\n\")\n rulefix = rulefix + format_mobileconfig_fix(settings)\n else:", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "makeNewUUID", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def makeNewUUID():\n return str(uuid4())\ndef concatenate_payload_settings(settings):\n \"\"\"Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key\n \"\"\"\n settings_list = []\n settings_dict = {}\n for item in settings:\n for key, value in item.items():\n if isinstance(value, list):", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "concatenate_payload_settings", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def concatenate_payload_settings(settings):\n \"\"\"Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key\n \"\"\"\n settings_list = []\n settings_dict = {}\n for item in settings:\n for key, value in item.items():\n if isinstance(value, list):\n settings_dict.setdefault(key, []).append(value[0])\n else:", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "generate_profiles", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''):\n \"\"\"Generate the configuration profiles for the rules in the provided baseline YAML file\n \"\"\"\n organization = \"macOS Security Compliance Project\"\n displayname = f\"macOS {baseline_name} Baseline settings\"\n # import profile_manifests.plist\n manifests_file = 
os.path.join(\n parent_dir, 'includes', 'supported_payloads.yaml')\n with open(manifests_file) as r:\n manifests = yaml.load(r, Loader=yaml.SafeLoader)", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "default_audit_plist", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def default_audit_plist(baseline_name, build_path, baseline_yaml):\n \"\"\"\"Generate the default audit plist file to define exemptions\n \"\"\"\n # Output folder\n plist_output_path = os.path.join(\n f'{build_path}', 'preferences')\n if not (os.path.isdir(plist_output_path)):\n try:\n os.makedirs(plist_output_path)\n except OSError:", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "generate_script", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def generate_script(baseline_name, build_path, baseline_yaml, reference):\n \"\"\"Generates the zsh script from the rules in the baseline YAML\n \"\"\"\n compliance_script_file = open(\n build_path + '/' + baseline_name + '_compliance.sh', 'w')\n check_function_string = \"\"\n fix_function_string = \"\"\n # create header of fix zsh script\n check_zsh_header = f\"\"\"#!/bin/zsh\n## This script will attempt to audit all of the settings based on the installed profile.", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "get_rule_yaml", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def get_rule_yaml(rule_file, custom=False):\n \"\"\" Takes a rule file, checks for a custom version, and returns the yaml for the rule\n \"\"\"\n resulting_yaml = {}\n names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]\n file_name = os.path.basename(rule_file)\n # if 
file_name in names:\n # print(f\"Custom settings found for rule: {rule_file}\")\n # try:\n # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "generate_xls", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def generate_xls(baseline_name, build_path, baseline_yaml):\n \"\"\"Using the baseline yaml file, create an XLS document containing the YAML fields\n \"\"\"\n baseline_rules = create_rules(baseline_yaml)\n # File path setup\n file_dir = os.path.dirname(os.path.abspath(__file__))\n parent_dir = os.path.dirname(file_dir)\n # Output files\n xls_output_file = f\"{build_path}/{baseline_name}.xls\"\n wb = Workbook()", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "create_rules", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def create_rules(baseline_yaml):\n \"\"\"Takes a baseline yaml file and parses the rules, returns a list of containing rules\n \"\"\"\n all_rules = []\n #expected keys and references\n keys = ['mobileconfig',\n 'macOS',\n 'severity',\n 'title',\n 'check',", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "create_args", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def create_args():\n \"\"\"configure the arguments used in the script, returns the parsed arguements\n \"\"\"\n parser = argparse.ArgumentParser(\n description='Given a baseline, create guidance documents and files.')\n parser.add_argument(\"baseline\", default=None,\n help=\"Baseline YAML file used to create the guide.\", type=argparse.FileType('rt'))\n parser.add_argument(\"-c\", \"--clean\", default=None,\n help=argparse.SUPPRESS, 
action=\"store_true\")\n parser.add_argument(\"-d\", \"--debug\", default=None,", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "is_asciidoctor_installed", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def is_asciidoctor_installed():\n \"\"\"Checks to see if the ruby gem for asciidoctor is installed\n \"\"\"\n #cmd = \"gem list asciidoctor -i\"\n cmd = \"which asciidoctor\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n # return path to asciidoctor\n return output.decode(\"utf-8\").strip()\ndef is_asciidoctor_pdf_installed():", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "is_asciidoctor_pdf_installed", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def is_asciidoctor_pdf_installed():\n \"\"\"Checks to see if the ruby gem for asciidoctor-pdf is installed\n \"\"\"\n #cmd = \"gem list asciidoctor-pdf -i\"\n cmd = \"which asciidoctor-pdf\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n return output.decode(\"utf-8\").strip()\ndef verify_signing_hash(hash):\n \"\"\"Attempts to validate the existence of the certificate provided by the hash", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "verify_signing_hash", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def verify_signing_hash(hash):\n \"\"\"Attempts to validate the existence of the certificate provided by the hash\n \"\"\"\n with tempfile.NamedTemporaryFile(mode=\"w\") as in_file:\n unsigned_tmp_file_path=in_file.name\n in_file.write(\"temporary file for signing\")\n cmd = f\"security cms -S -Z {hash} -i 
{unsigned_tmp_file_path}\"\n FNULL = open(os.devnull, 'w')\n process = subprocess.Popen(cmd.split(), stdout=FNULL, stderr=FNULL)\n output, error = process.communicate()", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "sign_config_profile", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def sign_config_profile(in_file, out_file, hash):\n \"\"\"Signs the configuration profile using the identity associated with the provided hash\n \"\"\"\n cmd = f\"security cms -S -Z {hash} -i {in_file} -o {out_file}\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n print(f\"Signed Configuration profile written to {out_file}\")\n return output.decode(\"utf-8\")\ndef parse_custom_references(reference):\n string = \"\\n\"", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "parse_custom_references", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def parse_custom_references(reference):\n string = \"\\n\"\n for item in reference:\n if isinstance(reference[item], list):\n string += \"!\" + str(item) + \"\\n!\\n\"\n for i in reference[item]:\n string += \"* \" + str(i) + \"\\n\"\n else:\n string += \"!\" + str(item) + \"!* \" + str(reference[item]) + \"\\n\"\n return string", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "parse_cis_references", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def parse_cis_references(reference):\n string = \"\\n\"\n for item in reference:\n if isinstance(reference[item], list):\n string += \"!CIS \" + str(item).title() + \"\\n!\\n\"\n string += \"* \"\n for i in reference[item]:\n string += str(i) + \", \"\n string = string[:-2] + 
\"\\n\"\n else:", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "main", - "kind": 2, - "importPath": "docs.scripts.generate_guidance", - "description": "docs.scripts.generate_guidance", - "peekOfCode": "def main():\n args = create_args()\n if args.debug:\n logging.basicConfig(level=logging.DEBUG)\n else:\n logging.basicConfig(level=logging.WARNING)\n try:\n output_basename = os.path.basename(args.baseline.name)\n output_filename = os.path.splitext(output_basename)[0]\n baseline_name = os.path.splitext(output_basename)[0]#.capitalize()", - "detail": "docs.scripts.generate_guidance", - "documentation": {} - }, - { - "label": "sort_nicely", - "kind": 2, - "importPath": "docs.scripts.generate_mapping", - "description": "docs.scripts.generate_mapping", - "peekOfCode": "def sort_nicely( l ):\n# \"\"\" Sort the given list in the way that humans expect.\n# \"\"\"\n convert = lambda text: int(text) if text.isdigit() else text\n alphanum_key = lambda key: [ convert(c) for c in re.split('([0-9]+)', key) ]\n l.sort( key=alphanum_key )\ndef main():\n file_dir = os.path.dirname(os.path.abspath(__file__))\n os.chdir(file_dir) \n nist_header = \"\"", - "detail": "docs.scripts.generate_mapping", - "documentation": {} - }, - { - "label": "main", - "kind": 2, - "importPath": "docs.scripts.generate_mapping", - "description": "docs.scripts.generate_mapping", - "peekOfCode": "def main():\n file_dir = os.path.dirname(os.path.abspath(__file__))\n os.chdir(file_dir) \n nist_header = \"\"\n other_header = \"\"\n sub_directory = \"\"\n def dir_path(string):\n if os.path.isdir(string):\n return string\n else:", - "detail": "docs.scripts.generate_mapping", - "documentation": {} - }, - { - "label": "main", - "kind": 2, - "importPath": "docs.scripts.generate_oval", - "description": "docs.scripts.generate_oval", - "peekOfCode": "def main():\n now = datetime.now()\n date_time_string = now.strftime(\"%Y-%m-%dT%H:%M:%S\")\n output = \"\"\n parser = 
argparse.ArgumentParser(description='Given a profile, create oval checks.')\n parser.add_argument(\"baseline\", default=None, help=\"Baseline YAML file used to create the oval.\", type=argparse.FileType('rt'))\n results = parser.parse_args()\n try:\n output_basename = os.path.basename(results.baseline.name)\n output_filename = os.path.splitext(output_basename)[0]", - "detail": "docs.scripts.generate_oval", - "documentation": {} - } -] \ No newline at end of file + { + "label": "os.path", + "kind": 6, + "isExtraImport": true, + "importPath": "os.path", + "description": "os.path", + "detail": "os.path", + "documentation": {} + }, + { + "label": "glob", + "kind": 6, + "isExtraImport": true, + "importPath": "glob", + "description": "glob", + "detail": "glob", + "documentation": {} + }, + { + "label": "os", + "kind": 6, + "isExtraImport": true, + "importPath": "os", + "description": "os", + "detail": "os", + "documentation": {} + }, + { + "label": "yaml", + "kind": 6, + "isExtraImport": true, + "importPath": "yaml", + "description": "yaml", + "detail": "yaml", + "documentation": {} + }, + { + "label": "argparse", + "kind": 6, + "isExtraImport": true, + "importPath": "argparse", + "description": "argparse", + "detail": "argparse", + "documentation": {} + }, + { + "label": "types", + "kind": 6, + "isExtraImport": true, + "importPath": "types", + "description": "types", + "detail": "types", + "documentation": {} + }, + { + "label": "sys", + "kind": 6, + "isExtraImport": true, + "importPath": "sys", + "description": "sys", + "detail": "sys", + "documentation": {} + }, + { + "label": "plistlib", + "kind": 6, + "isExtraImport": true, + "importPath": "plistlib", + "description": "plistlib", + "detail": "plistlib", + "documentation": {} + }, + { + "label": "xlwt", + "kind": 6, + "isExtraImport": true, + "importPath": "xlwt", + "description": "xlwt", + "detail": "xlwt", + "documentation": {} + }, + { + "label": "Workbook", + "importPath": "xlwt", + "description": "xlwt", + 
"isExtraImport": true, + "detail": "xlwt", + "documentation": {} + }, + { + "label": "io", + "kind": 6, + "isExtraImport": true, + "importPath": "io", + "description": "io", + "detail": "io", + "documentation": {} + }, + { + "label": "re", + "kind": 6, + "isExtraImport": true, + "importPath": "re", + "description": "re", + "detail": "re", + "documentation": {} + }, + { + "label": "subprocess", + "kind": 6, + "isExtraImport": true, + "importPath": "subprocess", + "description": "subprocess", + "detail": "subprocess", + "documentation": {} + }, + { + "label": "logging", + "kind": 6, + "isExtraImport": true, + "importPath": "logging", + "description": "logging", + "detail": "logging", + "documentation": {} + }, + { + "label": "tempfile", + "kind": 6, + "isExtraImport": true, + "importPath": "tempfile", + "description": "tempfile", + "detail": "tempfile", + "documentation": {} + }, + { + "label": "Template", + "importPath": "string", + "description": "string", + "isExtraImport": true, + "detail": "string", + "documentation": {} + }, + { + "label": "groupby", + "importPath": "itertools", + "description": "itertools", + "isExtraImport": true, + "detail": "itertools", + "documentation": {} + }, + { + "label": "uuid4", + "importPath": "uuid", + "description": "uuid", + "isExtraImport": true, + "detail": "uuid", + "documentation": {} + }, + { + "label": "namedtuple", + "importPath": "collections", + "description": "collections", + "isExtraImport": true, + "detail": "collections", + "documentation": {} + }, + { + "label": "csv", + "kind": 6, + "isExtraImport": true, + "importPath": "csv", + "description": "csv", + "detail": "csv", + "documentation": {} + }, + { + "label": "Path", + "importPath": "pathlib", + "description": "pathlib", + "isExtraImport": true, + "detail": "pathlib", + "documentation": {} + }, + { + "label": "Path", + "importPath": "pathlib", + "description": "pathlib", + "isExtraImport": true, + "detail": "pathlib", + "documentation": {} + }, + { + "label": 
"warnings", + "kind": 6, + "isExtraImport": true, + "importPath": "warnings", + "description": "warnings", + "detail": "warnings", + "documentation": {} + }, + { + "label": "datetime", + "importPath": "datetime", + "description": "datetime", + "isExtraImport": true, + "detail": "datetime", + "documentation": {} + }, + { + "label": "shutil", + "kind": 6, + "isExtraImport": true, + "importPath": "shutil", + "description": "shutil", + "detail": "shutil", + "documentation": {} + }, + { + "label": "sleep", + "importPath": "time", + "description": "time", + "isExtraImport": true, + "detail": "time", + "documentation": {} + }, + { + "label": "MacSecurityRule", + "kind": 6, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "class MacSecurityRule():\n def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, disa_stig, srg, tags, result_value, mobileconfig, mobileconfig_info):\n self.rule_title = title\n self.rule_id = rule_id\n self.rule_severity = severity\n self.rule_discussion = discussion\n self.rule_check = check\n self.rule_fix = fix\n self.rule_cci = cci\n self.rule_cce = cce", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "get_rule_yaml", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def get_rule_yaml(rule_file, custom=False):\n \"\"\" Takes a rule file, checks for a custom version, and returns the yaml for the rule\n \"\"\"\n resulting_yaml = {}\n names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]\n file_name = os.path.basename(rule_file)\n # if file_name in names:\n # print(f\"Custom settings found for rule: {rule_file}\")\n # try:\n # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, 
+ { + "label": "collect_rules", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def collect_rules():\n \"\"\"Takes a baseline yaml file and parses the rules, returns a list of containing rules\n \"\"\"\n all_rules = []\n #expected keys and references\n keys = ['mobileconfig',\n 'macOS',\n 'severity',\n 'title',\n 'check',", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "create_args", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def create_args():\n \"\"\"configure the arguments used in the script, returns the parsed arguments\n \"\"\"\n parser = argparse.ArgumentParser(\n description='Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.')\n parser.add_argument(\"-c\", \"--controls\", default=None,\n help=\"Output the 800-53 controls covered by the rules.\", action=\"store_true\")\n parser.add_argument(\"-k\", \"--keyword\", default=None,\n help=\"Keyword tag to collect rules containing the tag.\", action=\"store\")\n parser.add_argument(\"-l\", \"--list_tags\", default=None,", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "section_title", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def section_title(section_name):\n titles = {\n \"auth\": \"authentication\",\n \"audit\": \"auditing\",\n \"os\": \"macos\",\n \"pwpolicy\": \"passwordpolicy\",\n \"icloud\": \"icloud\",\n \"sysprefs\": \"systempreferences\",\n \"srg\": \"srg\"\n }", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "get_controls", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def get_controls(all_rules):\n 
all_controls = []\n for rule in all_rules:\n for control in rule.rule_80053r4:\n if control not in all_controls:\n all_controls.append(control)\n all_controls.sort()\n return all_controls\ndef available_tags(all_rules):\n all_tags = []", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "available_tags", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def available_tags(all_rules):\n all_tags = []\n for rule in all_rules:\n for tag in rule.rule_tags:\n all_tags.append(tag)\n available_tags = []\n for tag in all_tags:\n if tag not in available_tags:\n available_tags.append(tag)\n available_tags.append(\"all_rules\")", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "output_baseline", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def output_baseline(rules, os, keyword):\n inherent_rules = []\n permanent_rules = []\n na_rules = []\n supplemental_rules = []\n other_rules = []\n sections = []\n output_text = \"\"\n for rule in rules:\n if \"inherent\" in rule.rule_tags:", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "main", + "kind": 2, + "importPath": "docs.scripts.generate_baseline", + "description": "docs.scripts.generate_baseline", + "peekOfCode": "def main():\n args = create_args()\n try:\n # output_basename = os.path.basename(args.baseline.name)\n # output_filename = os.path.splitext(output_basename)[0]\n # baseline_name = os.path.splitext(output_basename)[0].capitalize()\n file_dir = os.path.dirname(os.path.abspath(__file__))\n parent_dir = os.path.dirname(file_dir)\n # stash current working directory\n original_working_directory = os.getcwd()", + "detail": "docs.scripts.generate_baseline", + "documentation": {} + }, + { + "label": "MacSecurityRule", + "kind": 6, + "importPath": 
"docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "class MacSecurityRule():\n def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized):\n self.rule_title = title\n self.rule_id = rule_id\n self.rule_severity = severity\n self.rule_discussion = discussion\n self.rule_check = check\n self.rule_fix = fix\n self.rule_cci = cci\n self.rule_cce = cce", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "AdocTemplate", + "kind": 6, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "class AdocTemplate:\n def __init__(self, name, path, template_file):\n self.name = name\n self.path = path\n self.template_file = template_file\nclass PayloadDict:\n \"\"\"Class to create and manipulate Configuration Profiles.\n The actual plist content can be accessed as a dictionary via the 'data' attribute.\n \"\"\"\n def __init__(self, identifier, uuid=False, removal_allowed=False, description='', organization='', displayname=''):", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "PayloadDict", + "kind": 6, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "class PayloadDict:\n \"\"\"Class to create and manipulate Configuration Profiles.\n The actual plist content can be accessed as a dictionary via the 'data' attribute.\n \"\"\"\n def __init__(self, identifier, uuid=False, removal_allowed=False, description='', organization='', displayname=''):\n self.data = {}\n self.data['PayloadVersion'] = 1\n self.data['PayloadOrganization'] = organization\n if uuid:\n self.data['PayloadUUID'] = uuid", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "ulify", + 
"kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def ulify(elements):\n string = \"\\n\"\n for s in elements:\n string += \"* \" + str(s) + \"\\n\"\n return string\ndef group_ulify(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "group_ulify", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def group_ulify(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]\ndef group_ulify_comment(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "group_ulify_comment", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def group_ulify_comment(elements):\n string = \"\\n * \"\n for s in elements:\n string += str(s) + \", \"\n return string[:-2]\ndef get_check_code(check_yaml):\n try:\n check_string = check_yaml.split(\"[source,bash]\")[1]\n except:\n return check_yaml", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "get_check_code", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def get_check_code(check_yaml):\n try:\n check_string = check_yaml.split(\"[source,bash]\")[1]\n except:\n return check_yaml\n #print check_string\n check_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', check_string)\n #print(check_code.group(1).rstrip())\n return(check_code.group(1).strip())\ndef quotify(fix_code):", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": 
"quotify", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def quotify(fix_code):\n string = fix_code.replace(\"'\", \"\\'\\\"\\'\\\"\\'\")\n string = string.replace(\"%\", \"%%\")\n return string\ndef get_fix_code(fix_yaml):\n fix_string = fix_yaml.split(\"[source,bash]\")[1]\n fix_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', fix_string)\n return(fix_code.group(1))\ndef format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "get_fix_code", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def get_fix_code(fix_yaml):\n fix_string = fix_yaml.split(\"[source,bash]\")[1]\n fix_code = re.search('(?:----((?:.*?\\r?\\n?)*)----)+', fix_string)\n return(fix_code.group(1))\ndef format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.\n \"\"\"\n rulefix = \"\"\n for domain, settings in mobileconfig.items():\n if domain == \"com.apple.ManagedClient.preferences\":", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "format_mobileconfig_fix", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def format_mobileconfig_fix(mobileconfig):\n \"\"\"Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.\n \"\"\"\n rulefix = \"\"\n for domain, settings in mobileconfig.items():\n if domain == \"com.apple.ManagedClient.preferences\":\n rulefix = rulefix + \\\n (f\"NOTE: The following settings are in the ({domain}) payload. 
This payload requires the additional settings to be sub-payloads within, containing their their defined payload types.\\n\\n\")\n rulefix = rulefix + format_mobileconfig_fix(settings)\n else:", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "makeNewUUID", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def makeNewUUID():\n return str(uuid4())\ndef concatenate_payload_settings(settings):\n \"\"\"Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key\n \"\"\"\n settings_list = []\n settings_dict = {}\n for item in settings:\n for key, value in item.items():\n if isinstance(value, list):", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "concatenate_payload_settings", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def concatenate_payload_settings(settings):\n \"\"\"Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key\n \"\"\"\n settings_list = []\n settings_dict = {}\n for item in settings:\n for key, value in item.items():\n if isinstance(value, list):\n settings_dict.setdefault(key, []).append(value[0])\n else:", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "generate_profiles", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''):\n \"\"\"Generate the configuration profiles for the rules in the provided baseline YAML file\n \"\"\"\n organization = \"macOS Security Compliance Project\"\n displayname = f\"macOS {baseline_name} Baseline settings\"\n # import profile_manifests.plist\n manifests_file = 
os.path.join(\n parent_dir, 'includes', 'supported_payloads.yaml')\n with open(manifests_file) as r:\n manifests = yaml.load(r, Loader=yaml.SafeLoader)", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "default_audit_plist", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def default_audit_plist(baseline_name, build_path, baseline_yaml):\n \"\"\"\"Generate the default audit plist file to define exemptions\n \"\"\"\n # Output folder\n plist_output_path = os.path.join(\n f'{build_path}', 'preferences')\n if not (os.path.isdir(plist_output_path)):\n try:\n os.makedirs(plist_output_path)\n except OSError:", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "generate_script", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def generate_script(baseline_name, build_path, baseline_yaml, reference):\n \"\"\"Generates the zsh script from the rules in the baseline YAML\n \"\"\"\n compliance_script_file = open(\n build_path + '/' + baseline_name + '_compliance.sh', 'w')\n check_function_string = \"\"\n fix_function_string = \"\"\n # create header of fix zsh script\n check_zsh_header = f\"\"\"#!/bin/zsh\n## This script will attempt to audit all of the settings based on the installed profile.", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "get_rule_yaml", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def get_rule_yaml(rule_file, custom=False):\n \"\"\" Takes a rule file, checks for a custom version, and returns the yaml for the rule\n \"\"\"\n resulting_yaml = {}\n names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)]\n file_name = os.path.basename(rule_file)\n # if 
file_name in names:\n # print(f\"Custom settings found for rule: {rule_file}\")\n # try:\n # override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0]", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "generate_xls", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def generate_xls(baseline_name, build_path, baseline_yaml):\n \"\"\"Using the baseline yaml file, create an XLS document containing the YAML fields\n \"\"\"\n baseline_rules = create_rules(baseline_yaml)\n # File path setup\n file_dir = os.path.dirname(os.path.abspath(__file__))\n parent_dir = os.path.dirname(file_dir)\n # Output files\n xls_output_file = f\"{build_path}/{baseline_name}.xls\"\n wb = Workbook()", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "create_rules", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def create_rules(baseline_yaml):\n \"\"\"Takes a baseline yaml file and parses the rules, returns a list of containing rules\n \"\"\"\n all_rules = []\n #expected keys and references\n keys = ['mobileconfig',\n 'macOS',\n 'severity',\n 'title',\n 'check',", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "create_args", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def create_args():\n \"\"\"configure the arguments used in the script, returns the parsed arguements\n \"\"\"\n parser = argparse.ArgumentParser(\n description='Given a baseline, create guidance documents and files.')\n parser.add_argument(\"baseline\", default=None,\n help=\"Baseline YAML file used to create the guide.\", type=argparse.FileType('rt'))\n parser.add_argument(\"-c\", \"--clean\", default=None,\n help=argparse.SUPPRESS, 
action=\"store_true\")\n parser.add_argument(\"-d\", \"--debug\", default=None,", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "is_asciidoctor_installed", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def is_asciidoctor_installed():\n \"\"\"Checks to see if the ruby gem for asciidoctor is installed\n \"\"\"\n #cmd = \"gem list asciidoctor -i\"\n cmd = \"which asciidoctor\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n # return path to asciidoctor\n return output.decode(\"utf-8\").strip()\ndef is_asciidoctor_pdf_installed():", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "is_asciidoctor_pdf_installed", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def is_asciidoctor_pdf_installed():\n \"\"\"Checks to see if the ruby gem for asciidoctor-pdf is installed\n \"\"\"\n #cmd = \"gem list asciidoctor-pdf -i\"\n cmd = \"which asciidoctor-pdf\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n return output.decode(\"utf-8\").strip()\ndef verify_signing_hash(hash):\n \"\"\"Attempts to validate the existence of the certificate provided by the hash", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "verify_signing_hash", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def verify_signing_hash(hash):\n \"\"\"Attempts to validate the existence of the certificate provided by the hash\n \"\"\"\n with tempfile.NamedTemporaryFile(mode=\"w\") as in_file:\n unsigned_tmp_file_path=in_file.name\n in_file.write(\"temporary file for signing\")\n cmd = f\"security cms -S -Z {hash} -i 
{unsigned_tmp_file_path}\"\n FNULL = open(os.devnull, 'w')\n process = subprocess.Popen(cmd.split(), stdout=FNULL, stderr=FNULL)\n output, error = process.communicate()", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "sign_config_profile", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def sign_config_profile(in_file, out_file, hash):\n \"\"\"Signs the configuration profile using the identity associated with the provided hash\n \"\"\"\n cmd = f\"security cms -S -Z {hash} -i {in_file} -o {out_file}\"\n process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)\n output, error = process.communicate()\n print(f\"Signed Configuration profile written to {out_file}\")\n return output.decode(\"utf-8\")\ndef parse_custom_references(reference):\n string = \"\\n\"", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "parse_custom_references", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def parse_custom_references(reference):\n string = \"\\n\"\n for item in reference:\n if isinstance(reference[item], list):\n string += \"!\" + str(item) + \"\\n!\\n\"\n for i in reference[item]:\n string += \"* \" + str(i) + \"\\n\"\n else:\n string += \"!\" + str(item) + \"!* \" + str(reference[item]) + \"\\n\"\n return string", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "parse_cis_references", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def parse_cis_references(reference):\n string = \"\\n\"\n for item in reference:\n if isinstance(reference[item], list):\n string += \"!CIS \" + str(item).title() + \"\\n!\\n\"\n string += \"* \"\n for i in reference[item]:\n string += str(i) + \", \"\n string = string[:-2] + 
\"\\n\"\n else:", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "main", + "kind": 2, + "importPath": "docs.scripts.generate_guidance", + "description": "docs.scripts.generate_guidance", + "peekOfCode": "def main():\n args = create_args()\n if args.debug:\n logging.basicConfig(level=logging.DEBUG)\n else:\n logging.basicConfig(level=logging.WARNING)\n try:\n output_basename = os.path.basename(args.baseline.name)\n output_filename = os.path.splitext(output_basename)[0]\n baseline_name = os.path.splitext(output_basename)[0]#.capitalize()", + "detail": "docs.scripts.generate_guidance", + "documentation": {} + }, + { + "label": "sort_nicely", + "kind": 2, + "importPath": "docs.scripts.generate_mapping", + "description": "docs.scripts.generate_mapping", + "peekOfCode": "def sort_nicely( l ):\n# \"\"\" Sort the given list in the way that humans expect.\n# \"\"\"\n convert = lambda text: int(text) if text.isdigit() else text\n alphanum_key = lambda key: [ convert(c) for c in re.split('([0-9]+)', key) ]\n l.sort( key=alphanum_key )\ndef main():\n file_dir = os.path.dirname(os.path.abspath(__file__))\n os.chdir(file_dir) \n nist_header = \"\"", + "detail": "docs.scripts.generate_mapping", + "documentation": {} + }, + { + "label": "main", + "kind": 2, + "importPath": "docs.scripts.generate_mapping", + "description": "docs.scripts.generate_mapping", + "peekOfCode": "def main():\n file_dir = os.path.dirname(os.path.abspath(__file__))\n os.chdir(file_dir) \n nist_header = \"\"\n other_header = \"\"\n sub_directory = \"\"\n def dir_path(string):\n if os.path.isdir(string):\n return string\n else:", + "detail": "docs.scripts.generate_mapping", + "documentation": {} + }, + { + "label": "main", + "kind": 2, + "importPath": "docs.scripts.generate_oval", + "description": "docs.scripts.generate_oval", + "peekOfCode": "def main():\n now = datetime.now()\n date_time_string = now.strftime(\"%Y-%m-%dT%H:%M:%S\")\n output = \"\"\n parser = 
argparse.ArgumentParser(description='Given a profile, create oval checks.')\n parser.add_argument(\"baseline\", default=None, help=\"Baseline YAML file used to create the oval.\", type=argparse.FileType('rt'))\n results = parser.parse_args()\n try:\n output_basename = os.path.basename(results.baseline.name)\n output_filename = os.path.splitext(output_basename)[0]", + "detail": "docs.scripts.generate_oval", + "documentation": {} + } +] diff --git a/.vscode/c_cpp_properties.json b/.vscode/c_cpp_properties.json index 5cc28d1..5ff26c7 100644 --- a/.vscode/c_cpp_properties.json +++ b/.vscode/c_cpp_properties.json 
@@ -1,21 +1,21 @@ { - "configurations": [ - { - "name": "Mac", - "includePath": [ - "${workspaceFolder}/**", - "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/kern", - "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kernel.framework/Versions/A/Headers" - ], - "defines": [], - "macFrameworkPath": [ - "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks" - ], - "compilerPath": "/usr/bin/clang", - "cStandard": "c17", - "cppStandard": "c++17", - "intelliSenseMode": "macos-clang-x64" - } - ], - "version": 4 -} \ No newline at end of file + "configurations": [ + { + "name": "Mac", + "includePath": [ + "${workspaceFolder}/**", + "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/kern", + "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kernel.framework/Versions/A/Headers" + ], + "defines": [], + "macFrameworkPath": [ + "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks" + ], + "compilerPath": "/usr/bin/clang", + "cStandard": "c17", + "cppStandard": "c++17", + "intelliSenseMode": "macos-clang-x64" + } + ], + "version": 4 +} diff --git a/.zshrc b/.zshrc index 8de2adf..00f7055 100644 --- a/.zshrc +++ b/.zshrc @@ -149,4 +149,4 @@ compinit fpath+=~/.zfunc -eval "$(direnv hook zsh)" \ No newline at end of file +eval "$(direnv hook zsh)" diff --git a/better_anonymity b/better_anonymity index 2d1729e..67fa0b9 100644 --- a/better_anonymity +++ b/better_anonymity 
@@ -126,7 +126,7 @@ hello() { local text=${BASH_CLI_OPT_VALUE[1]} local enabled_uppercase=${BASH_CLI_OPT_VALUE[2]} local enabled_lowercase=${BASH_CLI_OPT_VALUE[3]} - + if [ ${enabled_uppercase} == true ]; then echo "${prefix} ${text}" | tr '[:lower:]' '[:upper:]' elif [ ${enabled_lowercase} == true ]; then @@ -138,4 +138,3 @@ hello() { } source ../base.sh - diff --git a/bin/clean b/bin/clean index 81d4c10..3822230 100644 --- a/bin/clean +++ b/bin/clean @@ -50,4 +50,4 @@ if [ -z "$1" ]; then echo "" else $METAMODULE $@ -fi \ No newline at end of file +fi diff --git a/bin/homebrew_tap b/bin/homebrew_tap index e2c01ed..b14bfe5 100644 --- a/bin/homebrew_tap +++ b/bin/homebrew_tap @@ -14,4 +14,4 @@ if [[ -x "$SCRIPT_PATH" ]]; then "$SCRIPT_PATH" else printf "WARNING: Homebrew Tap script does not exist or is not executable.\n" -fi \ No newline at end of file +fi diff --git a/blockips.conf b/blockips.conf index cc071dd..1dede4f 100644 --- a/blockips.conf +++ b/blockips.conf @@ -12,7 +12,7 @@ block drop log quick from to any table persist file "@PREFIX@/etc/@NAME@/compromised-ips.txt" block drop log quick from to any -# THIS RULESET HAS BEEN OBSOLETED!! +# THIS RULESET HAS BEEN OBSOLETED!! # http://rules.emergingthreats.net/blockrules/rbn-ips.txt #table persist file "@PREFIX@/etc/@NAME@/rbn-ips.txt" #block drop log quick from to any diff --git a/config/bin/apply_basic_settings b/config/bin/apply_basic_settings index c2932cf..acd1c7d 100755 --- a/config/bin/apply_basic_settings +++ b/config/bin/apply_basic_settings @@ -31,4 +31,3 @@ sudo scutil --set ComputerName $mac_os_label sudo scutil --set HostName $mac_os_name sudo scutil --set LocalHostName $mac_os_name sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName -string $mac_os_name - diff --git a/config/bin/apply_default_settings b/config/bin/apply_default_settings index c23c730..a03d15f 100755 --- a/config/bin/apply_default_settings +++ b/config/bin/apply_default_settings 
@@ -260,4 +260,4 @@ printf "%s\n" "See: https://security.stackexchange.com/a/47786/8918" defaults write com.apple.terminal SecureKeyboardEntry -bool true printf "%s\n" "Photos - Prevent Photos from opening automatically when devices are plugged in." -defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool true \ No newline at end of file +defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool true diff --git a/config/bin/homebrew_tap b/config/bin/homebrew_tap index 283b398..ad005f9 100644 --- a/config/bin/homebrew_tap +++ b/config/bin/homebrew_tap @@ -2,4 +2,4 @@ # Homebrew tap. -brew tap cmars/onionpipe \ No newline at end of file +brew tap cmars/onionpipe diff --git a/config/bin/install_applications b/config/bin/install_applications index c346227..77db7ea 100755 --- a/config/bin/install_applications +++ b/config/bin/install_applications @@ -4,4 +4,4 @@ install_dmg_app "$DOCKER_APP_URL" "$DOCKER_VOLUME_NAME" "$DOCKER_APP_NAME" install_dmg_pkg "$GPG_KEYCHAIN_APP_URL" "$GPG_KEYCHAIN_VOLUME_NAME" "$GPG_KEYCHAIN_APP_NAME" -install_zip_app "$POSTMAN_APP_URL" "$POSTMAN_APP_NAME" \ No newline at end of file +install_zip_app "$POSTMAN_APP_URL" "$POSTMAN_APP_NAME" diff --git a/config/bin/install_homebrew_casks b/config/bin/install_homebrew_casks index 2d19896..d783386 100755 --- a/config/bin/install_homebrew_casks +++ b/config/bin/install_homebrew_casks @@ -8,5 +8,3 @@ brew install --cask iterm2 brew install --cask librewolf brew install --cask rstudio brew install --cask visual-studio-code - - diff --git a/config/bin/restore_backup b/config/bin/restore_backup index 317c311..3ab06ab 100755 --- a/config/bin/restore_backup +++ b/config/bin/restore_backup 
@@ -34,4 +34,4 @@ rsync \ # Newsyslog sudo cp -p "$mac_os_backup_root/etc/newsyslog.d/patrick.roach.conf" "/etc/newsyslog.d" -sudo cp -p "$mac_os_backup_root/etc/newsyslog.d/homebrew.conf" "/etc/newsyslog.d" \ No newline at end of file +sudo cp -p "$mac_os_backup_root/etc/newsyslog.d/homebrew.conf" "/etc/newsyslog.d" diff --git a/docs/papers/README.md b/docs/papers/README.md index 2f64eb9..98ce8c9 100644 --- a/docs/papers/README.md +++ b/docs/papers/README.md @@ -1429,7 +1429,7 @@ You can use OTR on top of any existing [XMPP](https://xmpp.org/about) chat servi The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail). -A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). +A popular macOS GUI client for XMPP and other chat protocols is [Adium](https://adium.im/). Other XMPP clients include [profanity](http://www.profanity.im/) and [agl/xmpp-client](https://github.com/agl/xmpp-client). Another relatively new XMPP chat client is [CoyIM](https://coy.im/), it's focused and security and has built-in support for OTR and Tor. @@ -1499,7 +1499,7 @@ $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 ``` -Alternatively, you can also disable Gatekeeper using the following command: +Alternatively, you can also disable Gatekeeper using the following command: ```sudo spctl --master-disable``` diff --git a/docs/papers/guide.md b/docs/papers/guide.md index fcf0106..4c0a7f4 100644 --- a/docs/papers/guide.md +++ b/docs/papers/guide.md 
@@ -8,7 +8,7 @@ Version 1.1.6-pre1, August 2022 by Anonymous Planet #### **IMPORTANT RECOMMENDATION FOR UKRAINIANS. ВАЖЛИВА РЕКОМЕНДАЦІЯ ДЛЯ УКРАЇНЦІВ** -Це послання до народу України. Ми настійно рекомендуємо вам використовувати Briar для спілкування. Ви можете знайти його тут: , Швидкий початок: @@ -385,7 +385,7 @@ Finally note that this guide does mention and even recommends various commercial - [Appendix B3: Threat modeling resources] - [Appendix B4: Important notes about evil-maid and tampering] - [Appendix B5: Types of CPU attacks:] -- [Appendix B6: Warning for using Orbot on Android] +- [Appendix B6: Warning for using Orbot on Android] - [Appendix B7: Caution about Session messenger] - [References:] 
@@ -629,7 +629,7 @@ Finally, even if you use a custom encrypted DNS server (DoH or DoT) with ECH/eSN One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS[^53]) to further increase privacy/anonymity but **unfortunately**, as far as we know, these methods are only provided by Cloudflare as of this writing ( [[Archive.org]](https://web.archive.org/web/https://blog.cloudflare.com/welcome-hidden-resolver/), [[Archive.org]](https://web.archive.org/web/https://blog.cloudflare.com/oblivious-dns/)). These are workable and reasonably secure technical options but there is also a moral choice if you want to use Cloudflare or not (despite the risk posed by some researchers[^54]). -**Note that Oblivious DNS addresses an adversary that eavesdrops on one of the connections listed here but not all. It does not address a global passive adversary (GPA) who can eavesdrop on many or all of these connections**: +**Note that Oblivious DNS addresses an adversary that eavesdrops on one of the connections listed here but not all. It does not address a global passive adversary (GPA) who can eavesdrop on many or all of these connections**: - traffic between the client resolver and the recursive resolver - the recursive resolver and the ODNS resolver - the ODNS resolver and an authoritative server. 
@@ -1035,7 +1035,7 @@ Here are some other resources on the topic if you cannot see this documentary: - 2016, A Survey on User Behavior Analysis in Social Networks [[Archive.org]](https://web.archive.org/web/https://www.academia.edu/30936118/A_Survey_on_User_Behaviour_Analysis_in_Social_Networks) -- 2017, DEF CON 25 presentation: [DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data](https://www.youtube.com/watch?v=1nvYGi7-Lxo) [[Invidious]](https://yewtu.be/watch?v=1nvYGi7-Lxo) +- 2017, DEF CON 25 presentation: [DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data](https://www.youtube.com/watch?v=1nvYGi7-Lxo) [[Invidious]](https://yewtu.be/watch?v=1nvYGi7-Lxo) - 2019, Influence and Behavior Analysis in Social Networks and Social Media [[Archive.org]](https://web.archive.org/web/https://web.archive.org/web/https://sci-hub.se/10.1007/978-3-030-02592-2) 
@@ -1421,9 +1421,9 @@ There was an attack published that can deanonymize users if they have a known al The attack, published at [[Archive.org]](https://web.archive.org/web/20220720023429/https://leakuidatorplusteam.github.io/), can be mitigated using the well-known [NoScript](https://noscript.net/) extension and will be our preferred recommendation. -One loosely documented attack might take the following approach to fingerprinting: Alice is browsing the web using Firefox. The website she has just visited is using an invisible `iframe` that creates long strings, e.g., sentences or hashes, to produce some non-user-viewable string. These strings are setting a certain font type, Arial. Whether the browser renders this is non-essential, it only matters if the font changes. The `iframe` in this case serves no purpose but to identify whether a user has installed a certain font on their machine. If Alice is using a font that this frame has tried to render, then it is reported back to the website and to the person in control of the website. +One loosely documented attack might take the following approach to fingerprinting: Alice is browsing the web using Firefox. The website she has just visited is using an invisible `iframe` that creates long strings, e.g., sentences or hashes, to produce some non-user-viewable string. These strings are setting a certain font type, Arial. Whether the browser renders this is non-essential, it only matters if the font changes. The `iframe` in this case serves no purpose but to identify whether a user has installed a certain font on their machine. If Alice is using a font that this frame has tried to render, then it is reported back to the website and to the person in control of the website. -The font renders a box with a specific height and width around itself, so that means a specific height and width of the text contained within. The `iframe` keeps doing this for each installed font to create a list of installed fonts for Alice. 
Because of stylistic differences between each font family, the same string and the same font size will add up to a different height and a different width than Arial. It is used as a fallback font to display text that won't display otherwise, in the case of a user not having that font on their machine and thus non-viewable from their browser. +The font renders a box with a specific height and width around itself, so that means a specific height and width of the text contained within. The `iframe` keeps doing this for each installed font to create a list of installed fonts for Alice. Because of stylistic differences between each font family, the same string and the same font size will add up to a different height and a different width than Arial. It is used as a fallback font to display text that won't display otherwise, in the case of a user not having that font on their machine and thus non-viewable from their browser. If a font requested by an `iframe` is not available, Arial will be used to show that text to the user. Every time the font measurement (identified by the dimensions of the box produced) changed, it means the font is present on Alice's browser and her machine. By doing this for hundreds of fonts, websites can use this information to track users using their installed fonts across websites. Imagine a website then selling this “anonymized” information as a dataset to advertisement companies to serve you ads based on the websites you visit, because they know every font you have installed on your machine and can now track your identity across the internet. This attack is demonstrated here: [Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)](https://www.youtube.com/watch?v=5Y1Y96jC5AA) by Dr. Nick Nikiforakis, PhD in Computer Science from KU Leuven. He explains how his team of researchers identified which sites were using such techniques on Alexa's top 10,000 websites. 
Primarily, they found that of those, 145 were fingerprinting browsers. They were fingerprinted 100% of the time — whether they were using the Do Not Track header, a popular Privacy & Security setting in many browsers, did not matter. @@ -1435,7 +1435,7 @@ Attacks such as invisible iframes and media elements can be avoided by blocking ## All others: -Installing the [NoScript](https://noscript.net/) extension will prevent the attack **by default only in private Windows** using their new "TabGuard feature". But can be enabled in the NoScript options to work on all Windows. See: +Installing the [NoScript](https://noscript.net/) extension will prevent the attack **by default only in private Windows** using their new "TabGuard feature". But can be enabled in the NoScript options to work on all Windows. See: - Release tweet: [[Archive.org]](https://web.archive.org/web/https://twitter.com/ma1/status/1557751019945299969) - User explanation: [[Archive.org]](https://web.archive.org/web/https://noscript.net/usage/#crosstab-identity-leak-protection) 
@@ -1448,7 +1448,7 @@ Installing the [NoScript](https://noscript.net/) extension will prevent the atta The researches who disclosed the issue also made an extension available below. Again, **nothing is required in Tor Browser**. This path is not our preferred path but is still available if you do not want to use NoScript. - Leakuidator+ extension for Chromium based browsers (Brave, Chrome, Edge, and other Chromium-based browsers): -- Leakuidator+ extension for Firefox (Firefox, and other Firefox-based browsers except Tor Browser): +- Leakuidator+ extension for Firefox (Firefox, and other Firefox-based browsers except Tor Browser): Separating identities via separate browsers or even with VMs is not enough to avoid this attack. However, another solution is to make sure that when you start working with an anonymous identity, you entirely close all activities linked to other identities. The vulnerability only works if you're actively logged into a non-anonymous identity. The issue with this is that it can hinder effective workflow, as multitasking across multiple identities becomes impossible. @@ -2091,7 +2091,7 @@ Please see [Appendix Y: Installing and using desktop Tor Browser]. - After launching, click the upper right **Settings** icon -- Select **Settings** > **Privacy and security** > **Tor network** +- Select **Settings** > **Privacy and security** > **Tor network** - Select **Config Bridge**. 
@@ -4810,7 +4810,7 @@ The reason for this RAM requirement is that each app will run in a different VM You should also check their hardware compatibility here [[Archive.org]](https://web.archive.org/web/https://www.qubes-os.org/hcl/) before proceeding. Your mileage might vary, and you might experience several issues about hardware compatibility that you will have to troubleshoot and solve yourself. -I think that if you can afford it and are comfortable with the idea of using Linux, you should go with this route as it is probably the best one in terms of security and privacy. The only disadvantage of this route is that it does not provide a way to enable OS-wide [plausible deniability](https://en.wikipedia.org/wiki/Plausible_deniability) [[Wikiless]](https://wikiless.org/wiki/Plausible_deniability), unlike the Whonix route. +I think that if you can afford it and are comfortable with the idea of using Linux, you should go with this route as it is probably the best one in terms of security and privacy. The only disadvantage of this route is that it does not provide a way to enable OS-wide [plausible deniability](https://en.wikipedia.org/wiki/Plausible_deniability) [[Wikiless]](https://wikiless.org/wiki/Plausible_deniability), unlike the Whonix route. ### Pick your connectivity method: @@ -5097,7 +5097,7 @@ Remember this should be done from a safe place (see [Find some safe places with ### Upgrading Qubes OS from 4.0.x to 4.1.x (you should do it) -Personally, we wouldn't do it in-place and do a fresh install. +Personally, we wouldn't do it in-place and do a fresh install. But if you really want to, it's technically possible by following this guide: [[Archive.org]](https://web.archive.org/web/https://www.qubes-os.org/doc/upgrade/4.1/) 
@@ -5258,7 +5258,7 @@ When you are done downloading the configuration files within the Disposable Brow - Save and exit each file -- Edit the OpenVPN config file (/etc/default/openvpn) by typing ```sudo nano /etc/default/openvpn``` +- Edit the OpenVPN config file (/etc/default/openvpn) by typing ```sudo nano /etc/default/openvpn``` - Change ```#AUTOSTART="all"``` to ```AUTOSTART="all"``` (in other words, remove the "#") @@ -5559,9 +5559,9 @@ See their tutorial here: (Probably the best overall) - 
@@ -7818,13 +7818,13 @@ The ones that are preferred are recommended due to their stance on privacy, thei You can also consult the following external resources for more comparisons (**we do not necessarily endorse their opinions**): -- SecuChart, [[Archive.org]](https://web.archive.org/web/https://bkil.gitlab.io/secuchart/) [[Repository]](https://github.com/bkil/secuchart) (Maintained open-source project) -- Wikipedia, [[Wikiless]](https://wikiless.org/wiki/Comparison_of_cross-platform_instant_messaging_clients) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients) +- SecuChart, [[Archive.org]](https://web.archive.org/web/https://bkil.gitlab.io/secuchart/) [[Repository]](https://github.com/bkil/secuchart) (Maintained open-source project) +- Wikipedia, [[Wikiless]](https://wikiless.org/wiki/Comparison_of_cross-platform_instant_messaging_clients) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients) - Wikipedia, [[Wikiless]](https://wikiless.org/wiki/Comparison_of_instant_messaging_protocols) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_protocols) - Whonix Documentation, Instant Messenger Chat [[Archive.org]](https://web.archive.org/web/https://www.whonix.org/wiki/Chat) (Outdated, Unmaintained but contains insightful information) - + - **Outdated, or unmaintained, or abandoned resources scheduled for removal from our guide in next release:** - + - Secure Messaging Apps [[Archive.org]](https://web.archive.org/web/https://www.securemessagingapps.com/) - Proton Blog, [[Archive.org]](https://web.archive.org/web/2022053117143/https://proton.me/blog/whatsapp-alternatives) - SecureChart.org, [[Archive.org]](https://web.archive.org/web/https://securechatguide.org/featuresmatrix.html) 
@@ -9344,7 +9344,7 @@ Most likely if someone went through your document to read it and re-placed it ca Wait, what is OPSEC? Well, OPSEC means Operations Security[^456]. The basic definition is: "OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture." -The important step here, and probably the easiest one, is a lesson you can take from the movie Fight Club: the first rule is that you **do not** talk about Fight Club. This applies to many aspects of your online operational security or OPSEC. Taking your time to go through this guide will reward you with the tools and knowledge to embrace a fuller, more secure experience on the internet. Rest assured that this guide will reveal things to you that will frustrate your enemy. You will learn how to protect your operating systems and lockdown your critical information and ensure mission success. But the one thing you must adhere to is this rule of thumb - do not talk about operation details. The biggest adversarial threat to you is OSINT (discussed below and throughout the document). The enemy will gather information on you based on what they observe about you and your activities online and in real life. +The important step here, and probably the easiest one, is a lesson you can take from the movie Fight Club: the first rule is that you **do not** talk about Fight Club. This applies to many aspects of your online operational security or OPSEC. Taking your time to go through this guide will reward you with the tools and knowledge to embrace a fuller, more secure experience on the internet. Rest assured that this guide will reveal things to you that will frustrate your enemy. You will learn how to protect your operating systems and lockdown your critical information and ensure mission success. But the one thing you must adhere to is this rule of thumb - do not talk about operation details. 
The biggest adversarial threat to you is OSINT (discussed below and throughout the document). The enemy will gather information on you based on what they observe about you and your activities online and in real life. Adversaries take many forms. To some, they are actors of a foreign government, while to others they may be simply a rival company's employee looking to find disgruntled workers to target for further pressuring. To most, the general task of OPSEC is that this is your ship - you must not do anything or say anything to sink your own ship. Simply expressing your frustration with your boss or your work conditions or your equipment, might be enough to generate not only a behavior profile but also a vector of attack. A disgruntled employee, in this example, is what generally provides enough information to warrant pressuring of that employee for further information and possibly even extortion, blackmail, or worse. Failure to implement basic OPSEC can lead to failure at various points. It can lead to serious injury or even death if your threat model is a determined attacker, foreign actor, and so on. @@ -9361,7 +9361,7 @@ You must live by the simple rule that "loose lips sink ships" - but also that th - Do not ever use biometrics alone to safeguard your secrets. Biometrics can be used without your consent. - Do check the signatures and hashes of software and documents you download before installing/viewing them. - + - Do not have the same behavior such as visiting the same links on the clearnet then visit the same with the your anoynous online identity. Watch this DEF CON 25 presentation if you didn't before: [DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data](https://www.youtube.com/watch?v=1nvYGi7-Lxo) [[Invidious]](https://yewtu.be/watch?v=1nvYGi7-Lxo). - Encrypt everything but do not take it for granted. Remember the 5$ wrench. 
@@ -9412,7 +9412,7 @@ You must live by the simple rule that "loose lips sink ships" - but also that th - 2015, DEF CON 22, Adrian Crenshaw, Dropping Docs on Darknets: How People Got Caught [[Invidious]](https://yewtu.be/watch?v=eQ2OZKitRwc) ([Slides](https://www.defcon.org/images/defcon-22/dc-22-presentations/Crenshaw/DEFCON-22-Adrian-Crenshaw-Dropping-Docs-on-Darknets-How-People-Got-Caught-UPDATED.pdf) [[Archive.org]](https://web.archive.org/web/https://www.defcon.org/images/defcon-22/dc-22-presentations/Crenshaw/DEFCON-22-Adrian-Crenshaw-Dropping-Docs-on-Darknets-How-People-Got-Caught-UPDATED.pdf)) - 2017, Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev [[Invidious]](https://yewtu.be/watch?v=6Chp12sEnWk) - + - 2017, [DEF CON 25 - Svea Eckert, Andreas Dewes - Dark Data](https://www.youtube.com/watch?v=1nvYGi7-Lxo) [[Invidious]](https://yewtu.be/watch?v=1nvYGi7-Lxo) - 2015, DEF CON 22, Zoz, Don't Fuck It Up! [[Invidious]](https://yewtu.be/watch?v=J1q4Ir2J8P8) 
@@ -10360,7 +10360,7 @@ This is very lightweight, and we recommend doing it from a VM (VM inside a VM) t 44. **Remove the default config file** by running ```rm /etc/apache2/sites-enabled/000-default.conf```. 45. **Edit the apache2 config file** provided by mat2-web by running ```nano /etc/apache2/sites-enabled/apache2.conf```. 46. **Remove the first line** ```Listen 80``` by typing **Ctrl+K** to cut the line. -47. **Change the uwsgi path** from ```/var/www/mat2-web/mat2-web.sock``` to ```/run/uwsgi/uwsgi.sock``` and type **Ctrl+X** to exit, followed by **Y** then **Enter**. +47. **Change the uwsgi path** from ```/var/www/mat2-web/mat2-web.sock``` to ```/run/uwsgi/uwsgi.sock``` and type **Ctrl+X** to exit, followed by **Y** then **Enter**. 48. **Copy the uwsgi config file** to **/etc** by running ```cp uwsgi.config /etc/uwsgi/apps-enabled/uwsgi.ini```. 49. **Edit the uwsgi config file** by typing ```nano /etc/uwsgi/apps-enabled/uwsgi.ini``` and change **uid** and **guid** to ```nobody``` and ```nogroup``` respectively. Save and exit with **Ctrl+X**, followed by **Y**, then **Enter**. 50. Run ```chown -R 777 /var/www/mat2-web``` to change ownership to **mat2-web**. @@ -10386,7 +10386,7 @@ After updates, shutdown, change to the **Host-only Adapter**, take a new snapsho You are done. -Now you can just start this small Mat2 VM when needed. Browse to it from your Guest VM and use the interface to remove any metadata from most files. After each use of this VM, you should revert to the Snapshot to erase all traces. +Now you can just start this small Mat2 VM when needed. Browse to it from your Guest VM and use the interface to remove any metadata from most files. After each use of this VM, you should revert to the Snapshot to erase all traces. **Do not ever expose this VM to any network unless temporarily for updates. This web interface is not suitable for any direct external access.** 
@@ -10447,7 +10447,7 @@ There are, two viable options: ## Cash/Monero-Paid VPN: There are three VPN companies recommended by PrivacyGuides.org ( [[Archive.org]](https://web.archive.org/web/https://www.privacyguides.org/vpn/)) that accept cash payments: Mullvad, iVPN, and Proton VPN. - + Here are their logging policies: - Mullvad: [[Archive.org]](https://web.archive.org/web/https://mullvad.net/en/help/no-logging-data-policy/) @@ -11039,7 +11039,7 @@ If you are to resort to this, you should never do so from a monitored/known netw **Refer to the Tails route to achieve this. See [The Tails route][The Tor Browser route:] and [Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option] sections.** # Appendix V: What browser to use in your Guest VM/Disposable VM - + **Temporary Important Warning: Please see [Microarchitectural Side-channel Deanonymization Attacks:] for all browsers except Tor Browser.** There are 6 possibilities of browser to use on your guest/disposable VM: @@ -11757,12 +11757,12 @@ Here's some host information that can be leaked through the Virtual Machine: - Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs; -- Virtual Windows registry keys like `ProductID` might show the Host Machine's environment: +- Virtual Windows registry keys like `ProductID` might show the Host Machine's environment: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345` - HDD, GPU, and mouse drivers can be exposed through: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\` -- Registry entries will show that this is a virtual mouse: `%WINDIR%\system32\drivers\vmmouse.sys` +- Registry entries will show that this is a virtual mouse: `%WINDIR%\system32\drivers\vmmouse.sys` - Descriptor Table Registers: 
@@ -11866,7 +11866,7 @@ This is valid for Windows, Linux, and macOS. ![][690] We would recommend the "Safest" level by default. The "Safer" level should be enabled if you think you need access to a website not working without JavaScript. The Safest mode will most likely break many websites that rely actively on JavaScript. - + If you are extra paranoid, use the "Safest" level by default and consider downgrading to Safer is the website is unusable because of Javascript blocking. **Optional and not recommended by the Tor Project**: If you are not using the "Safest" level, we will diverge from some but agree with others (for instance the Tails project and others[^525]) and will actually recommend some modifications of the default Tor Browser in the addition of two extensions: @@ -11897,7 +11897,7 @@ But what if the service you want does not accept Monero but does accept a more m - **Stay away from Crypto Mixer, Tumblers and Coinjoiners.** You might think this is a good idea but not only are they useless with cryptocurrencies such as BTC/ETH/LTC, but they are also dangerous as you might end up trading your currency for dirty currency from illicit activities. Use Monero to anonymize your crypto. Use a normal KYC-enabled Exchange to buy/sell your Monero (such as Kraken) or (at your own risk), use a service like LocalMonero. -- **See [Warning about special tumbling, mixing, coinjoining privacy wallets and services].** +- **See [Warning about special tumbling, mixing, coinjoining privacy wallets and services].** ## Reasonably anonymous option: 
@@ -11919,7 +11919,7 @@ Despite this, it is possible to safely anonymize Bitcoin through the use of cryp 5. From an anonymized browser (such as Tor Browser), use a non-KYC (Know Your Customer) service swapping service (see [Appendix A8: Crypto Swapping Services without Registration and KYC]) and convert your Monero to BTC and transfer those to the BTC Wallet you have on your anonymized VM -6. You should now have an anonymized Bitcoin wallet that can be used for purchasing services that do not accept Monero. +6. You should now have an anonymized Bitcoin wallet that can be used for purchasing services that do not accept Monero. **You should never access this wallet from a non-anonymized environment. Always use well-thought OPSEC with your BTC transactions. Remember those can be traced back to you.** 
@@ -11980,9 +11980,9 @@ Mixing BTC in this way should prevent any chain analysis on future transactions. - [Mixing detection on Bitcoin transactions using statistical patterns.](https://arxiv.org/pdf/2204.02019.pdf) [Archive.org](https://web.archive.org/web/https://arxiv.org/pdf/2204.02019.pdf) - [An Analysis Of Bitcoin Laundry Services](https://www.researchgate.net/profile/Julio-Hernandez-Castro/publication/319944399_An_Analysis_of_Bitcoin_Laundry_Services/links/5a045d410f7e9beb177883af/An-Analysis-of-Bitcoin-Laundry-Services.pdf?origin=publication_detail) [Archive.org](https://web.archive.org/web/https://www.researchgate.net/profile/Julio-Hernandez-Castro/publication/319944399_An_Analysis_of_Bitcoin_Laundry_Services/links/5a045d410f7e9beb177883af/An-Analysis-of-Bitcoin-Laundry-Services.pdf?origin=publication_detail) - [Mixing Strategies in Cryptocurrencies and An Alternative Implementation](https://www.researchgate.net/publication/344485520_Mixing_Strategies_in_Cryptocurrencies_and_An_Alternative_Implementation) [Archive.org](https://web.archive.org/web/https://www.researchgate.net/publication/344485520_Mixing_Strategies_in_Cryptocurrencies_and_An_Alternative_Implementation) - + Instead we recommend to use Monero (preferred) and additionaly Zcash to achieve anonymity. - + ## When converting from BTC to Monero: **Now, as part of any process above, if you want to convert BTC back to Monero**, we recommend not using a swapping service but instead recommend using the new Monero Atomic Swap Tool: . This will prevent unnecessary fees and intermediates when using a commercial swapping service. The website is self-explanatory with detailed instructions for all OSes. 
@@ -12202,7 +12202,7 @@ You might also consider the use of something like AnonyMouth [[Archive.org]](https://web.archive.org/web/https://seirdy.one/posts/2022/07/09/stylometric-fingerprinting-redux/): Stylometric fingerprinting redux - + - [[Archive.org]](https://web.archive.org/web/https://www.whonix.org/wiki/Surfing_Posting_Blogging#Stylometry): Whonix documentation about stylometry. - [[Wikiless]](https://wikiless.org/wiki/Forensic_linguistics) [[Archive.org]](https://web.archive.org/web/https://wikipedia.org/wiki/Forensic_linguistics): Gives a brief rundown of the basics of forensic linguistics, not too informative. @@ -12266,8 +12266,8 @@ These recommendations are similar to the ones at the beginning of the guide and Find it online at: - Original: - -- Tor Onion Mirror: + +- Tor Onion Mirror: - Archive.org: @@ -12432,7 +12432,7 @@ We recommend the LINDDUN threat modeling method [ - It is focused on privacy but is clearly perfectly suitable for anonymity. - It is accessible to all skill levels including beginners (providing many tutorials) but also suitable for highly skilled readers. - It is used in the making of the Threat Modeling Manifesto: [[Archive.org]](https://web.archive.org/web/https://www.threatmodelingmanifesto.org/) - + LINDDUN threat modeling tutorials and resources: - **We recommend the following quick tutorial video from "The Hated One" YouTube channel with the approval and review from LINDDDUN designers: ** [[Invidious]](https://yewtu.be/watch?v=6AXkJ3dot2s>) to get started. - More resources for deeper understanding and usage: 
@@ -12446,7 +12446,7 @@ LINDDUN threat modeling tutorials and resources: (Illustration from [LINDDUN2015](https://lirias.kuleuven.be/retrieve/295669)) Here are alternative resources and methodologies if LINDDUN doesn't suit you: - + - Online Operations Security: [https://github.com/devbret/online-OPSEC](https://web.archive.org/web/20210711215728/https://github.com/devbret/online-OPSEC) - Microsoft's STRIDE: [[Wikiless]](https://wikiless.org/wiki/STRIDE_%28security%29) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/STRIDE_%28security%29) - PASTA: [[Archive.org]](https://web.archive.org/web/https://versprite.com/tag/pasta-threat-modeling/) @@ -12455,7 +12455,7 @@ Here are alternative resources and methodologies if LINDDUN doesn't suit you: # Appendix B4: Important notes about evil-maid and tampering -Your context needs to be taken into account. +Your context needs to be taken into account. Preventing an evil-maid attack attack or tampering might lead to bad consequences. Your adversary might then resort to other means to obtain the key. 
@@ -12480,7 +12480,7 @@ Model-specific registers (MSRs) and their configuration bits can also be detecte - [SQUIP](https://www.nextplatform.com/2022/08/11/squip-side-channel-attack-rattles-amds-zen-cores/) [[Archive.org]](https://web.archive.org/web/20220812082548/https://www.nextplatform.com/2022/08/11/squip-side-channel-attack-rattles-amds-zen-cores/) - Scheduler Queue Usage via Interface Probing. All of AMD's Zen CPUs are vulnerable to a medium-severity flaw which can allow threat actors to run side-channel attacks. - [Hertzbleed](https://www.schneier.com/blog/archives/2022/06/hertzbleed-a-new-side-channel-attack.html) [[Archive.org]](https://web.archive.org/web/20220712000058/https://www.schneier.com/blog/archives/2022/06/hertzbleed-a-new-side-channel-attack.html) - Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard. This new attack measures power consumption by measuring time, making it easier to exploit. - [Retbleed](https://www.bleepingcomputer.com/news/security/new-retbleed-speculative-execution-cpu-attack-bypasses-retpoline-fixes/) [[Archive.org]](https://web.archive.org/web/20220804151557/https://www.bleepingcomputer.com/news/security/new-retbleed-speculative-execution-cpu-attack-bypasses-retpoline-fixes/) - Retbleed focuses on return instructions, which are part of the retpoline software mitigation against the speculative execution class of attacks that became known starting early 2018, with Spectre. - + # Appendix B6: Warning for using Orbot on Android While this is often misunderstood, Orbot on Android does not make your "Tor-Enabled Apps" go through Tor if you add them to the list. Orbot is acting as a device-wide VPN or (also known as a transparent proxy). The list of apps using Orbot is a whitelist. This list will not make some apps magically use Tor and unchecked ones use the clear-net. 
This only ensures the device-wide VPN is using Tor to route traffic. This means that Orbot can only control what app can access the VPN it creates. Other apps will lose connectivity. @@ -12497,7 +12497,7 @@ And from [a post](https://tor.stackexchange.com/questions/427/is-running-tor-ove "The danger (beyond the performance hit) which keeps me from running Tor over Tor has to do with timing and congestion measurements. Adversaries watching your traffic at the exit(s) of your circuits have a better chance of linking your Whonix activity with your [Tor Browser Bundle] activity when those shared circuits slow down or drop packets at the same time. This can happen without Tor over Tor when your instances use a common upstream link. The linkage will be made tighter and more explicit if you run the Whonix Tor traffic through your TBB SOCKS5 Tor circuits. This tighter linkage raises the danger of successful correlation." -# Appendix B7: Caution about Session Messenger +# Appendix B7: Caution about Session Messenger Here are our reasons for being cautious about Session messenger in general: @@ -13080,7 +13080,7 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab [^282]: Internet Archive, Invisibler, What Everybody Ought to Know About HideMyAss [^283]: Wikipedia, Warrant Canary [[Wikiless]](https://wikiless.org/wiki/Warrant_canary) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Warrant_canary) - + [^284]: Washington Post, The intelligence coup of the century [[Archive.org]](https://web.archive.org/web/https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/) [^285]: Swissinfo.ch, Second Swiss firm allegedly sold encrypted spying devices [[Archive.org]](https://web.archive.org/web/https://www.swissinfo.ch/eng/second-swiss-firm-allegedly-sold-encrypted-spying-devices/46186432) 
@@ -13580,15 +13580,15 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab [^534]: Wikipedia, Passphrase [[Wikiless]](https://wikiless.org/wiki/Passphrase#Passphrase_selection) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Passphrase#Passphrase_selection) [^535]: Monero Research Lab, Evaluating cryptocurrency security and privacy in a post-quantum world [[Archive.org]](https://web.archive.org/web/https://github.com/insight-decentralized-consensus-lab/post-quantum-monero/blob/master/writeups/technical_note.pdf) - + [^536]: Wikipedia, Privacy in Australian Law [[Wikiless]](https://wikiless.org/wiki/Privacy_in_Australian_law) [[Archive.org]](https://web.archive.org/web/https://en.wikipedia.org/wiki/Privacy_in_Australian_law) [^537]: Parliament of Autralia, Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, [[Archive.org]](https://web.archive.org/web[/https://en.wikipedia.org/wiki/Privacy_in_Australian_law](https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6623)) - + [^538]: Lokinet Documentation, Service Nodes, [[Archive.org]](https://web.archive.org/https://loki.network/service-nodes/) [^539]: Session Documentation, Session protocol explained, [[Archive.org]](https://web.archive.org/[https://loki.network/service-nodes/](https://getsession.org/session-protocol-explained)) - + [Contents:]: #contents [Pre-requisites and limitations:]: #pre-requisites-and-limitations [Pre-requisites:]: #pre-requisites 
@@ -13888,8 +13888,8 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab [Appendix B2: Monero Disclaimer]: #appendix-b2-monero-disclaimer [Appendix B3: Threat modeling resources]: #appendix-b3-threat-modeling-resources [Appendix B4: Important notes about evil-maid and tampering]: #appendix-b4-important-notes-about-evil-maid-and-tampering - [Appendix B5: Types of CPU attacks:]: #appendix-b5-types-of-cpu-attacks - [Appendix B6: Warning for using Orbot on Android]: #appendix-b6-warning-for-using-orbot-on-android + [Appendix B5: Types of CPU attacks:]: #appendix-b5-types-of-cpu-attacks + [Appendix B6: Warning for using Orbot on Android]: #appendix-b6-warning-for-using-orbot-on-android [Appendix B7: Caution about Session Messenger]: #appendix-b7-caution-about-session-messenger [References:]: #references [Tor over VPN]: #tor-over-vpn diff --git a/docs/rules/audit/audit_acls_files_configure.yaml b/docs/rules/audit/audit_acls_files_configure.yaml index bcee2de..98171f8 100644 --- a/docs/rules/audit/audit_acls_files_configure.yaml +++ b/docs/rules/audit/audit_acls_files_configure.yaml @@ -2,11 +2,11 @@ id: audit_acls_files_configure title: "Configure Audit Log Files to Not Contain Access Control Lists" discussion: | The audit log files _MUST_ not contain access control lists (ACLs). - + This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files. check: | /bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":" -result: +result: integer: 0 fix: | [source,bash] 
@@ -38,13 +38,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
diff --git a/docs/rules/audit/audit_acls_folders_configure.yaml b/docs/rules/audit/audit_acls_folders_configure.yaml
index 817470d..219eec4 100644
--- a/docs/rules/audit/audit_acls_folders_configure.yaml
+++ b/docs/rules/audit/audit_acls_folders_configure.yaml
@@ -36,13 +36,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
@@ -50,4 +50,4 @@ tags:
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_auditd_enabled.yaml b/docs/rules/audit/audit_auditd_enabled.yaml
index bdcc245..5eb4c09 100644
--- a/docs/rules/audit/audit_auditd_enabled.yaml
+++ b/docs/rules/audit/audit_auditd_enabled.yaml
@@ -1,10 +1,10 @@
 id: audit_auditd_enabled
 title: "Enable Security Auditing"
 discussion: |
- The information system _MUST_ be configured to generate audit records.
- 
+ The information system _MUST_ be configured to generate audit records.
+
 Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
- 
+
 The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
 The information system initiates session audits at system start-up.
@@ -22,7 +22,7 @@ fix: |
 references:
 cce:
 - CCE-90854-1
- cci:
+ cci:
 - CCI-000130
 - CCI-000131
 - CCI-000132
@@ -45,8 +45,8 @@ references:
 - AU-12(3)
 - AU-14(1)
 - MA-4(1)
- - CM-5(1)
- 800-53r4:
+ - CM-5(1)
+ 800-53r4:
 - AU-3
 - AU-3(1)
 - AU-8
@@ -83,13 +83,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
@@ -97,4 +97,4 @@ tags:
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_configure_capacity_notify.yaml b/docs/rules/audit/audit_configure_capacity_notify.yaml
index b888593..d94726f 100644
--- a/docs/rules/audit/audit_configure_capacity_notify.yaml
+++ b/docs/rules/audit/audit_configure_capacity_notify.yaml
@@ -1,7 +1,7 @@
 id: audit_configure_capacity_notify
 title: "Configure Audit Capacity Warning"
 discussion: |
- The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
+ The audit service _MUST_ be configured to notify the system administrator when the amount of free disk space remaining reaches an organization defined value.
 This rule ensures that the system administrator is notified in advance that action is required to free up more disk space for audit logs.
 check: |
@@ -11,7 +11,7 @@ result:
 fix: |
 [source,bash]
 ----
- /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s
+ /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/sbin/audit -s
 ----
 references:
 cce:
@@ -20,7 +20,7 @@ references:
 - CCI-001855
 800-53r5:
 - AU-5(1)
- 800-53r4:
+ 800-53r4:
 - AU-5(1)
 srg:
 - SRG-OS-000343-GPOS-00134
@@ -29,9 +29,9 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_high
+ - 800-53r5_high
 - 800-53r4_high
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_control_acls_configure.yaml b/docs/rules/audit/audit_control_acls_configure.yaml
index 6890bd4..45d1e79 100644
--- a/docs/rules/audit/audit_control_acls_configure.yaml
+++ b/docs/rules/audit/audit_control_acls_configure.yaml
@@ -4,7 +4,7 @@ discussion: |
 /etc/security/audit_control _MUST_ not contain Access Control Lists (ACLs).
 check: |
 /bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
-result:
+result:
 integer: 0
 fix: |
 [source,bash]
@@ -38,4 +38,4 @@ tags:
 - cis_lvl2
 - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_control_group_configure.yaml b/docs/rules/audit/audit_control_group_configure.yaml
index b0dab4c..3006b28 100644
--- a/docs/rules/audit/audit_control_group_configure.yaml
+++ b/docs/rules/audit/audit_control_group_configure.yaml
@@ -38,4 +38,4 @@ tags:
 - cis_lvl2
 - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_control_mode_configure.yaml b/docs/rules/audit/audit_control_mode_configure.yaml
index a3b32ab..9599a8f 100644
--- a/docs/rules/audit/audit_control_mode_configure.yaml
+++ b/docs/rules/audit/audit_control_mode_configure.yaml
@@ -38,4 +38,4 @@ tags:
 - cis_lvl2
 - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_control_owner_configure.yaml b/docs/rules/audit/audit_control_owner_configure.yaml
index 7fd10d5..85f82ef 100644
--- a/docs/rules/audit/audit_control_owner_configure.yaml
+++ b/docs/rules/audit/audit_control_owner_configure.yaml
@@ -38,4 +38,4 @@ tags:
 - cis_lvl2
 - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_enforce_dual_auth.yaml b/docs/rules/audit/audit_enforce_dual_auth.yaml
index c5a2f20..36f0785 100644
--- a/docs/rules/audit/audit_enforce_dual_auth.yaml
+++ b/docs/rules/audit/audit_enforce_dual_auth.yaml
@@ -2,10 +2,10 @@ id: audit_enforce_dual_auth
 title: "Enforce Dual Authorization for Movement and Deletion of Audit Information"
 discussion: |
 All bulk manipulation of audit information should be authorized via automatic processes, and any manual manipulation of audit information should require dual authorization. In addition, dual authorization mechanisms should require the approval of two authorized individuals before being executed.
- 
+
 An authorized user may intentionally or accidentally move or delete audit records without those specific actions being authorized, which would result in the loss of information that could, in the future, be critical for forensic investigation.
- 
- To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
+
+ To enforce dual authorization before audit information can be moved or deleted, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.
 check: |
 The technology does not support this requirement. This is an applicable-does not meet finding.
 fix: |
diff --git a/docs/rules/audit/audit_failure_halt.yaml b/docs/rules/audit/audit_failure_halt.yaml
index 3cc7908..04d6755 100644
--- a/docs/rules/audit/audit_failure_halt.yaml
+++ b/docs/rules/audit/audit_failure_halt.yaml
@@ -1,11 +1,11 @@
 id: audit_failure_halt
 title: "Configure System to Shut Down Upon Audit Failure"
 discussion: |
- The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
+ The audit service _MUST_ be configured to shut down the computer if it is unable to audit system events.
- Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+ Once audit failure occurs, user and system activity are no longer recorded, and malicious activity could go undetected. Audit processing failures can occur due to software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
 check: |
- /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
+ /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'
 result:
 integer: 1
 fix: |
@@ -16,11 +16,11 @@ fix: |
 references:
 cce:
 - CCE-90857-4
- cci:
+ cci:
 - CCI-000140
 800-53r5:
 - AU-5
- 800-53r4:
+ 800-53r4:
 - AU-5
 srg:
 - SRG-OS-000047-GPOS-00023
@@ -31,15 +31,15 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_files_group_configure.yaml b/docs/rules/audit/audit_files_group_configure.yaml
index 13f89ca..78cbcb0 100644
--- a/docs/rules/audit/audit_files_group_configure.yaml
+++ b/docs/rules/audit/audit_files_group_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Audit Log Files Group to Wheel"
 discussion: |
 Audit log files _MUST_ have the group set to wheel.
- The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
+ The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs.
 Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated.
 check: |
@@ -38,13 +38,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
@@ -52,4 +52,4 @@ tags:
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_files_mode_configure.yaml b/docs/rules/audit/audit_files_mode_configure.yaml
index d043286..e811acd 100644
--- a/docs/rules/audit/audit_files_mode_configure.yaml
+++ b/docs/rules/audit/audit_files_mode_configure.yaml
@@ -1,7 +1,7 @@
 id: audit_files_mode_configure
 title: "Configure Audit Log Files to Mode 440 or Less Permissive"
 discussion: |
- The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
+ The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
 check: |
 /bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
 result:
@@ -14,11 +14,11 @@ fix: |
 references:
 cce:
 - CCE-90859-0
- cci:
+ cci:
 - CCI-000162
 800-53r5:
 - AU-9
- 800-53r4:
+ 800-53r4:
 - AU-9
 srg:
 - SRG-OS-000057-GPOS-00027
@@ -34,13 +34,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
diff --git a/docs/rules/audit/audit_files_owner_configure.yaml b/docs/rules/audit/audit_files_owner_configure.yaml
index 256baf0..5504f81 100644
--- a/docs/rules/audit/audit_files_owner_configure.yaml
+++ b/docs/rules/audit/audit_files_owner_configure.yaml
@@ -1,13 +1,13 @@
 id: audit_files_owner_configure
-title: "Configure Audit Log Files to be Owned by Root"
+title: "Configure Audit Log Files to be Owned by Root"
 discussion: |
 Audit log files _MUST_ be owned by root.
- 
+
 The audit service _MUST_ be configured to create log files with the correct ownership to prevent normal users from reading audit logs.
- 
+
 Audit logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated.
 check: |
- /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
+ /bin/ls -n $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{s+=$3} END {print s}'
 result:
 integer: 0
 fix: |
@@ -38,13 +38,13 @@ references:
 macOS:
 - "12.0"
 tags:
- - 800-53r5_low
- - 800-53r5_moderate
- - 800-53r5_high
- - 800-53r4_low
- - 800-53r4_moderate
- - 800-53r4_high
- - 800-171
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
 - cnssi-1253
 - cis_lvl1
 - cis_lvl2
@@ -52,4 +52,4 @@ tags:
 - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/audit/audit_flags_aa_configure.yaml b/docs/rules/audit/audit_flags_aa_configure.yaml
index d3cda66..e47ef82 100644
--- a/docs/rules/audit/audit_flags_aa_configure.yaml
+++ b/docs/rules/audit/audit_flags_aa_configure.yaml
@@ -2,9 +2,9 @@ id: audit_flags_aa_configure title: "Configure System to Audit All Authorization and Authentication Events" discussion: | The auditing system _MUST_ be configured to flag authorization and authentication (aa) events. - - Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. - + + Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events. + Audit records can be generated from various components within the information system (e.g., via a module or policy filter). check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa' @@ -43,16 +43,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_ad_configure.yaml b/docs/rules/audit/audit_flags_ad_configure.yaml index a3c5046..5223d2d 100644 --- a/docs/rules/audit/audit_flags_ad_configure.yaml +++ b/docs/rules/audit/audit_flags_ad_configure.yaml 
@@ -3,13 +3,13 @@ title: "Configure System to Audit All Administrative Action Events" discussion: | The auditing system _MUST_ be configured to flag administrative action (ad) events. - Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. + Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. - Audit records can be generated from various components within the information system (e.g., via a module or policy filter). + Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. - NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. + NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag. check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' result: @@ -22,7 +22,7 @@ fix: | references: cce: - CCE-90862-4 - cci: + cci: - CCI-000018 - CCI-000172 - CCI-001403 @@ -37,7 +37,7 @@ references: - AC-2(4) - AU-2 - MA-4(1) - - CM-5(1) + - CM-5(1) 800-53r4: - AU-2 - AC-2(4) 
@@ -64,16 +64,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_moderate - - 800-53r5_high - - 800-53r5_low - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_configure.yaml b/docs/rules/audit/audit_flags_configure.yaml index c5e1a08..655c8e7 100644 --- a/docs/rules/audit/audit_flags_configure.yaml +++ b/docs/rules/audit/audit_flags_configure.yaml @@ -48,4 +48,4 @@ tags: - cisv8 severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_ex_configure.yaml b/docs/rules/audit/audit_flags_ex_configure.yaml index 690e3e9..7bdf1e5 100644 --- a/docs/rules/audit/audit_flags_ex_configure.yaml +++ b/docs/rules/audit/audit_flags_ex_configure.yaml 
@@ -3,9 +3,9 @@ title: "Configure System to Audit All Failed Program Execution on the System" discussion: | The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. - Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). - - This configuration ensures that audit lists include events in which program execution has failed. + Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). + + This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' @@ -20,7 +20,7 @@ references: cce: - CCE-90863-2 cci: - - N/A + - N/A 800-53r5: - AC-2(12) - AU-12 @@ -50,4 +50,4 @@ tags: - 800-171 - cnssi-1253 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_fd_configure.yaml b/docs/rules/audit/audit_flags_fd_configure.yaml index 63b7a0e..8fe66eb 100644 --- a/docs/rules/audit/audit_flags_fd_configure.yaml +++ b/docs/rules/audit/audit_flags_fd_configure.yaml 
@@ -1,11 +1,11 @@ id: audit_flags_fd_configure title: "Configure System to Audit All Deletions of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd). + The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd). - ***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). - - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. + ***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -30,8 +30,8 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) @@ -54,11 +54,11 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r5_low - - 800-53r5_moderate + - 800-53r5_privacy + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_fm_configure.yaml b/docs/rules/audit/audit_flags_fm_configure.yaml index c1184b1..a1fc97d 100644 --- a/docs/rules/audit/audit_flags_fm_configure.yaml 
+++ b/docs/rules/audit/audit_flags_fm_configure.yaml @@ -1,11 +1,11 @@ id: audit_flags_fm_configure title: "Configure System to Audit All Changes of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). + The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm). - Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions). - - This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. + Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -30,8 +30,8 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) @@ -57,4 +57,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_fm_failed_configure.yaml b/docs/rules/audit/audit_flags_fm_failed_configure.yaml index 6a42be7..8c43786 100644 --- a/docs/rules/audit/audit_flags_fm_failed_configure.yaml +++ b/docs/rules/audit/audit_flags_fm_failed_configure.yaml 
@@ -1,11 +1,11 @@ id: audit_flags_fm_failed_configure title: "Configure System to Audit All Failed Change of Object Attributes" discussion: | - The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). + The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (-fm). - Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). - - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. + Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -29,13 +29,13 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) - MA-4(1) - srg: + srg: - N/A disa_stig: - N/A @@ -57,4 +57,4 @@ tags: - 800-53r4_high severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_fr_configure.yaml b/docs/rules/audit/audit_flags_fr_configure.yaml index 590cb5c..ea19ff6 100644 --- a/docs/rules/audit/audit_flags_fr_configure.yaml +++ b/docs/rules/audit/audit_flags_fr_configure.yaml 
@@ -1,11 +1,11 @@ id: audit_flags_fr_configure title: "Configure System to Audit All Failed Read Actions on the System" discussion: | - The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. + The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. - Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). + Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | @@ -30,8 +30,8 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) @@ -56,16 +56,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: 
diff --git a/docs/rules/audit/audit_flags_fw_configure.yaml b/docs/rules/audit/audit_flags_fw_configure.yaml index 126ce52..468c7dd 100644 --- a/docs/rules/audit/audit_flags_fw_configure.yaml +++ b/docs/rules/audit/audit_flags_fw_configure.yaml @@ -2,11 +2,11 @@ id: audit_flags_fw_configure title: "Configure System to Audit All Failed Write Actions on the System" discussion: | The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts. - - Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). - This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. - + Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions). + + This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file. + Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. check: | /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw' @@ -29,8 +29,8 @@ references: - AU-9 - CM-5(1) - MA-4(1) - 800-53r4: - - AU-2 + 800-53r4: + - AU-2 - AU-12 - AU-9 - CM-5(1) 
@@ -55,16 +55,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_flags_lo_configure.yaml b/docs/rules/audit/audit_flags_lo_configure.yaml index 0100645..4b1fff9 100644 --- a/docs/rules/audit/audit_flags_lo_configure.yaml +++ b/docs/rules/audit/audit_flags_lo_configure.yaml @@ -1,7 +1,7 @@ id: audit_flags_lo_configure title: "Configure System to Audit All Log In and Log Out Events" discussion: | - The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo). + The audit system _MUST_ be configured to record all attempts to log in and out of the system (lo). Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing both successful and unsuccessful attempts to switch to another user account (by way of monitoring login and logout events) mitigates this risk. @@ -18,7 +18,7 @@ fix: | references: cce: - CCE-90868-1 - cci: + cci: - CCI-000067 - CCI-000172 800-53r5: @@ -28,7 +28,7 @@ references: - AU-2 - MA-4(1) 800-53r4: - - AU-2 + - AU-2 - AC-17(1) - AU-12 - MA-4(1) 
@@ -44,16 +44,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-171 + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_folder_group_configure.yaml b/docs/rules/audit/audit_folder_group_configure.yaml index 1936ef2..30aab81 100644 --- a/docs/rules/audit/audit_folder_group_configure.yaml +++ b/docs/rules/audit/audit_folder_group_configure.yaml @@ -3,7 +3,7 @@ title: "Configure Audit Log Folders Group to Wheel" discussion: | Audit log files _MUST_ have the group set to wheel. - The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. + The audit service _MUST_ be configured to create log files with the correct group ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and users. If log files are set to be readable and writable only by system administrators, the risk is mitigated. check: | @@ -38,13 +38,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -52,4 +52,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_folder_owner_configure.yaml b/docs/rules/audit/audit_folder_owner_configure.yaml index 267f136..b02f82d 100644 
--- a/docs/rules/audit/audit_folder_owner_configure.yaml +++ b/docs/rules/audit/audit_folder_owner_configure.yaml @@ -1,5 +1,5 @@ id: audit_folder_owner_configure -title: "Configure Audit Log Folders to be Owned by Root" +title: "Configure Audit Log Folders to be Owned by Root" discussion: | Audit log files _MUST_ be owned by root. @@ -38,13 +38,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -52,4 +52,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_folders_mode_configure.yaml b/docs/rules/audit/audit_folders_mode_configure.yaml index 82da587..6f35d6c 100644 --- a/docs/rules/audit/audit_folders_mode_configure.yaml +++ b/docs/rules/audit/audit_folders_mode_configure.yaml 
@@ -1,9 +1,9 @@ id: audit_folders_mode_configure title: "Configure Audit Log Folders to Mode 700 or Less Permissive" discussion: | - The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. + The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders. - Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. + Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs. check: | /usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') result: @@ -16,13 +16,13 @@ fix: | references: cce: - CCE-90871-5 - cci: + cci: - CCI-000162 - CCI-000163 - CCI-000164 800-53r5: - AU-9 - 800-53r4: + 800-53r4: - AU-9 srg: - SRG-OS-000057-GPOS-00027 @@ -40,13 +40,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -54,4 +54,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_off_load_records.yaml b/docs/rules/audit/audit_off_load_records.yaml index 321f4f4..d372dc3 100644 --- a/docs/rules/audit/audit_off_load_records.yaml +++ b/docs/rules/audit/audit_off_load_records.yaml 
@@ -3,9 +3,9 @@ title: "Off-Load Audit Records" discussion: | Audit records should be off-loaded onto a different system or media from the system being audited. - Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. + Information stored in only one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. - To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To secure audit records by off-loading, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/docs/rules/audit/audit_record_reduction_report_generation.yaml b/docs/rules/audit/audit_record_reduction_report_generation.yaml index c0fbf25..5bf9e7e 100644 --- a/docs/rules/audit/audit_record_reduction_report_generation.yaml +++ b/docs/rules/audit/audit_record_reduction_report_generation.yaml 
@@ -1,8 +1,8 @@ id: audit_record_reduction_report_generation title: "Audit Record Reduction and Report Generation" discussion: | - The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. - + The system _IS_ configured with the ability provide and implement an audit record reduction and report generation capability. + Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient. Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP). @@ -13,11 +13,11 @@ fix: | references: cce: - CCE-90873-1 - cci: + cci: - N/A 800-53r5: - AU-7 - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -33,4 +33,4 @@ tags: - 800-53r5_moderate - inherent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_records_processing.yaml b/docs/rules/audit/audit_records_processing.yaml index 482165a..bd63cc4 100644 --- a/docs/rules/audit/audit_records_processing.yaml +++ b/docs/rules/audit/audit_records_processing.yaml 
@@ -2,7 +2,7 @@ id: audit_records_processing title: "Audit Record Reduction and Report Generation" discussion: | The macOS should be configured to provide and implement the capability to process, sort, and search audit records for events of interest based on organizationally defined fields. - + Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component. check: | The technology does not support this requirement. This is an applicable-does not meet finding. @@ -11,11 +11,11 @@ fix: | references: cce: - CCE-90874-9 - cci: + cci: - N/A 800-53r5: - AU-7(1) - 800-53r4: + 800-53r4: - N/A srg: - N/A @@ -31,4 +31,4 @@ tags: - 800-53r5_moderate - permanent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_retention_configure.yaml b/docs/rules/audit/audit_retention_configure.yaml index c81212d..a5e48e2 100644 --- a/docs/rules/audit/audit_retention_configure.yaml +++ b/docs/rules/audit/audit_retention_configure.yaml 
@@ -1,8 +1,8 @@ id: audit_retention_configure title: "Configure Audit Retention to a Minimum of Seven Days" discussion: | - The audit service _MUST_ be configured to require records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility. - + The audit service _MUST_ be configured to require records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility. + When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old. check: | /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control @@ -37,16 +37,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_privacy - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_privacy + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - cisv8 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_retention_configure_sixty_days.yaml b/docs/rules/audit/audit_retention_configure_sixty_days.yaml index 6b61dd9..3a6af8e 100644 --- a/docs/rules/audit/audit_retention_configure_sixty_days.yaml +++ b/docs/rules/audit/audit_retention_configure_sixty_days.yaml 
@@ -1,8 +1,8 @@ id: audit_retention_configure_sixty_days title: "Configure Audit Retention to a Minimum of Sixty Days or One Gigabyte" discussion: | - The audit service _MUST_ be configured to require records be kept for sixty days or longer before deletion, unless the system uses a central audit record storage facility. - + The audit service _MUST_ be configured to require records be kept for sixty days or longer before deletion, unless the system uses a central audit record storage facility. + When "expire-after" is set to "60d", the audit service will not delete audit logs until the log data is at least sixty days old. check: | /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control @@ -42,4 +42,4 @@ tags: - cisv8 severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/audit/audit_settings_failure_notify.yaml b/docs/rules/audit/audit_settings_failure_notify.yaml index bff4e51..8fbfb80 100644 --- a/docs/rules/audit/audit_settings_failure_notify.yaml +++ b/docs/rules/audit/audit_settings_failure_notify.yaml 
@@ -1,9 +1,9 @@ id: audit_settings_failure_notify title: "Configure Audit Failure Notification" discussion: | - The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. + The audit service _MUST_ be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. - It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. + It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. check: | /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn result: @@ -16,12 +16,12 @@ fix: | references: cce: - CCE-90876-4 - cci: + cci: - CCI-001858 800-53r5: - AU-5(2) - AU-5 - 800-53r4: + 800-53r4: - AU-5 - AU-5(2) srg: @@ -33,12 +33,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r4_high - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r4_high + - 800-53r5_high - 800-171 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/auth/auth_pam_login_smartcard_enforce.yaml b/docs/rules/auth/auth_pam_login_smartcard_enforce.yaml index 8663cab..9fdfe92 100644 --- a/docs/rules/auth/auth_pam_login_smartcard_enforce.yaml +++ b/docs/rules/auth/auth_pam_login_smartcard_enforce.yaml 
@@ -2,7 +2,7 @@ id: auth_pam_login_smartcard_enforce title: "Enforce Multifactor Authentication for Login" discussion: | The system _MUST_ be configured to enforce multifactor authentication. - + All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. @@ -44,10 +44,10 @@ references: - IA-2(1) - IA-2(2) - IA-2(8) - 800-53r4: + 800-53r4: - IA-2(3) - IA-2(4) - - IA-5(11) + - IA-5(11) srg: - SRG-OS-000480-GPOS-00227 disa_stig: @@ -64,13 +64,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/auth/auth_pam_su_smartcard_enforce.yaml b/docs/rules/auth/auth_pam_su_smartcard_enforce.yaml index ac268f9..2e473df 100644 --- a/docs/rules/auth/auth_pam_su_smartcard_enforce.yaml +++ b/docs/rules/auth/auth_pam_su_smartcard_enforce.yaml @@ -2,7 +2,7 @@ id: auth_pam_su_smartcard_enforce title: "Enforce Multifactor Authentication for the su Command" discussion: | The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced. - + All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. 
@@ -39,10 +39,10 @@ references: - IA-2(1) - IA-2(2) - IA-2(8) - 800-53r4: + 800-53r4: - IA-2(3) - IA-2(4) - - IA-5(11) + - IA-5(11) srg: - SRG-OS-000480-GPOS-00227 disa_stig: @@ -59,13 +59,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/auth/auth_pam_sudo_smartcard_enforce.yaml b/docs/rules/auth/auth_pam_sudo_smartcard_enforce.yaml index 1a65105..9054e41 100644 --- a/docs/rules/auth/auth_pam_sudo_smartcard_enforce.yaml +++ b/docs/rules/auth/auth_pam_sudo_smartcard_enforce.yaml @@ -1,8 +1,8 @@ id: auth_pam_sudo_smartcard_enforce title: "Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command" discussion: | - The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. - + The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. + All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now require user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. @@ -38,7 +38,7 @@ references: - IA-2(1) - IA-2(2) - IA-2(8) - 800-53r4: + 800-53r4: - IA-2(3) - IA-2(4) - IA-5(11) 
@@ -58,13 +58,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/auth/auth_smartcard_allow.yaml b/docs/rules/auth/auth_smartcard_allow.yaml index 9e8f32c..554977c 100644 --- a/docs/rules/auth/auth_smartcard_allow.yaml +++ b/docs/rules/auth/auth_smartcard_allow.yaml @@ -1,10 +1,10 @@ id: auth_smartcard_allow title: "Allow Smartcard Authentication" discussion: | - Smartcard authentication _MUST_ be allowed. + Smartcard authentication _MUST_ be allowed. The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access. - + When enabled, the smartcard can be used for login, authorization, and screen saver unlocking. check: | /usr/bin/osascript -l JavaScript << EOS @@ -18,13 +18,13 @@ fix: | references: cce: - CCE-90880-6 - cci: + cci: - N/A 800-53r5: - IA-2(1) - IA-2(2) - IA-2(12) - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(11) srg: diff --git a/docs/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml b/docs/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml index b3142cc..febccc8 100644 --- a/docs/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml +++ b/docs/rules/auth/auth_smartcard_certificate_trust_enforce_high.yaml 
@@ -1,8 +1,8 @@ id: auth_smartcard_certificate_trust_enforce_high title: "Set Smartcard Certificate Trust to High" discussion: | - The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). - + The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). + To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. By setting the smartcard certificate trust level to high, the system will execute a hard revocation, i.e., a network connection is required. A verified positive response from the OSCP/CRL server is required for authentication to succeed. @@ -20,12 +20,12 @@ fix: | references: cce: - CCE-90881-4 - cci: + cci: - CCI-000186 800-53r5: - IA-5(2) - SC-17 - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(2) srg: diff --git a/docs/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml b/docs/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml index bb4c9b7..feb1ea4 100644 --- a/docs/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml +++ b/docs/rules/auth/auth_smartcard_certificate_trust_enforce_moderate.yaml 
@@ -1,7 +1,7 @@ id: auth_smartcard_certificate_trust_enforce_moderate title: "Set Smartcard Certificate Trust to Moderate" discussion: | - The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). + The macOS system _MUST_ be configured to block access to users who are no longer authorized (i.e., users with revoked certificates). To prevent the use of untrusted certificates, the certificates on a smartcard card _MUST_ meet the following criteria: its issuer has a system-trusted certificate, the certificate is not expired, its "valid-after" date is in the past, and it passes Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checking. @@ -20,7 +20,7 @@ fix: | references: cce: - CCE-90882-2 - cci: + cci: - CCI-000186 - CCI-001953 - CCI-001954 @@ -29,7 +29,7 @@ references: 800-53r5: - IA-5(2) - SC-17 - 800-53r4: + 800-53r4: - IA-2(12) - IA-5(2) srg: @@ -43,8 +43,8 @@ references: macOS: - "12.0" tags: - - 800-53r4_moderate - - 800-53r5_moderate + - 800-53r4_moderate + - 800-53r5_moderate - cnssi-1253 - stig severity: "medium" diff --git a/docs/rules/auth/auth_smartcard_enforce.yaml b/docs/rules/auth/auth_smartcard_enforce.yaml index 8181627..c3e081e 100644 --- a/docs/rules/auth/auth_smartcard_enforce.yaml +++ b/docs/rules/auth/auth_smartcard_enforce.yaml @@ -8,7 +8,7 @@ discussion: | When enforceSmartCard is set to "true", the smartcard must be used for login, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a user is exempt from smartcard enforcement. - + NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work. check: | /usr/bin/osascript -l JavaScript << EOS 
@@ -64,13 +64,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/auth/auth_ssh_password_authentication_disable.yaml b/docs/rules/auth/auth_ssh_password_authentication_disable.yaml index 943c180..61611f0 100644 --- a/docs/rules/auth/auth_ssh_password_authentication_disable.yaml +++ b/docs/rules/auth/auth_ssh_password_authentication_disable.yaml @@ -59,12 +59,12 @@ macOS: - "12.0" tags: - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 mobileconfig: false diff --git a/docs/rules/icloud/icloud_addressbook_disable.yaml b/docs/rules/icloud/icloud_addressbook_disable.yaml index b8ff14b..b4d35ab 100644 --- a/docs/rules/icloud/icloud_addressbook_disable.yaml +++ b/docs/rules/icloud/icloud_addressbook_disable.yaml @@ -1,7 +1,7 @@ id: icloud_addressbook_disable title: "Disable iCloud Address Book" discussion: | - The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Contacts.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data, and, therefore, automated contact synchronization _MUST_ be controlled by an organization approved service. check: | 
@@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_appleid_prefpane_disable.yaml b/docs/rules/icloud/icloud_appleid_prefpane_disable.yaml index 3f206f7..1e4abf5 100644 --- a/docs/rules/icloud/icloud_appleid_prefpane_disable.yaml +++ b/docs/rules/icloud/icloud_appleid_prefpane_disable.yaml @@ -3,7 +3,7 @@ title: "Disable the System Preference Pane for Apple ID" discussion: | The system preference pane for Apple ID _MUST_ be disabled. - Disabling the system preference pane prevents login to Apple ID and iCloud. + Disabling the system preference pane prevents login to Apple ID and iCloud. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.AppleID' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -13,14 +13,14 @@ fix: | references: cce: - CCE-90886-3 - cci: + cci: - CCI-001774 800-53r5: - AC-20 - AC-20(1) - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-20 @@ -41,13 +41,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig @@ -55,5 +55,5 @@ severity: "high" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - DisabledPreferencePanes: + DisabledPreferencePanes: - com.apple.preferences.AppleIDPrefPane diff --git a/docs/rules/icloud/icloud_bookmarks_disable.yaml b/docs/rules/icloud/icloud_bookmarks_disable.yaml index cbf21ff..d9f7751 100644 --- a/docs/rules/icloud/icloud_bookmarks_disable.yaml 
+++ b/docs/rules/icloud/icloud_bookmarks_disable.yaml @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_calendar_disable.yaml b/docs/rules/icloud/icloud_calendar_disable.yaml index e992d9a..8b0296d 100644 --- a/docs/rules/icloud/icloud_calendar_disable.yaml +++ b/docs/rules/icloud/icloud_calendar_disable.yaml @@ -1,8 +1,8 @@ id: icloud_calendar_disable title: "Disable the iCloud Calendar Services" discussion: | - The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. - + The macOS built-in Calendar.app connection to Apple's iCloud service _MUST_ be disabled. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated calendar synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS @@ -16,7 +16,7 @@ fix: | references: cce: - CCE-90888-9 - cci: + cci: - CCI-000381 - CCI-001774 800-53r5: @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_drive_disable.yaml b/docs/rules/icloud/icloud_drive_disable.yaml index 1119ce0..74f14ad 100644 
--- a/docs/rules/icloud/icloud_drive_disable.yaml +++ b/docs/rules/icloud/icloud_drive_disable.yaml @@ -1,9 +1,9 @@ id: icloud_drive_disable title: "Disable iCloud Document Sync" discussion: | - The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. + The macOS built-in iCloud document synchronization service _MUST_ be disabled to prevent organizational data from being synchronized to personal or non-approved storage. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated document synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_keychain_disable.yaml b/docs/rules/icloud/icloud_keychain_disable.yaml index fb4ed6a..537db88 100644 --- a/docs/rules/icloud/icloud_keychain_disable.yaml +++ b/docs/rules/icloud/icloud_keychain_disable.yaml 
@@ -1,9 +1,9 @@ id: icloud_keychain_disable title: "Disable iCloud Keychain Sync" discussion: | - The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. - - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. + The macOS system's ability to automatically synchronize a user's passwords to their iCloud account _MUST_ be disabled. + + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, password management and synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -40,7 +40,7 @@ references: - 3.4.6 cis: benchmark: - - N/A + - N/A controls v8: - 4.1 - 4.8 @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_mail_disable.yaml b/docs/rules/icloud/icloud_mail_disable.yaml index 4ac9319..f3031d8 100644 --- a/docs/rules/icloud/icloud_mail_disable.yaml +++ b/docs/rules/icloud/icloud_mail_disable.yaml @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) 
@@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_notes_disable.yaml b/docs/rules/icloud/icloud_notes_disable.yaml index e6eadbd..6ac311c 100644 --- a/docs/rules/icloud/icloud_notes_disable.yaml +++ b/docs/rules/icloud/icloud_notes_disable.yaml @@ -1,7 +1,7 @@ id: icloud_notes_disable title: "Disable iCloud Notes" discussion: | - The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Notes.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated Notes synchronization _MUST_ be controlled by an organization approved service. check: | @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_photos_disable.yaml b/docs/rules/icloud/icloud_photos_disable.yaml index 076d59d..b642cbb 100644 --- a/docs/rules/icloud/icloud_photos_disable.yaml +++ b/docs/rules/icloud/icloud_photos_disable.yaml 
@@ -1,9 +1,9 @@ id: icloud_photos_disable title: "Disable iCloud Photo Library" discussion: | - The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Photos.app connection to Apple's iCloud service _MUST_ be disabled. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated photo synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_private_relay_disable.yaml b/docs/rules/icloud/icloud_private_relay_disable.yaml index bbbdecd..2de7011 100644 --- a/docs/rules/icloud/icloud_private_relay_disable.yaml +++ b/docs/rules/icloud/icloud_private_relay_disable.yaml @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) 
@@ -42,17 +42,17 @@ references: controls v8: - 4.1 - 4.8 - - 15.3 + - 15.3 macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 severity: "medium" mobileconfig: true diff --git a/docs/rules/icloud/icloud_reminders_disable.yaml b/docs/rules/icloud/icloud_reminders_disable.yaml index 800f14f..6148553 100644 --- a/docs/rules/icloud/icloud_reminders_disable.yaml +++ b/docs/rules/icloud/icloud_reminders_disable.yaml @@ -1,7 +1,7 @@ id: icloud_reminders_disable title: "Disable iCloud Reminders" discussion: | - The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. + The macOS built-in Reminders.app connection to Apple's iCloud service _MUST_ be disabled. Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated reminders synchronization _MUST_ be controlled by an organization approved service. check: | @@ -24,7 +24,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) @@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/icloud/icloud_sync_disable.yaml b/docs/rules/icloud/icloud_sync_disable.yaml index 6cb4ce2..5acb226 100644 --- a/docs/rules/icloud/icloud_sync_disable.yaml +++ b/docs/rules/icloud/icloud_sync_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable iCloud Desktop and Document Folder Sync" discussion: | The macOS system's ability to automatically synchronize a user's desktop and documents folder to their iCloud Drive _MUST_ be disabled. - Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. + Apple's iCloud service does not provide an organization with enough control over the storage and access of data and, therefore, automated file synchronization _MUST_ be controlled by an organization approved service. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -23,7 +23,7 @@ references: - AC-20(1) - CM-7 - CM-7(1) - - SC-7(10) + - SC-7(10) 800-53r4: - CM-7 - CM-7(1) diff --git a/docs/rules/os/os_airdrop_disable.yaml b/docs/rules/os/os_airdrop_disable.yaml index d1539aa..450c965 100644 --- a/docs/rules/os/os_airdrop_disable.yaml +++ b/docs/rules/os/os_airdrop_disable.yaml @@ -1,9 +1,9 @@ id: os_airdrop_disable title: "Disable AirDrop" -discussion: +discussion: AirDrop _MUST_ be disabled to prevent file transfers to or from unauthorized devices. - - AirDrop allows users to share and receive files from other nearby Apple devices. + + AirDrop allows users to share and receive files from other nearby Apple devices. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -16,7 +16,7 @@ fix: | references: cce: - CCE-90898-8 - cci: + cci: - CCI-000381 800-53r5: - AC-3 
@@ -48,13 +48,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 diff --git a/docs/rules/os/os_anti_virus_installed.yaml b/docs/rules/os/os_anti_virus_installed.yaml index 3c7d4aa..6f034a8 100644 --- a/docs/rules/os/os_anti_virus_installed.yaml +++ b/docs/rules/os/os_anti_virus_installed.yaml @@ -16,11 +16,11 @@ fix: | references: cce: - CCE-90900-2 - cci: + cci: - CCI-000366 800-53r5: - N/A - 800-53r4: + 800-53r4: - SI-2 srg: - SRG-OS-000480-GPOS-00227 @@ -32,4 +32,4 @@ tags: - stig severity: "high" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_appleid_prompt_disable.yaml b/docs/rules/os/os_appleid_prompt_disable.yaml index db4a1e0..2c4d525 100644 --- a/docs/rules/os/os_appleid_prompt_disable.yaml +++ b/docs/rules/os/os_appleid_prompt_disable.yaml @@ -1,10 +1,10 @@ id: os_appleid_prompt_disable title: "Disable Apple ID Setup during Setup Assistant" discussion: | - The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. - + The prompt for Apple ID setup during Setup Assistant _MUST_ be disabled. + macOS will automatically prompt new users to set up an Apple ID while they are going through Setup Assistant if this is not disabled, misleading new users to think they need to create Apple ID accounts upon their first login. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipCloudSetup').js @@ -20,7 +20,7 @@ references: - CCI-000381 800-53r5: - AC-20 - 800-53r4: + 800-53r4: - AC-20 srg: - SRG-OS-000095-GPOS-00049 
@@ -37,13 +37,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/os/os_application_sandboxing.yaml b/docs/rules/os/os_application_sandboxing.yaml index 3bb6d42..e7dd4b7 100644 --- a/docs/rules/os/os_application_sandboxing.yaml +++ b/docs/rules/os/os_application_sandboxing.yaml @@ -1,8 +1,8 @@ id: os_application_sandboxing title: "Ensure Seperate Execution Domain for Processes" discussion: | - The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. - + The inherent configuration of the macOS _IS_ in compliance as Apple has implemented multiple features Mandatory access controls (MAC), System Integrity Protection (SIP), and application sandboxing. + link:https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web[] link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html[] diff --git a/docs/rules/os/os_asl_log_files_owner_group_configure.yaml b/docs/rules/os/os_asl_log_files_owner_group_configure.yaml index 7c054ed..2da0cb4 100644 --- a/docs/rules/os/os_asl_log_files_owner_group_configure.yaml +++ b/docs/rules/os/os_asl_log_files_owner_group_configure.yaml 
@@ -2,7 +2,7 @@ id: os_asl_log_files_owner_group_configure title: "Configure Apple System Log Files Owned by Root and Group to Wheel" discussion: | The Apple System Logs (ASL) _MUST_ be owned by root. - + ASL logs contain sensitive data about the system and users. If ASL log files are set to only be readable and writable by system administrators, the risk is mitigated. check: | /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | /usr/bin/awk '{ print $2 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' @@ -31,9 +31,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_asl_log_files_permissions_configure.yaml b/docs/rules/os/os_asl_log_files_permissions_configure.yaml index 55ec4bd..e74a2e1 100644 --- a/docs/rules/os/os_asl_log_files_permissions_configure.yaml +++ b/docs/rules/os/os_asl_log_files_permissions_configure.yaml @@ -29,9 +29,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_auth_peripherals.yaml b/docs/rules/os/os_auth_peripherals.yaml index 403dcb0..8500fc2 100644 --- a/docs/rules/os/os_auth_peripherals.yaml +++ b/docs/rules/os/os_auth_peripherals.yaml @@ -5,7 +5,7 @@ discussion: | check: | The technology does support this requirement, however, third party solutions are required to implement at an infrastructure level. fix: | - This requirement is a permanent finding and can be fixed by implementing a third party solution. + This requirement is a permanent finding and can be fixed by implementing a third party solution. references: cce: - CCE-90906-9 
@@ -24,7 +24,7 @@ references: - 3.5.2 cis: benchmark: - - N/A + - N/A controls v8: - 13.9 macOS: diff --git a/docs/rules/os/os_authenticated_root_enable.yaml b/docs/rules/os/os_authenticated_root_enable.yaml index 83e277d..dde321f 100644 --- a/docs/rules/os/os_authenticated_root_enable.yaml +++ b/docs/rules/os/os_authenticated_root_enable.yaml @@ -1,8 +1,8 @@ id: os_authenticated_root_enable title: "Enable Authenticated Root" discussion: | - Authenticated Root _MUST_ be enabled. - + Authenticated Root _MUST_ be enabled. + When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. @@ -19,7 +19,7 @@ fix: | references: cce: - CCE-90907-7 - cci: + cci: - N/A 800-53r5: - AC-3 diff --git a/docs/rules/os/os_blank_bluray_disable.yaml b/docs/rules/os/os_blank_bluray_disable.yaml index ad2a56c..ca8b141 100644 --- a/docs/rules/os/os_blank_bluray_disable.yaml +++ b/docs/rules/os/os_blank_bluray_disable.yaml @@ -2,7 +2,7 @@ id: os_blank_bluray_disable title: "Disable Blank Blu Ray" discussion: | Blank Blu Ray media _MUST_ be disabled. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. @@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91094-3 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227 @@ -47,7 +47,7 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - blankbd: + blankbd: - alert - eject - + diff --git a/docs/rules/os/os_blank_cd_disable.yaml b/docs/rules/os/os_blank_cd_disable.yaml index 0033dd5..677d242 100644 
--- a/docs/rules/os/os_blank_cd_disable.yaml +++ b/docs/rules/os/os_blank_cd_disable.yaml @@ -2,7 +2,7 @@ id: os_blank_cd_disable title: "Disable Blank CD" discussion: | Blank CD media _MUST_ be disabled. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. @@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91095-0 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227 @@ -47,6 +47,6 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - blankcd: + blankcd: - alert - - eject \ No newline at end of file + - eject diff --git a/docs/rules/os/os_blank_dvd_disable.yaml b/docs/rules/os/os_blank_dvd_disable.yaml index 0ab7272..581bbe5 100644 --- a/docs/rules/os/os_blank_dvd_disable.yaml +++ b/docs/rules/os/os_blank_dvd_disable.yaml @@ -2,7 +2,7 @@ id: os_blank_dvd_disable title: "Disable Blank DVD" discussion: | Blank DVD media _MUST_ be disabled. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. @@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91096-8 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227 @@ -47,6 +47,6 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - blankdvd: + blankdvd: - alert - - eject \ No newline at end of file + - eject 
diff --git a/docs/rules/os/os_bluray_read_only_enforce.yaml b/docs/rules/os/os_bluray_read_only_enforce.yaml index 913e22b..d4ac275 100644 --- a/docs/rules/os/os_bluray_read_only_enforce.yaml +++ b/docs/rules/os/os_bluray_read_only_enforce.yaml @@ -2,7 +2,7 @@ id: os_bluray_read_only_enforce title: "Enforce Blu Ray Read Only" discussion: | Blu Ray media _MUST_ be set to read only. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. @@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91097-6 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227 @@ -47,6 +47,6 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - bd: + bd: - read-only - + diff --git a/docs/rules/os/os_bonjour_disable.yaml b/docs/rules/os/os_bonjour_disable.yaml index 7ef39c6..ce3d372 100644 --- a/docs/rules/os/os_bonjour_disable.yaml +++ b/docs/rules/os/os_bonjour_disable.yaml @@ -14,12 +14,12 @@ fix: | references: cce: - CCE-90908-5 - cci: + cci: - CCI-000381 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: @@ -37,13 +37,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl2 - cisv8 diff --git a/docs/rules/os/os_burn_support_disable.yaml b/docs/rules/os/os_burn_support_disable.yaml index 529218e..4242460 100644 --- a/docs/rules/os/os_burn_support_disable.yaml +++ b/docs/rules/os/os_burn_support_disable.yaml 
@@ -1,6 +1,6 @@ id: os_burn_support_disable title: "Disable Burn Support" -discussion: +discussion: Burn support _MUST_ be disabled. [IMPORTANT]
@@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91098-4 - cci: + cci: - CCI-000366 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227
@@ -36,4 +36,4 @@ mobileconfig_info: com.apple.finder: ProhibitBurn: true com.apple.DiscRecording: - BurnSupport: "off" \ No newline at end of file + BurnSupport: "off"
diff --git a/docs/rules/os/os_calendar_app_disable.yaml b/docs/rules/os/os_calendar_app_disable.yaml
index 3015309..f711d9d 100644
--- a/docs/rules/os/os_calendar_app_disable.yaml
+++ b/docs/rules/os/os_calendar_app_disable.yaml
@@ -29,7 +29,7 @@ fix: | references: cce: - CCE-90909-3 - cci: + cci: - CCI-000381 800-53r5: - AC-20
@@ -55,13 +55,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 severity: "medium"
@@ -69,5 +69,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Calendar.app
diff --git a/docs/rules/os/os_camera_disable.yaml b/docs/rules/os/os_camera_disable.yaml
index b421c36..e00c7f6 100644
--- a/docs/rules/os/os_camera_disable.yaml
+++ b/docs/rules/os/os_camera_disable.yaml
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-90910-1 - cci: + cci: - CCI-000381 - CCI-001150 - CCI-001153
diff --git a/docs/rules/os/os_cd_read_only_enforce.yaml b/docs/rules/os/os_cd_read_only_enforce.yaml
index fd3cd51..0868e4a 100644
--- a/docs/rules/os/os_cd_read_only_enforce.yaml
+++ b/docs/rules/os/os_cd_read_only_enforce.yaml
@@ -2,7 +2,7 @@ id: os_cd_read_only_enforce title: "Enforce CD Read Only" discussion: | CD media _MUST_ be set to read only. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91099-2 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227
@@ -47,5 +47,5 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - cd: - - read-only \ No newline at end of file + cd: + - read-only
diff --git a/docs/rules/os/os_certificate_authority_trust.yaml b/docs/rules/os/os_certificate_authority_trust.yaml
index ce58123..8f51b66 100644
--- a/docs/rules/os/os_certificate_authority_trust.yaml
+++ b/docs/rules/os/os_certificate_authority_trust.yaml
@@ -4,32 +4,32 @@ discussion: | The organization _MUST_ issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain. check: | /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' -result: +result: string: "a list containing approved root certificates" fix: | Obtain the approved certificates from the appropriate authority and install them to the System Keychain. references: cce: - CCE-90911-9 - cci: + cci: - CCI-000185 - CCI-002450 800-53r5: - SC-17 - 800-53r4: + 800-53r4: - SC-17 disa_stig: - APPL-12-003001 macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - cnssi-1253 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - cnssi-1253 - manual - stig severity: "high" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_change_security_attributes.yaml b/docs/rules/os/os_change_security_attributes.yaml
index c40df78..a692a2e 100644
--- a/docs/rules/os/os_change_security_attributes.yaml
+++ b/docs/rules/os/os_change_security_attributes.yaml
@@ -1,9 +1,9 @@ id: os_change_security_attributes title: "Allow Administrators to Modify Security Settings and System Attributes" discussion: | - The information system _IS_ configured to allow administrators to modify security settings and system attributes. - - The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . + The information system _IS_ configured to allow administrators to modify security settings and system attributes. + + The macOS is a UNIX 03-compliant operating system, which allows administrators of the system to change security settings and system attributes, including those which are kept within preference panes that are locked for standard users. . link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: |
diff --git a/docs/rules/os/os_config_data_install_enforce.yaml b/docs/rules/os/os_config_data_install_enforce.yaml
index 19e7a73..bc6e1e1 100644
--- a/docs/rules/os/os_config_data_install_enforce.yaml
+++ b/docs/rules/os/os_config_data_install_enforce.yaml
@@ -4,7 +4,7 @@ discussion: | Software Update _MUST_ be configured to update XProtect, MRT, and Gatekeepr automatically. This setting enforces definition updates for XProtect, MRT, and Gatekeeper; with this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require the computer to be restarted. - + link:https://support.apple.com/en-us/HT207005[] NOTE: Software update will automatically update XProtect, MRT, and Gatekeeper by default in the macOS.
@@ -20,7 +20,7 @@ fix: | references: cce: - CCE-90913-5 - cci: + cci: - CCI-000366 800-53r5: - SI-3
diff --git a/docs/rules/os/os_continuous_monitoring.yaml b/docs/rules/os/os_continuous_monitoring.yaml
index 9335f70..51bd120 100644
--- a/docs/rules/os/os_continuous_monitoring.yaml
+++ b/docs/rules/os/os_continuous_monitoring.yaml
@@ -27,6 +27,6 @@ tags: - 800-53r5_high - 800-53r4_moderate - 800-53r4_high - - permanent + - permanent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_crypto_audit.yaml b/docs/rules/os/os_crypto_audit.yaml
index f4757db..85cdc46 100644
--- a/docs/rules/os/os_crypto_audit.yaml
+++ b/docs/rules/os/os_crypto_audit.yaml
@@ -1,13 +1,13 @@ id: os_crypto_audit title: "Protect Audit Integrity with Cryptographic Mechanisms" discussion: | - The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. - - The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. - + The information system _IS_ configured to implement cryptographic mechanisms to protect the integrity of audit information and audit tools. + + The Apple T2 Security Chip includes a dedicated Advanced Encryption Standard (AES) crypto engine built into the direct memory access (DMA) path between the flash storage and main system memory, which powers line-speed encrypted storage with FileVault and makes internal volume highly efficient. + link:https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf[] - - NOTE: This will only apply to a Mac that includes a T2 security chip. + + NOTE: This will only apply to a Mac that includes a T2 security chip. check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: |
diff --git a/docs/rules/os/os_directory_services_configured.yaml b/docs/rules/os/os_directory_services_configured.yaml
index 2cb596b..2e269c2 100644
--- a/docs/rules/os/os_directory_services_configured.yaml
+++ b/docs/rules/os/os_directory_services_configured.yaml
@@ -1,13 +1,13 @@ id: os_directory_services_configured title: "Integrate System into a Directory Services Infrastructure" discussion: | - The macOS system _MUST_ be integrated into a directory services infrastructure. + The macOS system _MUST_ be integrated into a directory services infrastructure. A directory service infrastructure enables centralized user and rights management, as well as centralized control over computer and user configurations. Integrating the macOS systems used throughout an organization into a directory services infrastructure ensures more administrator oversight and security than allowing distinct user account databases to exist on each separate system. check: | /usr/bin/dscl localhost -list . | /usr/bin/grep -qvE '(Contact|Search|Local|^$)'; /bin/echo $? result: - integer: 0 + integer: 0 fix: | Integrate the system into an existing directory services infrastructure. references:
@@ -35,4 +35,4 @@ tags: - stig severity: "high" mobileconfig: -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_disk_image_disable.yaml b/docs/rules/os/os_disk_image_disable.yaml
index 16ee617..6989efe 100644
--- a/docs/rules/os/os_disk_image_disable.yaml
+++ b/docs/rules/os/os_disk_image_disable.yaml
@@ -2,7 +2,7 @@ id: os_disk_image_disable title: "Disable Disk Images" discussion: | Disk images _MUST_ be disabled. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91100-8 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227
@@ -47,6 +47,6 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - disk-image: + disk-image: - alert - - eject \ No newline at end of file + - eject
diff --git a/docs/rules/os/os_dvdram_disable.yaml b/docs/rules/os/os_dvdram_disable.yaml
index c1eb08a..2fd2390 100644
--- a/docs/rules/os/os_dvdram_disable.yaml
+++ b/docs/rules/os/os_dvdram_disable.yaml
@@ -2,7 +2,7 @@ id: os_dvdram_disable title: "Disable Blank CD" discussion: | Blank CD media _MUST_ be disabled. - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -24,12 +24,12 @@ fix: | references: cce: - CCE-91101-6 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227
@@ -47,7 +47,7 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - dvdram: + dvdram: - alert - eject - +
diff --git a/docs/rules/os/os_efi_integrity_validated.yaml b/docs/rules/os/os_efi_integrity_validated.yaml
index 2f4b80f..4a04296 100644
--- a/docs/rules/os/os_efi_integrity_validated.yaml
+++ b/docs/rules/os/os_efi_integrity_validated.yaml
@@ -12,7 +12,7 @@ references: cce: - CCE-91102-4 cci: - - N/A + - N/A 800-53r5: - N/A 800-53r4:
@@ -32,4 +32,4 @@ tags: - cisv8 - i386 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_enforce_access_restrictions.yaml b/docs/rules/os/os_enforce_access_restrictions.yaml
index 66ae9e9..1fb9fe6 100644
--- a/docs/rules/os/os_enforce_access_restrictions.yaml
+++ b/docs/rules/os/os_enforce_access_restrictions.yaml
@@ -2,8 +2,8 @@ id: os_enforce_access_restrictions title: "Enforce Access Restrictions" discussion: | The information system _IS_ configured to enforce access restrictions and support auditing of the enforcement actions. - - The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. + + The inherent configuration of a macOS provides users with the ability to set their own permission settings to control who can view and alter files on the computer. link:https://support.apple.com/guide/mac-help/change-permissions-for-files-folders-or-disks-mchlp1203/mac[] check: |
diff --git a/docs/rules/os/os_erase_content_and_settings_disable.yaml b/docs/rules/os/os_erase_content_and_settings_disable.yaml
index bfffabd..3e0ce55 100644
--- a/docs/rules/os/os_erase_content_and_settings_disable.yaml
+++ b/docs/rules/os/os_erase_content_and_settings_disable.yaml
@@ -1,6 +1,6 @@ id: os_erase_content_and_settings_disable title: "Disable Erase Content and Settings" -discussion: +discussion: Erase Content and Settings _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91103-2 - cci: + cci: - CCI-000381 800-53r5: - CM-7
diff --git a/docs/rules/os/os_ess_installed.yaml b/docs/rules/os/os_ess_installed.yaml
index 5fe7045..304ed06 100644
--- a/docs/rules/os/os_ess_installed.yaml
+++ b/docs/rules/os/os_ess_installed.yaml
@@ -1,22 +1,22 @@ id: os_ess_installed title: "Must Use ESS" discussion: | - The approved ESS solution _MUST_ be installed and configured to run. + The approved ESS solution _MUST_ be installed and configured to run. The macOS system must employ automated mechanisms to determine the state of system components. The DoD requires the installation and use of an approved ESS solution to be implemented on the operating system. For additional information, reference all applicable ESS OPORDs and FRAGOs on SIPRNET. check: | - Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system. + Ask the System Administrator (SA) or Information System Security Officer (ISSO) if the approved ESS solution is loaded on the system. If the installed components of the ESS solution are not at the DoD approved minimal versions, this is a finding. fix: | Install the approved ESS solution onto the system. references: cce: - CCE-90930-9 - cci: + cci: - CCI-001233 - 800-53r5: + 800-53r5: - N/A - 800-53r4: + 800-53r4: - SI-2(2) srg: - SRG-OS-000191-GPOS-00080
@@ -30,4 +30,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_facetime_app_disable.yaml b/docs/rules/os/os_facetime_app_disable.yaml
index ecb6433..dc9ca5d 100644
--- a/docs/rules/os/os_facetime_app_disable.yaml
+++ b/docs/rules/os/os_facetime_app_disable.yaml
@@ -1,10 +1,10 @@ id: os_facetime_app_disable title: "Disable FaceTime.app" discussion: | - The macOS built-in FaceTime.app _MUST_ be disabled. + The macOS built-in FaceTime.app _MUST_ be disabled. - The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. -check: | + The FaceTime.app establishes a connection to Apple's iCloud service, even when security controls have been put in place to disable iCloud access. +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\
@@ -26,7 +26,7 @@ fix: | references: cce: - CCE-90919-2 - cci: + cci: - CCI-000381 - CCI-001774 800-53r5:
@@ -53,13 +53,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 severity: "low"
@@ -67,5 +67,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/FaceTime.app
diff --git a/docs/rules/os/os_fail_secure_state.yaml b/docs/rules/os/os_fail_secure_state.yaml
index 4342657..963ad84 100644
--- a/docs/rules/os/os_fail_secure_state.yaml
+++ b/docs/rules/os/os_fail_secure_state.yaml
@@ -1,11 +1,11 @@ id: os_fail_secure_state title: "Configure System to Fail to a Known Safe State if System Initialization, Shutdown, or Abort Fails" discussion: | - The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. + The information system _IS_ configured to fail to a known safe state in the event of a failed system initialization, shutdown, or abort. - Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. + Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. - Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. + Apple File System (APFS) is the default file system for Mac computers using macOS 10.13 and all later versions. APFS includes native encryption, safe document saves, stable snapshots, and crash protection; these features ensure that the macOS fails to safe state. link:https://developer.apple.com/videos/play/wwdc2017/715/[] check: |
diff --git a/docs/rules/os/os_filevault_authorized_users.yaml b/docs/rules/os/os_filevault_authorized_users.yaml
index c0ac40c..088291f 100644
--- a/docs/rules/os/os_filevault_authorized_users.yaml
+++ b/docs/rules/os/os_filevault_authorized_users.yaml
@@ -4,7 +4,7 @@ discussion: | macOS _MUST_ be configured to only allow authorized users to unlock FileVault upon startup. check: | /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}' -result: +result: string: "a list containing authorized users that can unlock FileVault" fix: | Remove the user that is not authorized to unlock FileVault using the fdesetup command.
@@ -29,9 +29,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_high + - 800-53r5_high - manual - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_filevault_autologin_disable.yaml b/docs/rules/os/os_filevault_autologin_disable.yaml
index f26f1cd..51d8430 100644
--- a/docs/rules/os/os_filevault_autologin_disable.yaml
+++ b/docs/rules/os/os_filevault_autologin_disable.yaml
@@ -2,11 +2,11 @@ id: os_filevault_autologin_disable title: "Disable FileVault Automatic Login" discussion: | If FileVault is enabled, automatic login _MUST_ be disabled, so that both FileVault and login window authentication are required. - - The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. + + The default behavior of macOS when FileVault is enabled is to automatically log in to the computer once successfully passing your FileVault credentials. NOTE: DisableFDEAutoLogin does not have to be set on Apple Silicon based macOS systems that are smartcard enforced as smartcards are available at pre-boot. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('DisableFDEAutoLogin').js
@@ -42,13 +42,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig
diff --git a/docs/rules/os/os_firewall_default_deny_require.yaml b/docs/rules/os/os_firewall_default_deny_require.yaml
index 1aa88a8..0661f09 100644
--- a/docs/rules/os/os_firewall_default_deny_require.yaml
+++ b/docs/rules/os/os_firewall_default_deny_require.yaml
@@ -1,13 +1,13 @@ id: os_firewall_default_deny_require title: "Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy" discussion: | - A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. + A deny-all and allow-by-exception firewall policy _MUST_ be employed for managing connections to other systems. Organizations _MUST_ ensure the built-in packet filter firewall is configured correctly to employ the default deny rule. Failure to restrict network connectivity to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate the exfiltration of data. - If you are using a third-party firewall solution, this setting does not apply. + If you are using a third-party firewall solution, this setting does not apply. [IMPORTANT] ====
@@ -48,4 +48,4 @@ tags: - 800-171 - cnssi-1253 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_firewall_log_enable.yaml b/docs/rules/os/os_firewall_log_enable.yaml
index 7357cfd..d262ff2 100644
--- a/docs/rules/os/os_firewall_log_enable.yaml
+++ b/docs/rules/os/os_firewall_log_enable.yaml
@@ -1,11 +1,11 @@ id: os_firewall_log_enable title: "Enable Firewall Logging" discussion: | - Firewall logging _MUST_ be enabled. + Firewall logging _MUST_ be enabled. - Firewall logging ensures that malicious network activity will be logged to the system. + Firewall logging ensures that malicious network activity will be logged to the system. - NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. + NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem `com.apple.alf` and the data is marked as private. In order to enable private data, review the `com.apple.alf.private_data.mobileconfig` file in the project's `includes` folder. check: | /usr/bin/osascript -l JavaScript << EOS function run() {
@@ -27,12 +27,12 @@ fix: | references: cce: - CCE-90924-2 - cci: + cci: - N/A 800-53r5: - AU-12 - SC-7 - 800-53r4: + 800-53r4: - SC-7 - AU-12 srg:
@@ -70,4 +70,4 @@ mobileconfig: true mobileconfig_info: com.apple.security.firewall: EnableLogging: true - LoggingOption: detail \ No newline at end of file + LoggingOption: detail
diff --git a/docs/rules/os/os_firmware_password_require.yaml b/docs/rules/os/os_firmware_password_require.yaml
index be1a79f..cccccc1 100644
--- a/docs/rules/os/os_firmware_password_require.yaml
+++ b/docs/rules/os/os_firmware_password_require.yaml
@@ -1,24 +1,24 @@ id: os_firmware_password_require title: "Enable Firmware Password" discussion: | - A firmware password _MUST_ be enabled and set. + A firmware password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware passcode use the following command: - + [source,bash] ---- /usr/sbin/firmwarepasswd -setpasswd ---- - + NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated. NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices. check: | /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" -result: +result: integer: 1 fix: | NOTE: See discussion on remediation and how to enable firmware password.
@@ -40,14 +40,14 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - i386 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_gatekeeper_enable.yaml b/docs/rules/os/os_gatekeeper_enable.yaml
index 2374fb1..cd6231c 100644
--- a/docs/rules/os/os_gatekeeper_enable.yaml
+++ b/docs/rules/os/os_gatekeeper_enable.yaml
@@ -1,12 +1,12 @@ id: os_gatekeeper_enable title: "Enable Gatekeeper" discussion: | - Gatekeeper _MUST_ be enabled. + Gatekeeper _MUST_ be enabled. Gatekeeper is a security feature that ensures that applications are digitally signed by an Apple-issued certificate before they are permitted to run. Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party. Administrator users will still have the option to override these settings on a case-by-case basis. -check: | +check: | /usr/sbin/spctl --status | /usr/bin/grep -c "assessments enabled" result: integer: 1
@@ -18,7 +18,7 @@ fix: | references: cce: - CCE-90926-7 - cci: + cci: - CCI-001749 800-53r5: - CM-14
@@ -26,7 +26,7 @@ references: - SI-7(1) - SI-7(15) - SI-3 - 800-53r4: + 800-53r4: - CM-5(3) - CM-5 - SI-3
@@ -47,12 +47,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2
diff --git a/docs/rules/os/os_gatekeeper_rearm.yaml b/docs/rules/os/os_gatekeeper_rearm.yaml
index 089d546..8f7d1c7 100644
--- a/docs/rules/os/os_gatekeeper_rearm.yaml
+++ b/docs/rules/os/os_gatekeeper_rearm.yaml
@@ -14,11 +14,11 @@ fix: | references: cce: - CCE-90927-5 - cci: + cci: - N/A 800-53r5: - CM-5 - 800-53r4: + 800-53r4: - CM-5 - SI-3 srg:
@@ -47,4 +47,4 @@ mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: com.apple.security: - GKAutoRearm: true \ No newline at end of file + GKAutoRearm: true
diff --git a/docs/rules/os/os_grant_privs.yaml b/docs/rules/os/os_grant_privs.yaml
index 2bc5b28..d9c6934 100644
--- a/docs/rules/os/os_grant_privs.yaml
+++ b/docs/rules/os/os_grant_privs.yaml
@@ -1,8 +1,8 @@ id: os_grant_privs title: "Allow Administrators to Promote Other Users to Administrator Status" discussion: | - The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. - + The information system _IS_ configured to allow current administrators to promote standard users to administrator user status. + The macOS is a UNIX 03-compliant operating system which allows administrators of the system to grant privileges to other users. link:https://support.apple.com/guide/mac-help/set-up-other-users-on-your-mac-mtusr001/mac[]
diff --git a/docs/rules/os/os_guest_folder_removed.yaml b/docs/rules/os/os_guest_folder_removed.yaml
index 4084a90..aefa65a 100644
--- a/docs/rules/os/os_guest_folder_removed.yaml
+++ b/docs/rules/os/os_guest_folder_removed.yaml
@@ -1,6 +1,6 @@ id: os_guest_folder_removed title: "Remove Guest Folder if Present" -discussion: | +discussion: | The guest folder _MUST_ be deleted if present. check: | /bin/ls /Users/ | /usr/bin/grep -c "Guest"
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91104-0 - cci: + cci: - N/A 800-53r5: - N/A
@@ -29,7 +29,7 @@ references: cis: benchmark: - 6.1.5 (level 1) - controls v8: + controls v8: - N/A macOS: - "12.0"
@@ -37,4 +37,4 @@ tags: - cis_lvl1 - cis_lvl2 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_handoff_disable.yaml b/docs/rules/os/os_handoff_disable.yaml
index f17cd57..ff54bcd 100644
--- a/docs/rules/os/os_handoff_disable.yaml
+++ b/docs/rules/os/os_handoff_disable.yaml
@@ -1,7 +1,7 @@ id: os_handoff_disable title: "Disable Handoff" discussion: | - Handoff _MUST_ be disabled. + Handoff _MUST_ be disabled. Handoff allows you to continue working on a document or project when the user switches from one Apple device to another. Disabling Handoff prevents data transfers to unauthorized devices. check: |
@@ -16,7 +16,7 @@ fix: | references: cce: - CCE-90929-1 - cci: + cci: - CCI-000381 800-53r5: - AC-3
@@ -31,7 +31,7 @@ references: disa_stig: - APPL-12-005058 srg: - - SRG-OS-000095-GPOS-00049 + - SRG-OS-000095-GPOS-00049 800-171r2: - 3.1.1 - 3.1.2
diff --git a/docs/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml b/docs/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
index c942a9c..7d9f920 100644
--- a/docs/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
+++ b/docs/rules/os/os_hibernate_mode_destroyfvkeyonstandby_enable.yaml
@@ -1,7 +1,7 @@ id: os_hibernate_mode_destroyfvkeyonstandby_enable title: "Enable DestroyFVKeyOnStandby on Hibernate" discussion: | - DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. + DestroyFVKeyOnStandby on hibernate _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
@@ -29,7 +29,7 @@ references: cis: benchmark: - 5.9 (level 2) - controls v8: + controls v8: - N/A macOS: - "12.0"
diff --git a/docs/rules/os/os_hibernate_mode_enable.yaml b/docs/rules/os/os_hibernate_mode_enable.yaml
index 271976f..3aa59d9 100644
--- a/docs/rules/os/os_hibernate_mode_enable.yaml
+++ b/docs/rules/os/os_hibernate_mode_enable.yaml
@@ -1,7 +1,7 @@ id: os_hibernate_mode_enable title: "Enable Hibernate Mode" discussion: | - Hibernate mode _MUST_ be enabled. + Hibernate mode _MUST_ be enabled. NOTE: Hibernate mode is not fully supported on Apple Silicon devices. This rule is only applicable to Intel devices. check: |
diff --git a/docs/rules/os/os_home_folders_secure.yaml b/docs/rules/os/os_home_folders_secure.yaml
index 0ecbf8d..f939c7d 100644
--- a/docs/rules/os/os_home_folders_secure.yaml
+++ b/docs/rules/os/os_home_folders_secure.yaml
@@ -2,8 +2,8 @@ id: os_home_folders_secure title: "Secure User's Home Folders" discussion: | The system _MUST_ be configured to prevent access to other user's home folders. - - The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. + + The default behavior of macOS is to allow all valid users access to the the top level of every other user's home folder while restricting access only to the Apple default folders within. check: | /usr/bin/find /System/Volumes/Data/Users -mindepth 1 -maxdepth 1 -type d -perm -1 | /usr/bin/grep -v "Shared" | /usr/bin/grep -v "Guest" | /usr/bin/wc -l | /usr/bin/xargs result: @@ -41,15 +41,15 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_httpd_disable.yaml b/docs/rules/os/os_httpd_disable.yaml index ebbf380..913d25f 100644 --- a/docs/rules/os/os_httpd_disable.yaml +++ b/docs/rules/os/os_httpd_disable.yaml @@ -16,12 +16,12 @@ fix: | references: cce: - CCE-90932-5 - cci: + cci: - CCI-000381 800-53r5: - AC-3 - - AC-17 - 800-53r4: + - AC-17 + 800-53r4: - AC-3 srg: - SRG-OS-000095-GPOS-00049 @@ -39,13 +39,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -53,4 +53,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: 
diff --git a/docs/rules/os/os_icloud_storage_prompt_disable.yaml b/docs/rules/os/os_icloud_storage_prompt_disable.yaml index 449673f..20d8e11 100644 --- a/docs/rules/os/os_icloud_storage_prompt_disable.yaml +++ b/docs/rules/os/os_icloud_storage_prompt_disable.yaml @@ -1,9 +1,9 @@ id: os_icloud_storage_prompt_disable -title: "Disable iCloud Storage Setup during Setup Assistant" +title: "Disable iCloud Storage Setup during Setup Assistant" discussion: | The prompt to set up iCloud storage services during Setup Assistant _MUST_ be disabled. - - The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. + + The default behavior of macOS is to prompt new users to set up storage in iCloud. Disabling the iCloud storage setup prompt provides organizations more control over the storage of their data. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ @@ -20,7 +20,7 @@ references: - CCI-000381 800-53r5: - AC-20 - 800-53r4: + 800-53r4: - AC-20 srg: - SRG-OS-000095-GPOS-00049 @@ -37,13 +37,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/os/os_implement_cryptography.yaml b/docs/rules/os/os_implement_cryptography.yaml index 20045e2..90ea8e9 100644 --- a/docs/rules/os/os_implement_cryptography.yaml +++ b/docs/rules/os/os_implement_cryptography.yaml 
@@ -1,14 +1,14 @@ id: os_implement_cryptography title: "Configure the System to Implement Approved Cryptography to Protect Information" discussion: | - The information system _IS_ configured to implement approved cryptography to protect information. + The information system _IS_ configured to implement approved cryptography to protect information. - Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules that adhere to the higher standards that have been tested, validated, and approved by the federal government. macOS Big Sur has been submitted to the National Institute of Standards and Technology (NIST) and is in review for the cryptographic module for FIPS 140-3 validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement using FIPS Validated Cryptographic Modules. diff --git a/docs/rules/os/os_implement_memory_protection.yaml b/docs/rules/os/os_implement_memory_protection.yaml index d36fbb1..254fed4 100644 --- a/docs/rules/os/os_implement_memory_protection.yaml +++ b/docs/rules/os/os_implement_memory_protection.yaml 
@@ -3,16 +3,16 @@ title: "Configure the System to Protect Memory from Unauthorized Code Execution" discussion: | The information system _IS_ configured to implement non-executable data to protect memory from code execution. - Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. + Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited (e.g., buffer overflow attacks). Security safeguards (e.g., data execution prevention and address space layout randomization) can be employed to protect non-executable regions of memory. Data execution prevention safeguards can either be hardware-enforced or software-enforced; hardware-enforced methods provide the greater strength of mechanism. macOS supports address space layout randomization (ASLR), position-independent executable (PIE), Stack Canaries, and NX stack and heap protection. link:https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/64bitPorting/transition/transition.html[] - + link:https://developer.apple.com/library/archive/qa/qa1788/_index.html[] link:https://www.apple.com/macos/security/[] - + check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. fix: | diff --git a/docs/rules/os/os_information_validation.yaml b/docs/rules/os/os_information_validation.yaml index 7aa5699..c2b8e81 100644 --- a/docs/rules/os/os_information_validation.yaml 
+++ b/docs/rules/os/os_information_validation.yaml @@ -2,7 +2,7 @@ id: os_information_validation title: "Information Input Validation" discussion: | Check the validity of the following information inputs: organization-defined information inputs to the systems. - + Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of "387," "abc," or "%K%" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks. check: | This requirement is NA for this technology. diff --git a/docs/rules/os/os_install_log_retention_configure.yaml b/docs/rules/os/os_install_log_retention_configure.yaml index e2be53a..d159543 100644 
--- a/docs/rules/os/os_install_log_retention_configure.yaml +++ b/docs/rules/os/os_install_log_retention_configure.yaml @@ -1,7 +1,7 @@ id: os_install_log_retention_configure title: "Configure Install.log Retention to 365 Days or More" discussion: | - The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. + The install.log _MUST_ be configured to require records be kept for 365 days or longer before deletion, unless the system uses a central audit record storage facility. check: | /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' result: @@ -10,7 +10,7 @@ fix: | [source,bash] ---- /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install - ---- + ---- NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed. references: @@ -43,4 +43,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_ir_support_disable.yaml b/docs/rules/os/os_ir_support_disable.yaml index 7a8f05f..36eb934 100644 --- a/docs/rules/os/os_ir_support_disable.yaml +++ b/docs/rules/os/os_ir_support_disable.yaml 
@@ -1,10 +1,10 @@ id: os_ir_support_disable title: "Disable Infrared (IR) support" discussion: | - Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. - - By default, if IR is enabled, the system will accept IR control from any remote device. - + Infrared (IR) support _MUST_ be disabled to prevent users from controlling the system with IR devices. + + By default, if IR is enabled, the system will accept IR control from any remote device. + NOTE: This is applicable only to models of Mac Mini systems earlier than Mac Mini8,1. check: | /usr/bin/osascript -l JavaScript << EOS @@ -18,13 +18,13 @@ fix: | references: cce: - CCE-90939-0 - cci: + cci: - CCI-000366 800-53r5: - AC-18 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-18 @@ -58,4 +58,4 @@ mobileconfig: true mobileconfig_info: com.apple.ManagedClient.preferences: com.apple.driver.AppleIRController: - DeviceEnabled: false \ No newline at end of file + DeviceEnabled: false diff --git a/docs/rules/os/os_isolate_security_functions.yaml b/docs/rules/os/os_isolate_security_functions.yaml index 169560c..1a24ddf 100644 --- a/docs/rules/os/os_isolate_security_functions.yaml +++ b/docs/rules/os/os_isolate_security_functions.yaml @@ -1,8 +1,8 @@ id: os_isolate_security_functions title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to isolate security functions from non-security functions. - + The information system _IS_ configured to isolate security functions from non-security functions. + link:https://support.apple.com/guide/security/welcome/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/docs/rules/os/os_library_validation_enabled.yaml b/docs/rules/os/os_library_validation_enabled.yaml index a1802e0..e663d71 100644 
--- a/docs/rules/os/os_library_validation_enabled.yaml +++ b/docs/rules/os/os_library_validation_enabled.yaml @@ -1,6 +1,6 @@ id: os_library_validation_enabled title: "Enable Library Validation" -discussion: +discussion: Library validation _MUST_ be enabled. check: | /usr/bin/osascript -l JavaScript << EOS @@ -17,7 +17,7 @@ fix: | references: cce: - CCE-91108-1 - cci: + cci: - N/A 800-53r5: - N/A @@ -44,4 +44,4 @@ tags: mobileconfig: true mobileconfig_info: com.apple.security.libraryvalidation: - DisableLibraryValidation: false \ No newline at end of file + DisableLibraryValidation: false diff --git a/docs/rules/os/os_limit_dos_attacks.yaml b/docs/rules/os/os_limit_dos_attacks.yaml index 0b6244e..f8cd4fa 100644 --- a/docs/rules/os/os_limit_dos_attacks.yaml +++ b/docs/rules/os/os_limit_dos_attacks.yaml 
@@ -1,9 +1,9 @@ id: os_limit_dos_attacks title: "Limit Impact of Denial of Service Attacks" discussion: | - The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. + The macOS should be configured to limit the impact of Denial of Service (DoS) attacks. - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To limit the impact of DoS attacks, organizations may choose to employ increased capacity and service redundancy, which has the potential to reduce systems' susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | diff --git a/docs/rules/os/os_limit_gui_sessions.yaml b/docs/rules/os/os_limit_gui_sessions.yaml index 85c9887..8f7939a 100644 --- a/docs/rules/os/os_limit_gui_sessions.yaml +++ b/docs/rules/os/os_limit_gui_sessions.yaml 
@@ -1,7 +1,7 @@ id: os_limit_gui_sessions title: "Limit Concurrent GUI Sessions to 10 for all Accounts" discussion: | - The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. + The information system _IS_ configured to limit the number of concurrent graphical user interface (GUI) sessions to a maximum of ten for all users. Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user helps reduce the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. check: | diff --git a/docs/rules/os/os_logical_access.yaml b/docs/rules/os/os_logical_access.yaml index 132edb3..843d115 100644 --- a/docs/rules/os/os_logical_access.yaml +++ b/docs/rules/os/os_logical_access.yaml 
@@ -1,9 +1,9 @@ id: os_logical_access title: "Enforce Approved Authorization for Logical Access" discussion: | - The information system _IS_ configured to enforce an approved authorization process before granting users logical access. + The information system _IS_ configured to enforce an approved authorization process before granting users logical access. - The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. + The inherent configuration of the macOS does not grant users logical access without authorization. Authorization is achieved on the macOS through permissions, which are controlled at many levels, from the Mach and BSD components of the kernel, through higher levels of the operating system and, for networked applications, through the networking protocols. Permissions can be granted at the level of directories, subdirectories, files or applications, or specific data within files or functions within applications. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | diff --git a/docs/rules/os/os_mail_app_disable.yaml b/docs/rules/os/os_mail_app_disable.yaml index 120022d..5ae3380 100644 --- a/docs/rules/os/os_mail_app_disable.yaml +++ b/docs/rules/os/os_mail_app_disable.yaml 
@@ -1,15 +1,15 @@ id: os_mail_app_disable title: "Disable Mail App" discussion: | - The macOS built-in Mail.app _MUST_ be disabled. + The macOS built-in Mail.app _MUST_ be disabled. The Mail.app contains functionality that can establish connections to Apple's iCloud, even when security controls to disable iCloud access have been put in place. - + [IMPORTANT] ==== Some organizations allow the use of the built-in Mail.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the macOS built-in Mail.app to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== -check: | +check: | /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ @@ -31,7 +31,7 @@ fix: | references: cce: - CCE-90946-5 - cci: + cci: - CCI-000381 800-53r5: - AC-20 @@ -57,13 +57,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 severity: "medium" @@ -71,5 +71,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Mail.app diff --git a/docs/rules/os/os_malicious_code_prevention.yaml b/docs/rules/os/os_malicious_code_prevention.yaml index b573087..991d23f 100644 --- a/docs/rules/os/os_malicious_code_prevention.yaml +++ b/docs/rules/os/os_malicious_code_prevention.yaml 
@@ -2,31 +2,31 @@ id: os_malicious_code_prevention title: "Ensure the System Implements Malicious Code Protection Mechanisms" discussion: | The inherent configuration of the macOS _IS_ in compliance as Apple has designed the system with three layers of protection against malware. Each layer of protection is comprised of one or more malicious code protection mechanisms, which are automatically implemented and which, collectively, meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for malicious code prevention. - - 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. - The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: - * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. - * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. XProtect automatically detects and blocks the execution of known malware. + + 1. This first layer of defense targets the distribution of malware; the aim is to prevent malware from ever launching. + The following mechanisms are inherent to the macOS design and constitute the first layer of protection against malicious code: + * The Apple App Store: the safest way to add new applications to a Mac is by downloading them from the App Store; all apps available for download from the App Store have been reviewed for signs of tampering and signed by Apple to indicate that the app meets security requirements and does not contain malware. + * XProtect: a built-in, signature-based, anti-virus, anti-malware technology inherent to all Macs. 
XProtect automatically detects and blocks the execution of known malware. * In macOS 10.15 and all subsequent releases, XProtect checks for known malicious content when: * an app is first launched, * an app has been changed (in the file system), and * XProtect signatures are updated. * YARA: another built-in tool (inherent to all Macs), which conducts signature-based detection of malware. Apple updates YARA rules regularly. * Gatekeeper: a security feature inherent to all Macs; Gatekeeper scans apps to detect malware and/or revocations of a developer's signing certificate and prevents unsafe apps from running. - * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. + * Notarization: Apple performs regular, automated scans to detect signs of malicious content and to verify developer ID-signed software; when no issues are found, Apple notarizes the software and delivers the results of scans to the system owner. - 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. - The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: + 2. The second layer of defense targets malware that manages to appear on a Mac before it runs; the aim is to quickly identify and block any malware present on a Mac in order to prevent the malware from running and further spreading. + The following mechanisms are inherent to the macOS design and constitute the second layer of protection against malicious code: * XProtect (defined above). * Gatekeeper (defined above). * Notarization (defined above). - 3. 
The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. - The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: + 3. The third layer of defense targets infected Mac system(s); the aim is to remediate Macs on which malware has managed to successfully execute. + The following mechanism is inherent to the macOS design and constitutes the third layer of protection against malicious code: * Apple's Malware Removal Tool (MRT): a technology included on all macOS systems. MRT is an agent that remediates based on automatic updates delivered from Apple. MRT will remove the malware upon receiving updated information and check for malware on restart and login. link:https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1[] - + link:https://support.apple.com/guide/security/app-security-overview-sec35dd877d0/web[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. diff --git a/docs/rules/os/os_mdm_require.yaml b/docs/rules/os/os_mdm_require.yaml index aea55bb..f2f568c 100644 --- a/docs/rules/os/os_mdm_require.yaml +++ b/docs/rules/os/os_mdm_require.yaml @@ -2,9 +2,9 @@ id: os_mdm_require title: "Enforce Enrollment in Mobile Device Management" discussion: | You _MUST_ enroll your Mac in a Mobile Device Management (MDM) software. - + User Approved MDM (UAMDM) enrollment or enrollment via Apple Business Manager (ABM)/Apple School Manager (ASM) is required to manage certain security settings. Currently these include: - + * Allowed Kernel Extensions * Allowed Approved System Extensions * Privacy Preferences Policy Control Payload 
@@ -12,7 +12,7 @@ discussion: | * FDEFileVault In macOS 11, UAMDM grants Supervised status on a Mac, unlocking the following MDM features, which were previously locked behind ABM: - + * Activation Lock Bypass * Access to Bootstrap Tokens * Scheduling Software Updates @@ -38,7 +38,7 @@ references: srg: - N/A cci: - - N/A + - N/A 800-171r2: - 3.4.1 - 3.4.2 @@ -61,4 +61,4 @@ tags: - cnssi-1253 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_messages_app_disable.yaml b/docs/rules/os/os_messages_app_disable.yaml index 53d4476..45d8f75 100644 --- a/docs/rules/os/os_messages_app_disable.yaml +++ b/docs/rules/os/os_messages_app_disable.yaml @@ -1,9 +1,9 @@ id: os_messages_app_disable title: "Disable Messages App" discussion: | - The macOS built-in Messages.app _MUST_ be disabled. + The macOS built-in Messages.app _MUST_ be disabled. - The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. + The Messages.app establishes a connection to Apple's iCloud service, even when security controls to disable iCloud access have been put in place. check: | /usr/bin/osascript -l JavaScript << EOS function run() { @@ -26,7 +26,7 @@ fix: | references: cce: - CCE-90951-5 - cci: + cci: - CCI-000381 - CCI-001774 800-53r5: @@ -53,13 +53,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 severity: "low" @@ -67,5 +67,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - /Applications/Messages.app 
diff --git a/docs/rules/os/os_mobile_file_integrity_enable.yaml b/docs/rules/os/os_mobile_file_integrity_enable.yaml index cbb8ab7..4548ce4 100644 --- a/docs/rules/os/os_mobile_file_integrity_enable.yaml +++ b/docs/rules/os/os_mobile_file_integrity_enable.yaml @@ -1,6 +1,6 @@ id: os_mobile_file_integrity_enable title: "Enable Apple Mobile File Integrity" -discussion: +discussion: Mobile file integrity _MUST_ be ebabled. check: | /usr/sbin/nvram -p | /usr/bin/grep -c "amfi_get_out_of_my_way=1" @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91109-9 - cci: + cci: - N/A 800-53r5: - N/A @@ -39,4 +39,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_newsyslog_files_owner_group_configure.yaml b/docs/rules/os/os_newsyslog_files_owner_group_configure.yaml index f878723..3dd268f 100644 --- a/docs/rules/os/os_newsyslog_files_owner_group_configure.yaml +++ b/docs/rules/os/os_newsyslog_files_owner_group_configure.yaml @@ -2,7 +2,7 @@ id: os_newsyslog_files_owner_group_configure title: "Configure System Log Files Owned by Root and Group to Wheel" discussion: | The system log files _MUST_ be owned by root. - + System logs contain sensitive data about the system and users. If log files are set to only be readable and writable by system administrators, the risk is mitigated. check: | /usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk '!/^root:wheel:/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' ' @@ -12,7 +12,7 @@ fix: | [source,bash] ---- /usr/sbin/chown root:wheel $(/usr/bin/stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }') 2> /dev/null | /usr/bin/awk -F":" '!/^root:wheel:/{print $3}') - ---- + ---- references: cce: - CCE-90954-9 
@@ -31,9 +31,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_newsyslog_files_permissions_configure.yaml b/docs/rules/os/os_newsyslog_files_permissions_configure.yaml index 9993eb9..8647a22 100644 --- a/docs/rules/os/os_newsyslog_files_permissions_configure.yaml +++ b/docs/rules/os/os_newsyslog_files_permissions_configure.yaml @@ -30,9 +30,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_nfsd_disable.yaml b/docs/rules/os/os_nfsd_disable.yaml index 79c84ff..bcffbc8 100644 --- a/docs/rules/os/os_nfsd_disable.yaml +++ b/docs/rules/os/os_nfsd_disable.yaml @@ -15,7 +15,7 @@ fix: | references: cce: - CCE-90956-4 - cci: + cci: - CCI-000381 800-53r5: - AC-3 @@ -38,13 +38,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -52,4 +52,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_nonlocal_maintenance.yaml b/docs/rules/os/os_nonlocal_maintenance.yaml index 54231a6..c78f7cb 100644 --- a/docs/rules/os/os_nonlocal_maintenance.yaml +++ b/docs/rules/os/os_nonlocal_maintenance.yaml 
@@ -1,7 +1,7 @@ id: os_nonlocal_maintenance title: "Configure the System for Nonlocal Maintenance" discussion: | - Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. + Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network or an internal network. check: | This requirement is NA for this technology. fix: | diff --git a/docs/rules/os/os_notify_account_created.yaml b/docs/rules/os/os_notify_account_created.yaml index 7d62f3b..5161304 100644 --- a/docs/rules/os/os_notify_account_created.yaml +++ b/docs/rules/os/os_notify_account_created.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Created Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when new accounts are created. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by creating a new account. Configuring the information system to send a notification when new accounts are created is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are created, but also maintain an audit record of accounts made. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of accounts created, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | 
diff --git a/docs/rules/os/os_notify_account_disabled.yaml b/docs/rules/os/os_notify_account_disabled.yaml index 3b21d87..cee0280 100644 --- a/docs/rules/os/os_notify_account_disabled.yaml +++ b/docs/rules/os/os_notify_account_disabled.yaml @@ -5,7 +5,7 @@ discussion: | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account disabling actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of disabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/docs/rules/os/os_notify_account_enable.yaml b/docs/rules/os/os_notify_account_enable.yaml index 9724512..c4c706b 100644 --- a/docs/rules/os/os_notify_account_enable.yaml +++ b/docs/rules/os/os_notify_account_enable.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Enabled Actions " discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. 
This is an applicable-does not meet finding. fix: | diff --git a/docs/rules/os/os_notify_account_modified.yaml b/docs/rules/os/os_notify_account_modified.yaml index a5f8e9c..c2a630b 100644 --- a/docs/rules/os/os_notify_account_modified.yaml +++ b/docs/rules/os/os_notify_account_modified.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Account Modified Actions" discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified. - Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. + Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when new accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. - To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of modified account, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | 
diff --git a/docs/rules/os/os_notify_account_removal.yaml b/docs/rules/os/os_notify_account_removal.yaml index 41a14a4..219eae4 100644 --- a/docs/rules/os/os_notify_account_removal.yaml +++ b/docs/rules/os/os_notify_account_removal.yaml @@ -4,8 +4,8 @@ discussion: | The macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are removed. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. To detect and respond to events that affect user accessibility and system processing, operating systems should audit account removal actions and, as required, notify system administrators and ISSOs so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. - - To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + + To enable notifications and audit logging of removed accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/docs/rules/os/os_notify_unauthorized_baseline_change.yaml b/docs/rules/os/os_notify_unauthorized_baseline_change.yaml index 71fb3cb..6ffb955 100644 --- a/docs/rules/os/os_notify_unauthorized_baseline_change.yaml +++ b/docs/rules/os/os_notify_unauthorized_baseline_change.yaml 
@@ -3,9 +3,9 @@ title: "Configure the System to Notify upon Baseline Configuration Changes" discussion: | The macOS should be configured to automatically notify system administrators, Information System Security Officers (ISSOs), and (IMOs) when baseline configurations are modified. - Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may present security threats. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the state of the operating system. - To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. + To enable notifications and audit logging of changes made to baseline configurations, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: | diff --git a/docs/rules/os/os_parental_controls_enable.yaml b/docs/rules/os/os_parental_controls_enable.yaml index 889993c..2af543d 100644 --- a/docs/rules/os/os_parental_controls_enable.yaml +++ b/docs/rules/os/os_parental_controls_enable.yaml 
@@ -1,8 +1,8 @@ id: os_parental_controls_enable title: "Enable Parental Controls" discussion: | - Parental Controls _MUST_ be enabled. - + Parental Controls _MUST_ be enabled. + Control of program execution is a mechanism used to prevent program execution of unauthorized programs, which is critical to maintaining a secure system baseline. Parental Controls on the macOS consist of many different payloads, which are set individually depending on the type of control required. Enabling parental controls allows for further configuration of these restrictions. @@ -18,12 +18,12 @@ fix: | references: cce: - CCE-90966-3 - cci: + cci: - CCI-001812 - CCI-001764 800-53r5: - CM-7(2) - 800-53r4: + 800-53r4: - CM-7(2) srg: - N/A diff --git a/docs/rules/os/os_password_autofill_disable.yaml b/docs/rules/os/os_password_autofill_disable.yaml index 919ca9b..2ff06c2 100644 --- a/docs/rules/os/os_password_autofill_disable.yaml +++ b/docs/rules/os/os_password_autofill_disable.yaml @@ -1,7 +1,7 @@ id: os_password_autofill_disable title: "Disable Password Autofill" discussion: | - Password Autofill _MUST_ be disabled. + Password Autofill _MUST_ be disabled. macOS allows users to save passwords and use the Password Autofill feature in Safari and compatible apps. To protect against malicious users gaining access to the system, this feature _MUST_ be disabled to prevent users from being prompted to save passwords in applications. check: | diff --git a/docs/rules/os/os_password_hint_remove.yaml b/docs/rules/os/os_password_hint_remove.yaml index cb7a122..89de3aa 100644 --- a/docs/rules/os/os_password_hint_remove.yaml +++ b/docs/rules/os/os_password_hint_remove.yaml @@ -9,7 +9,7 @@ result: fix: | [source,bash] ---- - for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do /usr/bin/dscl . -delete /Users/$u hint done ---- 
@@ -17,7 +17,7 @@ references:
 cce:
 - CCE-91110-7
 cci:
- - N/A
+ - N/A
 800-53r5:
 - IA-6
 800-53r4:
@@ -36,4 +36,4 @@ tags:
 - cis_lvl2
 - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_password_proximity_disable.yaml b/docs/rules/os/os_password_proximity_disable.yaml
index 52b1d5e..7023838 100644
--- a/docs/rules/os/os_password_proximity_disable.yaml
+++ b/docs/rules/os/os_password_proximity_disable.yaml
@@ -1,8 +1,8 @@
 id: os_password_proximity_disable
 title: "Disable Proximity Based Password Sharing Requests"
 discussion: |
- Proximity based password sharing requests _MUST_ be disabled.
-
+ Proximity based password sharing requests _MUST_ be disabled.
+
 The default behavior of macOS is to allow users to request passwords from other known devices (macOS and iOS). This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
diff --git a/docs/rules/os/os_password_sharing_disable.yaml b/docs/rules/os/os_password_sharing_disable.yaml
index 6111a69..9f40385 100644
--- a/docs/rules/os/os_password_sharing_disable.yaml
+++ b/docs/rules/os/os_password_sharing_disable.yaml
@@ -1,8 +1,8 @@
 id: os_password_sharing_disable
 title: "Disable Password Sharing"
 discussion: |
- Password Sharing _MUST_ be disabled.
-
+ Password Sharing _MUST_ be disabled.
+
 The default behavior of macOS is to allow users to share a password over Airdrop between other macOS and iOS devices. This feature _MUST_ be disabled to prevent passwords from being shared.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
diff --git a/docs/rules/os/os_peripherals_identify.yaml b/docs/rules/os/os_peripherals_identify.yaml
index 9b727a2..38cc581 100644
--- a/docs/rules/os/os_peripherals_identify.yaml
+++ b/docs/rules/os/os_peripherals_identify.yaml
@@ -2,7 +2,7 @@ id: os_peripherals_identify
 title: The macOS system must uniquely identify peripherals before establishing a connection.
 discussion: |
 Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
-
+
 Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.
 check: |
 The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
@@ -22,7 +22,7 @@ references:
 disa_stig:
 - N/A
 800-171r2:
- - N/A
+ - N/A
 macOS:
 - "12.0"
 tags:
diff --git a/docs/rules/os/os_policy_banner_loginwindow_enforce.yaml b/docs/rules/os/os_policy_banner_loginwindow_enforce.yaml
index 46d0f3c..cb51fba 100644
--- a/docs/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/docs/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -2,32 +2,32 @@ id: os_policy_banner_loginwindow_enforce title: "Display Policy Banner at Login Window" discussion: | Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - + System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. - + The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. - NOTE: + NOTE: The banner text of the document _MUST_ read: "You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. 
Accessing and using this system indicates your understanding of this warning." check: | /bin/ls -ld /Library/Security/PolicyBanner.rtf* | /usr/bin/wc -l | /usr/bin/tr -d ' ' -result: +result: integer: 1 fix: | [source,bash] ---- bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." /bin/mkdir /Library/Security/PolicyBanner.rtf - /usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtf/TXT.rtf -stdin < /etc/banner - ---- + ---- references: cce: - CCE-90974-7 - cci: + cci: - CCI-000048 800-53r5: - AC-8 - 800-53r4: + 800-53r4: - AC-8 srg: - SRG-OS-000023-GPOS-00006 
@@ -35,15 +35,15 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_policy_banner_ssh_enforce.yaml b/docs/rules/os/os_policy_banner_ssh_enforce.yaml index d60e6c6..b823cb3 100644 --- a/docs/rules/os/os_policy_banner_ssh_enforce.yaml +++ b/docs/rules/os/os_policy_banner_ssh_enforce.yaml @@ -1,7 +1,7 @@ id: os_policy_banner_ssh_enforce title: "Enforce SSH to Display Policy Banner" discussion: | - SSH _MUST_ be configured to display a policy banner. + SSH _MUST_ be configured to display a policy banner. Displaying a standardized and approved use notification before granting access to the operating system ensures that users are provided with privacy and security notification verbiage that is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. @@ -9,7 +9,7 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^Banner /etc/banner" /etc/ssh/sshd_config + /usr/bin/grep -c "^Banner /etc/banner" /etc/ssh/sshd_config result: integer: 1 fix: | @@ -20,12 +20,12 @@ fix: | references: cce: - CCE-90975-4 - cci: + cci: - CCI-000048 - CCI-000050 800-53r5: - AC-8 - 800-53r4: + 800-53r4: - AC-8 srg: - SRG-OS-000023-GPOS-00006 
@@ -37,15 +37,15 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_prevent_priv_execution.yaml b/docs/rules/os/os_prevent_priv_execution.yaml index 574a99a..ef60c4a 100644 --- a/docs/rules/os/os_prevent_priv_execution.yaml +++ b/docs/rules/os/os_prevent_priv_execution.yaml @@ -3,8 +3,8 @@ title: "Prevent Software From Executing at Higher Privilege Levels than Users Ex discussion: | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. - + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. 
@@ -24,7 +24,7 @@ references: srg: - N/A 800-171r2: - - 3.1.7 + - 3.1.7 macOS: - "12.0" tags: diff --git a/docs/rules/os/os_prevent_priv_functions.yaml b/docs/rules/os/os_prevent_priv_functions.yaml index f1c593d..fbee4a7 100644 --- a/docs/rules/os/os_prevent_priv_functions.yaml +++ b/docs/rules/os/os_prevent_priv_functions.yaml @@ -1,11 +1,11 @@ id: os_prevent_priv_functions title: "Configure the System to Block Non-Privileged Users from Executing Privileged Functions" discussion: | - The information system _IS_ configured to block standard users from executing privileged functions. + The information system _IS_ configured to block standard users from executing privileged functions. - Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. - - The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. + Privileged functions include disabling, circumventing, or altering implemented security safeguards and countermeasures. + + The inherent configuration of the macOS does not allow for non-privileged users to be able to execute functions requiring privilege. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html[] check: | diff --git a/docs/rules/os/os_prevent_unauthorized_disclosure.yaml b/docs/rules/os/os_prevent_unauthorized_disclosure.yaml index 2262012..1959e24 100644 --- a/docs/rules/os/os_prevent_unauthorized_disclosure.yaml +++ b/docs/rules/os/os_prevent_unauthorized_disclosure.yaml 
@@ -1,9 +1,9 @@ id: os_prevent_unauthorized_disclosure title: "Configure the System to Prevent the Unauthorized Disclosure of Data via Shared Resources" discussion: | - The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. - - The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. + The information system _IS_ configured to ensure that the unauthorized disclosure of data does not occur when resources are shared. + + The inherent configuration of the macOS does not allow for resources to be shared between users without authorization. link:https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html[] check: | diff --git a/docs/rules/os/os_privacy_setup_prompt_disable.yaml b/docs/rules/os/os_privacy_setup_prompt_disable.yaml index 8fedda7..b9061f9 100644 --- a/docs/rules/os/os_privacy_setup_prompt_disable.yaml +++ b/docs/rules/os/os_privacy_setup_prompt_disable.yaml @@ -21,12 +21,12 @@ references: 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002036 cis: benchmark: @@ -43,4 +43,4 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.SetupAssistant.managed: - SkipPrivacySetup: true \ No newline at end of file + SkipPrivacySetup: true diff --git a/docs/rules/os/os_prohibit_remote_activation_collab_devices.yaml b/docs/rules/os/os_prohibit_remote_activation_collab_devices.yaml index 84e10f1..0107f51 100644 --- a/docs/rules/os/os_prohibit_remote_activation_collab_devices.yaml +++ b/docs/rules/os/os_prohibit_remote_activation_collab_devices.yaml 
@@ -2,13 +2,13 @@ id: os_prohibit_remote_activation_collab_devices title: "Prohibit Remote Activation of Collaborative Computing Devices" discussion: | The inherent configuration of the macOS _IS_ in compliance. - + Apple has implemented a green light physically next to your camera that will glow when the camera is activated. There is an orange dot indicator by the Control Center pull down menu item to indicate when the system's microphone is listening or activated. The macOS has built into the system, the ability to grant or deny access to the camera and microphone which requires the application to have an entitlement to use the device. - + link:https://support.apple.com/guide/mac-help/use-the-built-in-camera-mchlp2980/mac[] - + link:https://support.apple.com/guide/mac-help/control-access-to-your-camera-mchlf6d108da/mac[] link:https://support.apple.com/guide/mac-help/control-access-to-your-microphone-on-mac-mchla1b1e1fe/12.0/mac/12.0[] diff --git a/docs/rules/os/os_protect_dos_attacks.yaml b/docs/rules/os/os_protect_dos_attacks.yaml index e13738a..5503893 100644 --- a/docs/rules/os/os_protect_dos_attacks.yaml +++ b/docs/rules/os/os_protect_dos_attacks.yaml 
@@ -1,9 +1,9 @@ id: os_protect_dos_attacks title: "Protect Against Denial of Service Attacks by Ensuring Rate-Limiting Measures on Network Interfaces" discussion: | - The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. - - DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. + The macOS should be configured to prevent Denial of Service (DoS) attacks by enforcing rate-limiting measures on network interfaces. + + DoS attacks leave authorized users unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. When this occurs, the organization must operate at degraded capacity; often resulting in an inability to accomplish its mission. To prevent DoS attacks by ensuring rate-limiting measures on network interfaces, many operating systems can be integrated with enterprise-level firewalls and networking equipment that meet or exceed this requirement. check: | diff --git a/docs/rules/os/os_provide_automated_account_management.yaml b/docs/rules/os/os_provide_automated_account_management.yaml index 304b00b..7ad7c80 100644 --- a/docs/rules/os/os_provide_automated_account_management.yaml +++ b/docs/rules/os/os_provide_automated_account_management.yaml 
@@ -4,7 +4,7 @@ discussion: | The organization should employ automated mechanisms to support the management of information system accounts. The use of automated mechanisms prevents against human error and provide a faster and more efficient means of relaying time-sensitive information and account management. - + To employ automated mechanisms for account management functions, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/docs/rules/os/os_reauth_devices_change_authenticators.yaml b/docs/rules/os/os_reauth_devices_change_authenticators.yaml index ddda738..300e7cb 100644 --- a/docs/rules/os/os_reauth_devices_change_authenticators.yaml +++ b/docs/rules/os/os_reauth_devices_change_authenticators.yaml @@ -1,8 +1,8 @@ id: os_reauth_devices_change_authenticators title: "Require Devices to Reauthenticate when Changing Authenticators" discussion: | - The macOS should be configured to require users to reauthenticate when the device authenticator is changed. - + The macOS should be configured to require users to reauthenticate when the device authenticator is changed. + Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate. check: | The technology does not support this requirement. This is an applicable-does not meet finding. diff --git a/docs/rules/os/os_recovery_lock_enable.yaml b/docs/rules/os/os_recovery_lock_enable.yaml index aaeeb30..2705c50 100644 --- a/docs/rules/os/os_recovery_lock_enable.yaml +++ b/docs/rules/os/os_recovery_lock_enable.yaml 
@@ -1,14 +1,14 @@ id: os_recovery_lock_enable title: "Enable Recovery Lock" discussion: | - A recovery lock password _MUST_ be enabled and set. + A recovery lock password _MUST_ be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. NOTE: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockedEnabled = 1" -result: +result: integer: 1 fix: | NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password. @@ -30,13 +30,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - arm64 severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/os/os_removable_media_disable.yaml b/docs/rules/os/os_removable_media_disable.yaml index ac91ee8..ae05203 100644 --- a/docs/rules/os/os_removable_media_disable.yaml +++ b/docs/rules/os/os_removable_media_disable.yaml 
@@ -2,9 +2,9 @@ id: os_removable_media_disable title: "Disable Removable Storage Devices" discussion: | Removable media, such as USB connected external hard drives, thumb drives, and optical media, _MUST_ be disabled for users. - + Disabling removable storage devices reduces the risks and known vulnerabilities of such devices (e.g., malicious code insertion) - + [IMPORTANT] ==== Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
@@ -26,12 +26,12 @@ fix: | references: cce: - CCE-90991-1 - cci: + cci: - CCI-000366 - CCI-001967 800-53r5: - MP-7 - 800-53r4: + 800-53r4: - MP-7(1) srg: - SRG-OS-000480-GPOS-00227
@@ -49,7 +49,7 @@ mobileconfig: true mobileconfig_info: com.apple.systemuiserver: mount-controls: - harddisk-external: + harddisk-external: - alert - eject - +
diff --git a/docs/rules/os/os_required_crypto_module.yaml b/docs/rules/os/os_required_crypto_module.yaml
index 9f183c9..f9f92d4 100644
--- a/docs/rules/os/os_required_crypto_module.yaml
+++ b/docs/rules/os/os_required_crypto_module.yaml
@@ -2,13 +2,13 @@ id: os_required_crypto_module title: "Ensure all Federal Laws, Executive Orders, Directives, Policies, Regulations, Standards, and Guidance for Authentication to a Cryptographic Module are Met" discussion: | The inherent configuration of the macOS _IS_ in compliance by implementing mechanisms for authentication to a cryptographic module that meet the requirements of all applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication - + macOS contains many open source projects that may use their own cryptographic libraries typically for the purposes of maintaining platform independence. These services are not covered by the Apple FIPS Validation of the CoreCrypto and CoreCrypto Kernel modules. macOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation. link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] - + link:https://support.apple.com/en-us/HT201159[] check: | The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
diff --git a/docs/rules/os/os_root_disable.yaml b/docs/rules/os/os_root_disable.yaml
index a9ad055..b66f90c 100644
--- a/docs/rules/os/os_root_disable.yaml
+++ b/docs/rules/os/os_root_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Root Login" discussion: | To assure individual accountability and prevent unauthorized access, logging in as root at the login window _MUST_ be disabled. - The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. + The macOS system _MUST_ require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. check: | /usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false" result:
@@ -17,7 +17,7 @@ references: cce: - CCE-90994-5 cci: - - N/A + - N/A 800-53r5: - IA-2 - IA-2(5)
@@ -47,4 +47,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_safari_open_safe_downloads_disable.yaml b/docs/rules/os/os_safari_open_safe_downloads_disable.yaml
index fe9b406..6619b30 100644
--- a/docs/rules/os/os_safari_open_safe_downloads_disable.yaml
+++ b/docs/rules/os/os_safari_open_safe_downloads_disable.yaml
@@ -1,7 +1,7 @@ id: os_safari_open_safe_downloads_disable title: "Disable Automatic Opening of Safe Files in Safari" discussion: | - Open "safe" files after downloading _MUST_ be disabled in Safari. + Open "safe" files after downloading _MUST_ be disabled in Safari. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutoOpenSafeDownloads = 0' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result:
diff --git a/docs/rules/os/os_screensaver_loginwindow_enforce.yaml b/docs/rules/os/os_screensaver_loginwindow_enforce.yaml
index 5c4f865..0ab1930 100644
--- a/docs/rules/os/os_screensaver_loginwindow_enforce.yaml
+++ b/docs/rules/os/os_screensaver_loginwindow_enforce.yaml
@@ -29,11 +29,11 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "low"
diff --git a/docs/rules/os/os_secure_boot_verify.yaml b/docs/rules/os/os_secure_boot_verify.yaml
index 76cf3b3..51d022f 100644
--- a/docs/rules/os/os_secure_boot_verify.yaml
+++ b/docs/rules/os/os_secure_boot_verify.yaml
@@ -3,12 +3,12 @@ title: "Ensure Secure Boot Level Set to Full" discussion: | The Secure Boot security setting _MUST_ be set to full. - Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. + Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" -result: +result: integer: 1 fix: | NOTE: Boot into Recovery Mode and enable Full Secure Boot
@@ -35,4 +35,4 @@ tags: - 800-53r5_moderate - 800-53r4_high mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_secure_enclave.yaml b/docs/rules/os/os_secure_enclave.yaml
index 757c9b3..6e2b815 100644
--- a/docs/rules/os/os_secure_enclave.yaml
+++ b/docs/rules/os/os_secure_enclave.yaml
@@ -2,9 +2,9 @@ id: os_secure_enclave title: "Protected Storage for Cryptographic Keys" discussion: | A system _IS_ configured to provide protected storage for cryptographic keys either by hardware protected key store or an organizationally defined safeguard. - + Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. - + link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] NOTE: This will only return a proper result on a T2 or Apple Silicon Macs.
@@ -13,7 +13,7 @@ check: | result: integer: 0 fix: | - The hardware does not support the requirement. + The hardware does not support the requirement. references: cce: - CCE-90997-8
diff --git a/docs/rules/os/os_separate_functionality.yaml b/docs/rules/os/os_separate_functionality.yaml
index 83b904c..9db6353 100644
--- a/docs/rules/os/os_separate_functionality.yaml
+++ b/docs/rules/os/os_separate_functionality.yaml
@@ -1,11 +1,11 @@ id: os_separate_functionality title: "Configure the System to Separate User and System Functionality" discussion: | - The information system _IS_ configured to separate user and system functionality. - - Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. - - The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. + The information system _IS_ configured to separate user and system functionality. + + Operating system management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges. Operating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access. + + The inherent configuration of the macOS allows only privileged users to access operating system management functionalities. link:https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html[] check: |
diff --git a/docs/rules/os/os_show_filename_extensions_enable.yaml b/docs/rules/os/os_show_filename_extensions_enable.yaml
index d9496a5..82ec693 100644
--- a/docs/rules/os/os_show_filename_extensions_enable.yaml
+++ b/docs/rules/os/os_show_filename_extensions_enable.yaml
@@ -2,8 +2,8 @@ id: os_show_filename_extensions_enable title: "Enable Show All Filename Extensions" discussion: | Show all filename extensions _MUST_ be enabled in the Finder. - - [NOTE] + + [NOTE] ==== The check and fix are for the currently logged in user. To get the currently logged in user, run the following. [source,bash]
@@ -47,4 +47,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sip_enable.yaml b/docs/rules/os/os_sip_enable.yaml
index cbeeb39..8cb37df 100644
--- a/docs/rules/os/os_sip_enable.yaml
+++ b/docs/rules/os/os_sip_enable.yaml
@@ -1,8 +1,8 @@ id: os_sip_enable title: "Ensure System Integrity Protection is Enabled" discussion: | - System Integrity Protection (SIP) _MUST_ be enabled. - + System Integrity Protection (SIP) _MUST_ be enabled. + SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents non-privileged users from granting other users direct access to the contents of their home directories and folders. NOTE: SIP is enabled by default in macOS.
@@ -19,7 +19,7 @@ fix: | references: cce: - CCE-91000-0 - cci: + cci: - CCI-000154 - CCI-000158 - CCI-000169
@@ -45,7 +45,7 @@ references: - SI-2 - SI-7 800-53r4: - - AC-3 + - AC-3 - AU-6(4) - AU-7(1) - AU-7
@@ -89,13 +89,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - cis_lvl1
@@ -103,4 +103,4 @@ tags: - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_siri_prompt_disable.yaml b/docs/rules/os/os_siri_prompt_disable.yaml
index 22b19f0..1ac6243 100644
--- a/docs/rules/os/os_siri_prompt_disable.yaml
+++ b/docs/rules/os/os_siri_prompt_disable.yaml
@@ -23,7 +23,7 @@ references: - AC-20 - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) - AC-20
@@ -44,13 +44,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig
diff --git a/docs/rules/os/os_skip_screen_time_prompt_enable.yaml b/docs/rules/os/os_skip_screen_time_prompt_enable.yaml
index 541481a..99ce370 100644
--- a/docs/rules/os/os_skip_screen_time_prompt_enable.yaml
+++ b/docs/rules/os/os_skip_screen_time_prompt_enable.yaml
@@ -1,7 +1,7 @@ id: os_skip_screen_time_prompt_enable title: "Disable Screen Time Prompt During Setup Assistant" -discussion: - The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. +discussion: + The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\
@@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91113-1 - cci: + cci: - CCI-000381 800-53r5: - CM-7
diff --git a/docs/rules/os/os_skip_unlock_with_watch_enable.yaml b/docs/rules/os/os_skip_unlock_with_watch_enable.yaml
index d9be6cb..4d588ea 100644
--- a/docs/rules/os/os_skip_unlock_with_watch_enable.yaml
+++ b/docs/rules/os/os_skip_unlock_with_watch_enable.yaml
@@ -1,10 +1,10 @@ id: os_skip_unlock_with_watch_enable title: "Disable Unlock with Apple Watch During Setup Assistant" discussion: | - The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled. - + The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled. + Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ .objectForKey('SkipUnlockWithWatch').js
@@ -20,7 +20,7 @@ references: - CCI-000381 800-53r5: - AC-20 - 800-53r4: + 800-53r4: - AC-20 srg: - SRG-OS-000095-GPOS-00049
@@ -32,19 +32,19 @@ references: benchmark: - N/A controls v8: - - 4.1 + - 4.1 macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - - cisv8 + - cisv8 - stig severity: "medium" mobileconfig: true
diff --git a/docs/rules/os/os_ssh_fips_compliant.yaml b/docs/rules/os/os_ssh_fips_compliant.yaml
index 8205d76..8bf7938 100644
--- a/docs/rules/os/os_ssh_fips_compliant.yaml
+++ b/docs/rules/os/os_ssh_fips_compliant.yaml
@@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. check: |
@@ -32,11 +32,11 @@ fix: | PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256" /bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config - ---- + ---- references: cce: - CCE-91003-4 - cci: + cci: - CCI-000087 - CCI-000068 - CCI-000803
@@ -47,7 +47,7 @@ references: - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1)
@@ -72,4 +72,4 @@ tags: - 800-171 - cnssi-1253 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_ssh_server_alive_count_max_configure.yaml b/docs/rules/os/os_ssh_server_alive_count_max_configure.yaml
index e196534..bf8a080 100644
--- a/docs/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/docs/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91005-9 - cci: + cci: - N/A 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A
@@ -38,4 +38,4 @@ tags: - 800-171 - cnssi-1253 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_ssh_server_alive_interval_configure.yaml b/docs/rules/os/os_ssh_server_alive_interval_configure.yaml
index 0b77635..b71ffc5 100644
--- a/docs/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/docs/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -1,8 +1,8 @@ id: os_ssh_server_alive_interval_configure title: "Configure SSH ServerAliveInterval option set to 900 or less" discussion: | - SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. - + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. + Setting the Active Server Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
@@ -18,12 +18,12 @@ fix: | references: cce: - CCE-91006-7 - cci: + cci: - N/A 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - N/A
@@ -41,4 +41,4 @@ tags: - 800-171 - cnssi-1253 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_client_alive_count_max_configure.yaml b/docs/rules/os/os_sshd_client_alive_count_max_configure.yaml
index 31bcd35..45b5368 100644
--- a/docs/rules/os/os_sshd_client_alive_count_max_configure.yaml
+++ b/docs/rules/os/os_sshd_client_alive_count_max_configure.yaml
@@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91007-5 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072
@@ -31,13 +31,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate + - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate + - 800-53r4_moderate - 800-53r4_high - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_client_alive_interval_configure.yaml b/docs/rules/os/os_sshd_client_alive_interval_configure.yaml
index df0575a..bceb686 100644
--- a/docs/rules/os/os_sshd_client_alive_interval_configure.yaml
+++ b/docs/rules/os/os_sshd_client_alive_interval_configure.yaml
@@ -1,8 +1,8 @@ id: os_sshd_client_alive_interval_configure title: "Configure SSHD ClientAliveInterval option set to 900 or less" discussion: | - If SSHD is enabled then it _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. - + If SSHD is enabled then it _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. + Setting the Active Client Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
@@ -18,12 +18,12 @@ fix: | references: cce: - CCE-91008-3 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - AC-12 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072
@@ -36,11 +36,11 @@ macOS: tags: - 800-53r5_moderate - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high + - 800-53r4_moderate + - 800-53r4_high - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_fips_140_ciphers.yaml b/docs/rules/os/os_sshd_fips_140_ciphers.yaml
index c7268d1..744ff31 100644
--- a/docs/rules/os/os_sshd_fips_140_ciphers.yaml
+++ b/docs/rules/os/os_sshd_fips_140_ciphers.yaml
@@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: |
@@ -20,7 +20,7 @@ fix: | references: cce: - CCE-91114-9 - cci: + cci: - CCI-000803 - CCI-000068 - CCI-003123
@@ -30,20 +30,20 @@ references: - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 - MA-4(6) - srg: + srg: - SRG-OS-000033-GPOS-00014 - SRG-OS-000120-GPOS-00061 - SRG-OS-000125-GPOS-00065 - SRG-OS-000250-GPOS-00093 - SRG-OS-000393-GPOS-00173 - SRG-OS-000394-GPOS-00174 - disa_stig: + disa_stig: - APPL-12-000054 800-171r2: - 3.1.13
@@ -55,4 +55,4 @@ tags: - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_fips_140_macs.yaml b/docs/rules/os/os_sshd_fips_140_macs.yaml
index fd7cfaf..aaa4cd5 100644
--- a/docs/rules/os/os_sshd_fips_140_macs.yaml
+++ b/docs/rules/os/os_sshd_fips_140_macs.yaml
@@ -4,8 +4,8 @@ discussion: | If SSHD is enabled then it _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. - - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: |
@@ -20,7 +20,7 @@ fix: | references: cce: - CCE-91115-6 - cci: + cci: - CCI-000068 - CCI-000803 - CCI-003123
@@ -30,20 +30,20 @@ references: - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 - MA-4(6) - srg: + srg: - SRG-OS-000033-GPOS-00014 - SRG-OS-000120-GPOS-00061 - SRG-OS-000125-GPOS-00065 - SRG-OS-000250-GPOS-00093 - SRG-OS-000393-GPOS-00173 - SRG-OS-000394-GPOS-00174 - disa_stig: + disa_stig: - APPL-12-000055 800-171r2: - 3.1.13
@@ -55,4 +55,4 @@ tags: - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_fips_compliant.yaml b/docs/rules/os/os_sshd_fips_compliant.yaml
index 0820e07..6c4872d 100644
--- a/docs/rules/os/os_sshd_fips_compliant.yaml
+++ b/docs/rules/os/os_sshd_fips_compliant.yaml
@@ -5,7 +5,7 @@ discussion: | FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. - Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information. check: |
@@ -29,12 +29,12 @@ fix: | MACs hmac-sha2-256 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256" - /bin/echo "${fips_sshd_config}" > /etc/ssh/sshd_config.d/fips_sshd_config - ---- + /bin/echo "${fips_sshd_config}" > /etc/ssh/sshd_config.d/fips_sshd_config + ---- references: cce: - CCE-91010-9 - cci: + cci: - CCI-000087 - CCI-000068 - CCI-000803
@@ -45,7 +45,7 @@ references: - IA-7 - SC-13 - SC-8(1) - 800-53r4: + 800-53r4: - AC-17(2) - IA-7 - SC-8(1)
@@ -72,4 +72,4 @@ tags: - cnssi-1253 severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_key_exchange_algorithm_configure.yaml b/docs/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
index cec0329..98370bc 100644
--- a/docs/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
+++ b/docs/rules/os/os_sshd_key_exchange_algorithm_configure.yaml
@@ -22,7 +22,7 @@ fix: | references: cce: - CCE-91011-7 - cci: + cci: - CCI-000803 - CCI-000068 - CCI-000087
@@ -32,7 +32,7 @@ references: - AC-17(2) - IA-7 - MA-4(6) - 800-53r4: + 800-53r4: - IA-7 - AC-17(2) - MA-4(6)
@@ -50,14 +50,14 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate - 800-53r4_high - cnssi-1253 - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_login_grace_time_configure.yaml b/docs/rules/os/os_sshd_login_grace_time_configure.yaml
index 1dd0b85..bb29695 100644
--- a/docs/rules/os/os_sshd_login_grace_time_configure.yaml
+++ b/docs/rules/os/os_sshd_login_grace_time_configure.yaml
@@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91012-5 - cci: + cci: - CCI-001133 800-53r5: - SC-10 - 800-53r4: + 800-53r4: - SC-10 srg: - SRG-OS-000163-GPOS-00072
@@ -34,4 +34,4 @@ tags: - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sshd_permit_root_login_configure.yaml b/docs/rules/os/os_sshd_permit_root_login_configure.yaml
index 9e7d803..a7a66c4 100644
--- a/docs/rules/os/os_sshd_permit_root_login_configure.yaml
+++ b/docs/rules/os/os_sshd_permit_root_login_configure.yaml
@@ -1,10 +1,10 @@ id: os_sshd_permit_root_login_configure title: "Disable Root Login for SSH" discussion: | - If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. - - The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. - + If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. + + The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root. + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | /usr/bin/grep -c "^PermitRootLogin no" /etc/ssh/sshd_config
@@ -18,11 +18,11 @@ fix: | references: cce: - CCE-91013-3 - cci: + cci: - CCI-000770 800-53r5: - IA-2(5) - 800-53r4: + 800-53r4: - IA-2(5) srg: - SRG-OS-000109-GPOS-00056
@@ -31,9 +31,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_high - - 800-53r4_high + - 800-53r5_high + - 800-53r4_high - stig severity: "medium" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sudo_timeout_configure.yaml b/docs/rules/os/os_sudo_timeout_configure.yaml
index 8ec1e88..4a42af9 100644
--- a/docs/rules/os/os_sudo_timeout_configure.yaml
+++ b/docs/rules/os/os_sudo_timeout_configure.yaml
@@ -33,12 +33,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - cis_lvl1 - cis_lvl2 - cisv8 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sudoers_timestamp_type_configure.yaml b/docs/rules/os/os_sudoers_timestamp_type_configure.yaml
index 790abd8..056786e 100644
--- a/docs/rules/os/os_sudoers_timestamp_type_configure.yaml
+++ b/docs/rules/os/os_sudoers_timestamp_type_configure.yaml
@@ -35,12 +35,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - cis_lvl1 - cis_lvl2 - cisv8 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_sudoers_tty_configure.yaml b/docs/rules/os/os_sudoers_tty_configure.yaml
index f68ce90..2c92118 100644
--- a/docs/rules/os/os_sudoers_tty_configure.yaml
+++ b/docs/rules/os/os_sudoers_tty_configure.yaml
@@ -35,9 +35,9 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high - cnssi-1253 - cis_lvl1 - cis_lvl2
@@ -45,4 +45,4 @@ tags: - stig severity: "high" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_system_read_only.yaml b/docs/rules/os/os_system_read_only.yaml
index e869423..5b0a74c 100644
--- a/docs/rules/os/os_system_read_only.yaml
+++ b/docs/rules/os/os_system_read_only.yaml
@@ -6,10 +6,10 @@ discussion: | NOTE: The system volume is read only by default in macOS. check: | /usr/sbin/system_profiler SPStorageDataType | /usr/bin/awk '/Mount Point: \/$/{x=NR+2}(NR==x){print $2}' -result: +result: string: "No" fix: | - NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. + NOTE: To remount the System volume as Read Only, rebooting the computer will mount it as Read Only. references: cce: - CCE-91016-6
@@ -34,4 +34,4 @@ tags: - 800-53r4_moderate - 800-53r4_high mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_terminal_secure_keyboard_enable.yaml b/docs/rules/os/os_terminal_secure_keyboard_enable.yaml
index f4a830b..7a535bf 100644
--- a/docs/rules/os/os_terminal_secure_keyboard_enable.yaml
+++ b/docs/rules/os/os_terminal_secure_keyboard_enable.yaml
@@ -1,7 +1,7 @@ id: os_terminal_secure_keyboard_enable title: "Ensure Secure Keyboard Entry Terminal.app is Enabled" discussion: | - Secure keyboard entry _MUST_ be enabled in Terminal.app. + Secure keyboard entry _MUST_ be enabled in Terminal.app. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.Terminal')\
@@ -22,8 +22,8 @@ references: - N/A srg: - N/A - cci: - - N/A + cci: + - N/A 800-171r2: - N/A cis:
diff --git a/docs/rules/os/os_tftpd_disable.yaml b/docs/rules/os/os_tftpd_disable.yaml
index 99f5d45..b004af7 100644
--- a/docs/rules/os/os_tftpd_disable.yaml
+++ b/docs/rules/os/os_tftpd_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Trivial File Tansfer Protocol Service" discussion: | If the system does not require Trivial File Tansfer Protocol (TFTP), support it is non-essential and _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. + The information system _MUST_ be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and the unauthorized transfer of information. NOTE: TFTP service is disabled at startup by default macOS. check: |
@@ -19,7 +19,7 @@ fix: | references: cce: - CCE-91018-2 - cci: + cci: - CCI-000197 800-53r5: - AC-3
@@ -45,16 +45,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig severity: "high" mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/os/os_time_offset_limit_configure.yaml b/docs/rules/os/os_time_offset_limit_configure.yaml
index 100ae51..d4c001e 100644
--- a/docs/rules/os/os_time_offset_limit_configure.yaml
+++ b/docs/rules/os/os_time_offset_limit_configure.yaml
@@ -14,15 +14,15 @@ fix: | references: cce: - CCE-91119-8 - cci: - - N/A + cci: + - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A
diff --git a/docs/rules/os/os_time_server_enabled.yaml b/docs/rules/os/os_time_server_enabled.yaml
index 80f6de1..fc3956c 100644
--- a/docs/rules/os/os_time_server_enabled.yaml
+++ b/docs/rules/os/os_time_server_enabled.yaml
@@ -16,13 +16,13 @@ fix: | references: cce: - CCE-91019-0 - cci: + cci: - CCI-001891 - CCI-002046 800-53r5: - AU-12(1) - SC-45(1) - 800-53r4: + 800-53r4: - AU-8(1) srg: - SRG-OS-000355-GPOS-00143
@@ -39,12 +39,12 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate + - 800-171 + - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate - 800-53r4_high - cisv8 - stig
diff --git a/docs/rules/os/os_touchid_prompt_disable.yaml b/docs/rules/os/os_touchid_prompt_disable.yaml
index b068ba7..409e22d 100644
--- a/docs/rules/os/os_touchid_prompt_disable.yaml
+++ b/docs/rules/os/os_touchid_prompt_disable.yaml
@@ -18,9 +18,9 @@ references: - CCE-91020-8 cci: - CCI-000381 - 800-53r5: + 800-53r5: - CM-6 - 800-53r4: + 800-53r4: - CM-6 srg: - SRG-OS-000095-GPOS-00049
diff --git a/docs/rules/os/os_unlock_active_user_session_disable.yaml b/docs/rules/os/os_unlock_active_user_session_disable.yaml
index b2fc530..59614e4 100644
--- a/docs/rules/os/os_unlock_active_user_session_disable.yaml
+++ b/docs/rules/os/os_unlock_active_user_session_disable.yaml
@@ -1,8 +1,8 @@ id: os_unlock_active_user_session_disable title: "Disable Login to Other User's Active and Locked Sessions" discussion: | - The ability to log in to another user's active or locked session _MUST_ be disabled. - + The ability to log in to another user's active or locked session _MUST_ be disabled. + macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. check: | /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui'
@@ -51,4 +51,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_user_app_installation_prohibit.yaml b/docs/rules/os/os_user_app_installation_prohibit.yaml
index 36a119b..652851d 100644
--- a/docs/rules/os/os_user_app_installation_prohibit.yaml
+++ b/docs/rules/os/os_user_app_installation_prohibit.yaml
@@ -1,8 +1,8 @@ id: os_user_app_installation_prohibit title: "Prohibit User Installation of Software into /Users/" discussion: | - Users _MUST_ not be allowed to install software into /Users/. - + Users _MUST_ not be allowed to install software into /Users/. + Allowing regular users to install software, without explicit privileges, presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. check: | /usr/bin/osascript -l JavaScript << EOS
@@ -45,5 +45,5 @@ mobileconfig: true mobileconfig_info: com.apple.applicationaccess.new: familyControlsEnabled: true - pathBlackList: + pathBlackList: - "/Users/"
diff --git a/docs/rules/os/os_uucp_disable.yaml b/docs/rules/os/os_uucp_disable.yaml
index 3e71cbe..dcd721c 100644
--- a/docs/rules/os/os_uucp_disable.yaml
+++ b/docs/rules/os/os_uucp_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Unix-to-Unix Copy Protocol Service" discussion: | The system _MUST_ not have the Unix-to-Unix Copy Protocol (UUCP) service active. - UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. + UUCP, a set of programs that enable the sending of files between different UNIX systems as well as sending commands to be executed on another system, is not essential and _MUST_ be disabled in order to prevent the unauthorized connection of devices, transfer of information, and tunneling. NOTE: UUCP service is disabled at startup by default macOS. check: |
@@ -43,16 +43,16 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/os/os_world_writable_system_folder_configure.yaml b/docs/rules/os/os_world_writable_system_folder_configure.yaml
index 0417327..bc7c6be 100644
--- a/docs/rules/os/os_world_writable_system_folder_configure.yaml
+++ b/docs/rules/os/os_world_writable_system_folder_configure.yaml
@@ -41,4 +41,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_50_percent.yaml b/docs/rules/pwpolicy/pwpolicy_50_percent.yaml
index 58ea9d0..b769514 100644
--- a/docs/rules/pwpolicy/pwpolicy_50_percent.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_50_percent.yaml
@@ -1,11 +1,11 @@ id: pwpolicy_50_percent title: "Require a Minimum of Fifty Percent Character Change in New Passwords" discussion: | - The macOS should be configured to require users to change at least 50% of the characters when setting a new password. - + The macOS should be configured to require users to change at least 50% of the characters when setting a new password. + If the operating system allows users to consecutively reuse extensive portions of passwords, this increases the window of opportunity for a malicious user to guess the password. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. - - To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. + + To enforce a 50% character change when new passwords are created, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | The technology does not support this requirement. This is an applicable-does not meet finding. fix: |
@@ -42,4 +42,4 @@ tags: - 800-53r4_high - permanent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
index b1ec3fc..9fec697 100644
--- a/docs/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -1,7 +1,7 @@ id: pwpolicy_60_day_enforce title: "Restrict Maximum Password Lifetime to 60 Days" discussion: | - The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. + The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.
@@ -18,11 +18,11 @@ fix: | references: cce: - CCE-91027-3 - cci: + cci: - CCI-000199 800-53r5: - IA-5 - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) srg:
@@ -44,13 +44,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cisv8 - stig
diff --git a/docs/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
index 2cc4804..f2c73ed 100644
--- a/docs/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -3,16 +3,16 @@ title: "Disable Accounts after 35 Days of Inactivity" discussion: | The macOS _MUST_ be configured to disable accounts after 35 days of inactivity. - This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. -check: | + This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. +check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeInactiveDays"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: integer: 35 fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the "policyCategoryAuthentication": - + [source,xml] ----
@@ -28,7 +28,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
@@ -37,7 +37,7 @@ fix: | references: cce: - CCE-91028-1 - cci: + cci: - CCI-000795 800-53r5: - AC-2(3)
@@ -67,4 +67,4 @@ tags: - 800-53r5_high - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
index 89a5fd9..100bb4f 100644
--- a/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -3,7 +3,7 @@ title: "Limit Consecutive Failed Login Attempts to Three" discussion: | The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after. - This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. + This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
@@ -20,7 +20,7 @@ references: - CCI-002238 800-53r5: - AC-7 - 800-53r4: + 800-53r4: - AC-7 srg: - SRG-OS-000329-GPOS-00128
@@ -36,13 +36,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cisv8 - stig
diff --git a/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
index 88233d7..2b2f961 100644
--- a/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml
@@ -3,7 +3,7 @@ title: "Limit Consecutive Failed Login Attempts to Five" discussion: | The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of five. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after. - This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. + This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
@@ -20,11 +20,11 @@ references: - N/A 800-53r5: - AC-7 - 800-53r4: + 800-53r4: - AC-7 srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.1.8
diff --git a/docs/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
index 3af6e54..6549248 100644
--- a/docs/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -3,7 +3,7 @@ title: "Set Account Lockout Time to 15 Minutes" discussion: | The macOS _MUST_ be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached. - This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. + This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\
@@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91030-7 - cci: + cci: - CCI-002238 800-53r5: - AC-7 - 800-53r4: + 800-53r4: - AC-7 srg: - SRG-OS-000329-GPOS-00128
@@ -36,13 +36,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cisv8 - stig
diff --git a/docs/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
index 699fca1..eb09ea9 100644
--- a/docs/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -3,10 +3,10 @@ title: "Require Passwords Contain a Minimum of One Numeric Character" discussion: | The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('requireAlphanumeric').js
@@ -18,11 +18,11 @@ fix: | references: cce: - CCE-91031-5 - cci: + cci: - CCI-000194 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) srg:
@@ -45,13 +45,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cis_lvl2 - cisv8
diff --git a/docs/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml b/docs/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
index c657b4b..4180d34 100644
--- a/docs/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -1,11 +1,11 @@ id: pwpolicy_emergency_accounts_disable title: "Automatically Remove or Disable Emergency Accounts within 72 Hours" discussion: | - The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. + The macOS is able to be configured to automatically remove or disable emergency accounts within 72 hours or less. Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. + Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). 
Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
@@ -21,7 +21,7 @@ references: - N/A 800-53r5: - AC-2(2) - 800-53r4: + 800-53r4: - AC-2(2) srg: - N/A
@@ -37,4 +37,4 @@ tags: - cnssi-1253 - inherent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_history_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_history_enforce.yaml
index 4fcf0bd..62a909e 100644
--- a/docs/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -1,14 +1,14 @@ id: pwpolicy_history_enforce title: "Prohibit Password Reuse for a Minimum of Five Generations" discussion: | - The macOS _MUST_ be configured to enforce a password history of at least five previous passwords when a password is created. + The macOS _MUST_ be configured to enforce a password history of at least five previous passwords when a password is created. - This rule ensures that users are not allowed to re-use a password that was used in any of the five previous password generations. + This rule ensures that users are not allowed to re-use a password that was used in any of the five previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('pinHistory').js
@@ -20,11 +20,11 @@ fix: | references: cce: - CCE-91034-9 - cci: + cci: - CCI-000200 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5(1) srg: - SRG-OS-000077-GPOS-00045
@@ -43,13 +43,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cisv8 - stig
diff --git a/docs/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/docs/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml
index 19415f1..1274bfe 100644
--- a/docs/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml
@@ -1,9 +1,9 @@ id: pwpolicy_history_enforce_fifteen title: "Prohibit Password Reuse for a Minimum of Fifteen Generations" discussion: | - The macOS _MUST_ be configured to enforce a password history of at least fifteen previous passwords when a password is created. + The macOS _MUST_ be configured to enforce a password history of at least fifteen previous passwords when a password is created. - This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. + This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: |
@@ -18,15 +18,15 @@ fix: | references: cce: - CCE-91123-0 - cci: + cci: - N/A 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - 3.5.7
diff --git a/docs/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
index f1f077c..fa3f5cc 100644
--- a/docs/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -2,8 +2,8 @@ id: pwpolicy_lower_case_character_enforce title: "Require Passwords Contain a Minimum of One Lowercase Character" discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. - - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: |
@@ -12,9 +12,9 @@ result: integer: 1 fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ----
@@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-91035-6 - cci: + cci: - CCI-000193 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig:
@@ -76,4 +76,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
index 247dd23..84e7a71 100644
--- a/docs/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -3,7 +3,7 @@ title: "Require a Minimum Password Length of 15 Characters" discussion: | The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: |
@@ -18,11 +18,11 @@ fix: | references: cce: - CCE-91036-4 - cci: + cci: - CCI-000205 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) srg:
@@ -44,13 +44,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cis_lvl1 - cis_lvl2
diff --git a/docs/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
index dac5c63..8c968f2 100644
--- a/docs/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -6,15 +6,15 @@ discussion: | This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: integer: 24 fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require a minimum password lifetime, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ----
@@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
@@ -39,11 +39,11 @@ fix: | references: cce: - CCE-91037-2 - cci: + cci: - N/A - 800-53r5: + 800-53r5: - IA-5 - 800-53r4: + 800-53r4: - IA-5(1) disa_stig: - N/A
@@ -72,4 +72,4 @@ tags: - 800-53r5_high - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml b/docs/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
index 42c9c7d..e6226b2 100644
--- a/docs/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_prevent_dictionary_words.yaml
@@ -1,10 +1,10 @@ id: pwpolicy_prevent_dictionary_words title: "Prevent the Use of Dictionary Words for Passwords" discussion: | - The macOS should be configured to forbid users to use dictionary words for passwords. - - If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. - + The macOS should be configured to forbid users to use dictionary words for passwords. + + If the operating system allows users to select passwords based on dictionary words, this increases the window of opportunity for a malicious user to guess the password. + To prevent users from using dictionary words for passwords, many operating systems can be integrated with an enterprise-level directory service that meets or exceeds this requirement. check: | For systems not requiring mandatory smart card authentication or those that are not bound to a directory, the technology does not support this requirement. This is an applicable-does not meet finding.
diff --git a/docs/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/docs/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
index 88f7611..e5d14a7 100644
--- a/docs/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -6,7 +6,7 @@ discussion: | This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('allowSimple').js
@@ -18,7 +18,7 @@ fix: | references: cce: - CCE-91039-8 - cci: + cci: - N/A 800-53r5: - IA-5(1)
@@ -51,7 +51,7 @@ tags: - 800-53r4_high - 800-53r5_low - 800-53r5_moderate - - 800-53r5_high + - 800-53r5_high - cisv8 mobileconfig: true mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
index d060025..2243302 100644
--- a/docs/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -4,11 +4,11 @@ discussion: | The macOS _MUST_ be configured to require at least one special character be used when a password is created. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. -check: | +check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ .objectForKey('minComplexChars').js
@@ -20,11 +20,11 @@ fix: | references: cce: - CCE-91040-6 - cci: + cci: - CCI-001619 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) srg:
@@ -46,13 +46,13 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - 800-171 + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cis_lvl2 - cisv8
diff --git a/docs/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml b/docs/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
index 8237aed..4e80720 100644
--- a/docs/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -1,7 +1,7 @@ id: pwpolicy_temporary_accounts_disable title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours" discussion: | - The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created.
@@ -35,4 +35,4 @@ tags: - cnssi-1253 - inherent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info:
diff --git a/docs/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml b/docs/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
index 9b3dc3f..811d938 100644
--- a/docs/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
+++ b/docs/rules/pwpolicy/pwpolicy_temporary_or_emergency_accounts_disable.yaml
@@ -1,25 +1,25 @@ id: pwpolicy_temporary_or_emergency_accounts_disable title: "Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours" discussion: | - The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation. - + The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary or emergency accounts upon account creation. + Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. + Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. 
Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. - + If temporary or emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary or emergency accounts _MUST_ be set to 72 hours (or less) when the temporary or emergency account is created. If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. check: | - Verify if a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO). + Verify if a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO). - If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. + If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. If there are no temporary or emergency accounts defined on the system, this is Not Applicable. 
@@ -72,12 +72,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high - manual - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/docs/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index feb8f16..9b4008c 100644 --- a/docs/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/docs/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -3,8 +3,8 @@ title: "Require Passwords Contain a Minimum of One Uppercase Character" discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. - This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. - + This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' @@ -12,9 +12,9 @@ result: integer: 1 fix: | This setting may be enforced using local policy or by a directory service. - + To set local policy to require at least 1 lowercase letter, edit the current password policy to contain the following within the "policyCategoryPasswordContent": - + [source,xml] ---- 
@@ -30,7 +30,7 @@ fix: | ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -39,11 +39,11 @@ fix: | references: cce: - CCE-91043-0 - cci: + cci: - CCI-000192 800-53r5: - IA-5(1) - 800-53r4: + 800-53r4: - IA-5 - IA-5(1) disa_stig: @@ -76,4 +76,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/supplemental/supplemental_cis_manual.yaml b/docs/rules/supplemental/supplemental_cis_manual.yaml index ddee605..e6b5ed4 100644 --- a/docs/rules/supplemental/supplemental_cis_manual.yaml +++ b/docs/rules/supplemental/supplemental_cis_manual.yaml @@ -12,7 +12,7 @@ discussion: | |Recommendations |1.7 Audit Computer Name |=== - + [cols="15%h, 85%a"] |=== |Section @@ -82,9 +82,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -95,4 +95,4 @@ macOS: tags: - supplemental mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/supplemental/supplemental_controls.yaml b/docs/rules/supplemental/supplemental_controls.yaml index c25e3e2..8a5f22e 100644 --- a/docs/rules/supplemental/supplemental_controls.yaml +++ b/docs/rules/supplemental/supplemental_controls.yaml 
@@ -1,20 +1,20 @@ id: supplemental_controls title: "Out of Scope Supplemental" discussion: | - There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + There are several requirements defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 that can be met by making configuration changes to the operating system. However, NIST SP 800-53 (Rev. 5) contains a broad set of guidelines that attempt to address all aspects of an information system or systems within an organization. Because the macOS Security Compliance Project is tailored specifically to macOS, some requirements defined in NIST SP 800-53 (Rev. 5) are not applicable. + + This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - This supplemental contains those controls that are assigned to a baseline in NIST SP 800-53 (Rev. 5) which cannot be addressed with a technical configuration for macOS. 
These controls can be accomplished though administrative or procedural processes within an organization or via integration of the macOS system into enterprise information systems which are configured to protect the systems within. - [cols="15%h, 85%a"] |=== |Family |Access Control (AC) - |Controls + |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-1[AC-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-2[AC-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-3[AC-3(14)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-14[AC-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-17[AC-17(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AC-22[AC-22] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -34,7 +34,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-1[AU-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-6[AU-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=AU-9[AU-9(2)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -44,7 +44,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-1[CA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-2[CA-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-3[CA-3(6)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-5[CA-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-6[CA-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-7[CA-7(4)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CA-9[CA-9] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -54,7 +54,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-1[CM-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4[CM-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-8[CM-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-10[CM-10], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-11[CM-11] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -64,7 +64,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-1[CP-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-2[CP-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-3[CP-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-4[CP-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-9[CP-9], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CP-10[CP-10] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -74,7 +74,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-1[IA-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(1)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(2)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(3)], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-8[IA-8(4)] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -84,7 +84,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-1[IR-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-2[IR-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-4[IR-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-5[IR-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-6[IR-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-7[IR-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IR-8[IR-8] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -114,7 +114,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-1[PE-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-2[PE-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-3[PE-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-6[PE-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-8[PE-8], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-12[PE-12], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-13[PE-13], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-14[PE-14], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-15[PE-15], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PE-16[PE-16] - |=== + |=== [cols="15%h, 85%a"] |=== 
@@ -135,7 +135,7 @@ discussion: | |Controls |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-1[PS-1], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-2[PS-2], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-3[PS-3], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-4[PS-4], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-5[PS-5], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-6[PS-6], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-7[PS-7], link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=PS-8[PS-8] - |=== + |=== [cols="15%h, 85%a"] |=== @@ -181,9 +181,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/docs/rules/supplemental/supplemental_filevault.yaml b/docs/rules/supplemental/supplemental_filevault.yaml index b8831b7..0a3a440 100644 --- a/docs/rules/supplemental/supplemental_filevault.yaml +++ b/docs/rules/supplemental/supplemental_filevault.yaml 
@@ -5,13 +5,13 @@ discussion: | * sysprefs_filevault_enforce In macOS 11 the internal Apple File System (APFS) data volume can be protected by FileVault. The system volume is always cryptographically protected (T2 and Apple Silicon) and is a read-only volume. - + NOTE: FileVault uses an AES-XTS data encryption algorithm to protect full volumes of internal and external storage. Macs with a secure enclave (T2 and Apple Silicon) utilize the hardware security features of the architecture. FileVault is described in detail here: link:https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web[]. FileVault can be enabled in two ways within the macOS. It can be managed using the fdesetup command or by a Configuration Profile. When enabling FileVault via either of the aforementioned methods, you will be required to enter a username and password, which must be a local Open Directory account with a valid SecureToken password. - + [discrete] ==== Using the fdesetup Command When enabling FileVault via the command line in the Terminal application, you can run the following command. 
@@ -19,15 +19,15 @@ discussion: | ---- /usr/bin/fdesetup enable ---- - Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for `fdesetup`. - - NOTE: Apple has deprecated `fdesetup` command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. + Running this command will prompt you for a username and password and then enable FileVault and return the personal recovery key. There are a number of management features available when managing FileVault via the command line that are not available when using a configuration profile. More information on these management features is available in the man page for `fdesetup`. + + NOTE: Apple has deprecated `fdesetup` command line tool from recognizing user name and password for security reasons and may remove the ability in future versions of macOS. [discrete] ==== Using a Configuration Profile - + When managing FileVault with a configuration profile, you must deploy a profile with the payload type `com.apple.MCX.FileVault2`. When using the Enable key to enable FileVault with a configuration profile, you must include 1 of the following: - + [source,xml] ---- Enable 
@@ -45,21 +45,21 @@ discussion: | If using the Defer key it will prompt for the user name and password at logout. - The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately. + The `UserEntersMissingInfo` key will only work if installed through manual installation, and it will prompt for the username and password immediately. When using a configuration profile, you can escrow the Recovery key to a Mobile Device Management (MDM) server. Documentation for that can be found on Apple's Developer site: link:https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow[]. It's recommended that you use a Personal Recovery key instead of an Institutional key as it will generate a specific key for each device. You can find more guidance on choosing a recover key here: link:https://docs.jamf.com/technical-papers/jamf-pro/administering-filevault-macos/10.7.1/Choosing_a_Recovery_Key.html[]. - NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication. + NOTE: FileVault currently only uses password-based authentication and cannot be done using a smartcard or any other type of multi-factor authentication. check: | fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -70,4 +70,4 @@ macOS: tags: - supplemental mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/supplemental/supplemental_firewall_pf.yaml b/docs/rules/supplemental/supplemental_firewall_pf.yaml index 678c826..6597200 100644 --- a/docs/rules/supplemental/supplemental_firewall_pf.yaml +++ b/docs/rules/supplemental/supplemental_firewall_pf.yaml 
@@ -2,17 +2,17 @@ id: supplemental_firewall_pf title: "Packet Filter (pf) Supplemental" discussion: | The supplemental guidance found in this section is applicable for the following rules: - + * os_firewall_default_deny_require macOS contains an application layer firewall (ALF) and a packet filter (PF) firewall. - + * The ALF can block incoming traffic on a per-application basis and prevent applications from gaining control of network ports, but it cannot be configured to block outgoing traffic. - ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 - - * The PF firewall can manipulate virtually any packet data and is highly configurable. + ** More information on the ALF can be found here: https://support.apple.com/en-ca/HT201642 + + * The PF firewall can manipulate virtually any packet data and is highly configurable. ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html - + Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset. The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`. @@ -106,9 +106,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A diff --git a/docs/rules/supplemental/supplemental_password_policy.yaml b/docs/rules/supplemental/supplemental_password_policy.yaml index a648884..5eeb75c 100644 
--- a/docs/rules/supplemental/supplemental_password_policy.yaml +++ b/docs/rules/supplemental/supplemental_password_policy.yaml @@ -9,21 +9,21 @@ discussion: | * pwpolicy_minimum_lifetime_enforce Password policies should be enforced as much as possible via Configuration Profiles. However, the following policies are currently not enforceable via Configuration Profiles, and must therefore be enabled using the `pwpolicy` command: - + * Enforcing at least 1 lowercase character * Enforcing at least 1 uppercase character * Disabling an account after 35 days of inactivity * Password minimum lifetime To set the local policy to meet these requirements, save the following XML password policy to a file. - + [source,xml] ---- include::../../includes/pwpolicy.xml[] ---- Run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". - + [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file @@ -38,9 +38,9 @@ fix: | references: cci: - N/A - 800-53r5: - - N/A - 800-53r4: + 800-53r5: + - N/A + 800-53r4: - N/A srg: - N/A @@ -51,4 +51,4 @@ macOS: tags: - supplemental mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/supplemental/supplemental_smartcard.yaml b/docs/rules/supplemental/supplemental_smartcard.yaml index 8f97916..f58b4f8 100644 --- a/docs/rules/supplemental/supplemental_smartcard.yaml +++ b/docs/rules/supplemental/supplemental_smartcard.yaml @@ -13,7 +13,7 @@ discussion: | * auth_pam_login_smartcard_enforce macOS supports smartcards, such as U.S. Personal Identity Verification (PIV) cards and U.S. Department of Defense Common Access Cards (CAC). Smartcards can be used on a macOS for the following: - + * Authentication (Loginwindow, Screensaver, SSH, PKINIT, Safari, Finder, and PAM Authorization (`sudo`, `login`, and `su`) ) * Digital Encryption * Digital Signing 
@@ -22,7 +22,7 @@ discussion: | * Keychain Unlock macOS has built-in support for USB CCID class-compliant smartcard readers. - + [discrete] ==== Smartcard Pairing The default method for using smartcards in macOS is a method called "local account pairing". Local account pairing is automatically initiated when a user inserts a smartcard into the Mac. The user is prompted to pair their smartcard with their account. If a user receives a new smartcard, the previous card must be unpaired, and the new card paired to the account. Local account pairing employs fixed key mapping with the hash of a public key on the user's smartcard with a local account. @@ -135,7 +135,7 @@ discussion: | [discrete] ==== Smartcard Enforcement Exemption - + [discrete] ===== Group Exemption @@ -182,7 +182,7 @@ discussion: | * 0 - The system default is respected. * 1 - Smartcard enforcement is enabled. - * 2 - Smartcard enforcement is disabled. + * 2 - Smartcard enforcement is disabled. NOTE: In Active Directory environments, the value of the `userAccountControl` attribute is respected. @@ -203,20 +203,20 @@ discussion: | [discrete] ===== Temporary Exemption - On an Apple Silicon Mac, if a temporary exemption is needed, `security filevault skip-sc-enforcement` will disable smartcard enforcement on next boot only. + On an Apple Silicon Mac, if a temporary exemption is needed, `security filevault skip-sc-enforcement` will disable smartcard enforcement on next boot only. Run the following command to set the temporary exemption when booted from Recovery: [source,bash] ---- /usr/bin/security filevault skip-sc-enforcement set ---- - + To obtain the `data volume UUID` run the following: [source,bash] ---- /usr/sbin/diskutil apfs listGroups | /usr/bin/awk -F: '/ Data/ { getline; gsub(/ /,""); print $2}' ---- - + [discrete] ==== Pluggable Authentication Module (PAM) @@ -269,9 +269,9 @@ fix: | references: cci: - N/A - 800-53r5: + 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A 
@@ -282,4 +282,4 @@ macOS:
 tags:
 - supplemental
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml b/docs/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
index 60a9300..154555f 100644
--- a/docs/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_airplay_receiver_disable.yaml
@@ -1,8 +1,8 @@
 id: sysprefs_airplay_receiver_disable
 title: "Disable Airplay Receiver"
 discussion: |
- Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device.
-
+ Airplay Receiver allows you to send content from another Apple device to be displayed on the screen as it's being played from your other device.
+
 Support for Airplay Receiver is non-essential and _MUST_ be disabled.
 The information system _MUST_ be configured to provide only essential capabilities.
@@ -18,12 +18,12 @@ fix: |
 references:
 cce:
 - CCE-91044-8
- cci:
+ cci:
 - N/A
 800-53r5:
 - CM-7
 - CM-7(1)
- 800-53r4:
+ 800-53r4:
 - N/A
 srg:
 - N/A
@@ -36,7 +36,7 @@ references:
 - 2.4.13 (level 1)
 controls v8:
 - 4.1
- - 4.8
+ - 4.8
 macOS:
 - "12.0"
 tags:
@@ -45,7 +45,7 @@ tags:
 - 800-53r5_high
 - cis_lvl1
 - cis_lvl2
- - cisv8
+ - cisv8
 mobileconfig: true
 mobileconfig_info:
 com.apple.applicationaccess:
diff --git a/docs/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml b/docs/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
index f040376..7a0212c 100644
--- a/docs/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_apple_watch_unlock_disable.yaml
@@ -16,11 +16,11 @@ fix: |
 references:
 cce:
 - CCE-91045-5
- cci:
+ cci:
 - CCI-000056
 800-53r5:
 - AC-11
- 800-53r4:
+ 800-53r4:
 - AC-11
 srg:
 - SRG-OS-000028-GPOS-00009
@@ -31,11 +31,11 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - stig
 severity: "medium"
diff --git a/docs/rules/sysprefs/sysprefs_automatic_login_disable.yaml b/docs/rules/sysprefs/sysprefs_automatic_login_disable.yaml
index aa2bec7..ca3311c 100644
--- a/docs/rules/sysprefs/sysprefs_automatic_login_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_automatic_login_disable.yaml
@@ -39,13 +39,13 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
diff --git a/docs/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml b/docs/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
index 3b313f2..88fd20e 100644
--- a/docs/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
+++ b/docs/rules/sysprefs/sysprefs_automatic_logout_enforce.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_automatic_logout_enforce
 title: "Enforce Auto Logout After 24 Hours of Inactivity"
 discussion: |
-  Auto logout _MUST_ be configured to automatically terminate a user session and log out the after 86400 seconds (24 hours) of inactivity.
+  Auto logout _MUST_ be configured to automatically terminate a user session and log out the after 86400 seconds (24 hours) of inactivity.
 
   NOTE:The maximum that macOS can be configured for autologoff is 86400 seconds (24 hours).
 
@@ -47,5 +47,4 @@ mobileconfig: true
 mobileconfig_info:
   .GlobalPreferences:
     com.apple.autologout.AutoLogOutDelay: 86400
-
 
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_disable.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_disable.yaml
index d5f7c6c..c109ea9 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 
   [IMPORTANT]
   ====
-  Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
+  Information System Security Officers (ISSOs) may make the risk-based decision not to disable Bluetooth, so as to maintain necessary functionality, but they are advised to first fully weigh the potential risks posed to their organization.
   ====
 check: |
   /usr/bin/osascript -l JavaScript << EOS
@@ -19,13 +19,13 @@ fix: |
 references:
   cce:
     - CCE-91048-9
-  cci:
+  cci:
     - CCI-002418
   800-53r5:
     - AC-18
     - SC-8
     - AC-18(3)
-  800-53r4:
+  800-53r4:
     - AC-18(3)
     - SC-8
   srg:
@@ -45,12 +45,12 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
   - cnssi-1253
   - cisv8
   - stig
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml
index ac7c9dd..8ca363c 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml
@@ -14,15 +14,15 @@ fix: |
 references:
   cce:
     - CCE-91124-8
-  cci:
+  cci:
     - N/A
   800-53r5:
     - N/A
-  800-53r4:
+  800-53r4:
     - N/A
   srg:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   800-171r2:
     - N/A
@@ -31,7 +31,7 @@ references:
       - 2.1.2 (level 1)
     controls v8:
       - 4.8
-      - 13.9
+      - 13.9
 macOS:
   - "12.0"
 tags:
@@ -41,4 +41,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
   com.apple.controlcenter:
-    Bluetooth: 18
\ No newline at end of file
+    Bluetooth: 18
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml
index d44426c..0c4046c 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_disable.yaml
@@ -12,15 +12,15 @@ fix: |
 references:
   cce:
     - CCE-91150-3
-  cci:
+  cci:
     - CCI-002418
   800-53r5:
     - N/A
-  800-53r4:
+  800-53r4:
     - SC-8
-  srg:
+  srg:
     - SRG-OS-000481-GPOS-000481
-  disa_stig:
+  disa_stig:
     - APPL-12-002062
   800-171r2:
     - N/A
@@ -32,5 +32,5 @@ severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
-    DisabledPreferencePanes:
+    DisabledPreferencePanes:
       - com.apple.preferences.Bluetooth
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml
index e39d319..03c8de8 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_prefpane_hide.yaml
@@ -12,15 +12,15 @@ fix: |
 references:
   cce:
     - CCE-91125-5
-  cci:
+  cci:
     - CCI-002418
   800-53r5:
     - N/A
-  800-53r4:
+  800-53r4:
     - SC-8
-  srg:
+  srg:
     - SRG-OS-000481-GPOS-000481
-  disa_stig:
+  disa_stig:
     - APPL-12-002062
   800-171r2:
     - N/A
@@ -32,5 +32,5 @@ severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
-    HiddenPreferencePanes:
+    HiddenPreferencePanes:
       - com.apple.preferences.Bluetooth
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
index 8969ca6..0877c34 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_sharing_disable.yaml
@@ -1,11 +1,11 @@
 id: sysprefs_bluetooth_sharing_disable
 title: "Disable Bluetooth Sharing"
 discussion: |
-  Bluetooth Sharing _MUST_ be disabled.
+  Bluetooth Sharing _MUST_ be disabled.
 
-  Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated.
-
-  [NOTE]
+  Bluetooth Sharing allows users to wirelessly transmit files between the macOS and Bluetooth-enabled devices, including personally owned cellphones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files via Bluetooth Sharing. When Bluetooth Sharing is disabled, this risk is mitigated.
+
+  [NOTE]
   ====
   The check and fix are for the currently logged in user. To get the currently logged in user, run the following.
   [source,bash]
@@ -25,14 +25,14 @@ fix: |
 references:
   cce:
     - CCE-91049-7
-  cci:
+  cci:
     - N/A
   800-53r5:
     - AC-3
     - AC-18(4)
     - CM-7
     - CM-7(1)
-  800-53r4:
+  800-53r4:
     - AC-3
     - AC-18(4)
     - CM-7
@@ -69,4 +69,3 @@ tags:
   - cisv8
 mobileconfig: false
 mobileconfig_info:
-
diff --git a/docs/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml b/docs/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml
index 506437d..96a6294 100644
--- a/docs/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_bluetooth_unpaired_disable.yaml
@@ -1,10 +1,10 @@
 id: sysprefs_bluetooth_unpaired_disable
 title: "Disable Bluetooth When No Devices are Paired"
 discussion: |
-  Bluetooth _MUST_ be disabled when no devices are paired.
+  Bluetooth _MUST_ be disabled when no devices are paired.
 check: |
   isPaired=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'Connected: Yes')
-  if [[ "$isPaired" = "0" ]]; then
+  if [[ "$isPaired" = "0" ]]; then
     powerState=$(/usr/sbin/system_profiler SPBluetoothDataType 2>/dev/null | /usr/bin/grep -c 'State: On')
     /bin/echo "$powerState"
   else
@@ -21,18 +21,18 @@ fix: |
 references:
   cce:
     - CCE-91126-3
-  cci:
+  cci:
     - N/A
   800-53r5:
     - AC-18
     - SC-8
     - AC-18(3)
-  800-53r4:
+  800-53r4:
     - AC-18(3)
     - SC-8
   srg:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   800-171r2:
     - N/A
@@ -50,4 +50,4 @@ tags:
   - cis_lvl2
   - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml b/docs/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml
index e71c4a7..722b914 100644
--- a/docs/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_cd_dvd_sharing_disable.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_cd_dvd_sharing_disable
 title: "Disable CD/DVD Sharing"
 discussion: |
-  CD/DVD Sharing _MUST_ be disabled.
+  CD/DVD Sharing _MUST_ be disabled.
 check: |
   /usr/bin/pgrep -q ODSAgent; /bin/echo $?
 result:
@@ -14,22 +14,22 @@ fix: |
 references:
   cce:
     - CCE-91127-1
-  cci:
+  cci:
     - N/A
   800-53r5:
     - CM-7
     - CM-7(1)
-  800-53r4:
+  800-53r4:
     - CM-7
     - CM-7(1)
   srg:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   800-171r2:
     - N/A
   cis:
-    benchmark:
+    benchmark:
       - 2.4.6 (level 1)
     controls v8:
       - 4.1
@@ -49,4 +49,3 @@ tags:
   - cisv8
 mobileconfig: false
 mobileconfig_info:
-
diff --git a/docs/rules/sysprefs/sysprefs_content_caching_disable.yaml b/docs/rules/sysprefs/sysprefs_content_caching_disable.yaml
index f3913dd..5f067f7 100644
--- a/docs/rules/sysprefs/sysprefs_content_caching_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_content_caching_disable.yaml
@@ -1,9 +1,9 @@
 id: sysprefs_content_caching_disable
 title: "Disable Content Caching Service"
 discussion: |
-  Content caching _MUST_ be disabled.
+  Content caching _MUST_ be disabled.
 
-  Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
+  Content caching is a macOS service that helps reduce Internet data usage and speed up software installation on Mac computers. It is not recommended for devices furnished to employees to act as a caching server.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -16,7 +16,7 @@ fix: |
 references:
   cce:
     - CCE-91050-5
-  cci:
+  cci:
     - N/A
   800-53r5:
     - CM-7
@@ -52,4 +52,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
   com.apple.applicationaccess:
-    allowContentCaching: false
\ No newline at end of file
+    allowContentCaching: false
diff --git a/docs/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml b/docs/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
index c9503df..5dc0953 100644
--- a/docs/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
+++ b/docs/rules/sysprefs/sysprefs_critical_update_install_enforce.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_critical_update_install_enforce
 title: "Enforce Critical Security Updates to be Installed"
 discussion: |
-  Ensure that security updates are installed as soon as they are available from Apple.
+  Ensure that security updates are installed as soon as they are available from Apple.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
@@ -14,11 +14,11 @@ fix: |
 references:
   cce:
     - CCE-91051-3
-  cci:
+  cci:
     - N/A
   800-53r5:
     - SI-2
-  800-53r4:
+  800-53r4:
     - N/A
   srg:
     - N/A
diff --git a/docs/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml b/docs/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
index 0d7df0f..903294f 100644
--- a/docs/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_diagnostics_reports_disable.yaml
@@ -2,8 +2,8 @@ id: sysprefs_diagnostics_reports_disable
 title: "Disable Sending Diagnostic and Usage Data to Apple"
 discussion: |
   The ability to submit diagnostic data to Apple _MUST_ be disabled.
-
-  The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
+
+  The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of diagnostic and usage information will mitigate the risk of unwanted data being sent to Apple.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   function run() {
@@ -25,13 +25,13 @@ fix: |
 references:
   cce:
     - CCE-91052-1
-  cci:
+  cci:
     - CCI-000382
   800-53r5:
     - SI-11
     - AC-20
     - SC-7(10)
-  800-53r4:
+  800-53r4:
     - AC-20
     - SI-11
   srg:
@@ -41,21 +41,21 @@ references:
   800-171r2:
     - 3.1.20
   cis:
-    benchmark:
+    benchmark:
       - 2.5.5 (level 2)
-    controls v8:
+    controls v8:
       - 4.1
       - 4.8
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
   - cnssi-1253
   - cis_lvl2
   - cisv8
diff --git a/docs/rules/sysprefs/sysprefs_filevault_enforce.yaml b/docs/rules/sysprefs/sysprefs_filevault_enforce.yaml
index cb55a38..a29a656 100644
--- a/docs/rules/sysprefs/sysprefs_filevault_enforce.yaml
+++ b/docs/rules/sysprefs/sysprefs_filevault_enforce.yaml
@@ -13,14 +13,14 @@ fix: |
 references:
   cce:
     - CCE-91053-9
-  cci:
+  cci:
     - CCI-001199
     - CCI-002475
     - CCI-002476
   800-53r5:
     - SC-28
     - SC-28(1)
-  800-53r4:
+  800-53r4:
     - SC-28
     - SC-28(1)
   srg:
@@ -32,19 +32,19 @@ references:
   800-171r2:
     - 3.13.16
   cis:
-    benchmark:
+    benchmark:
       - 2.5.5.1 (level 1)
-    controls v8:
+    controls v8:
       - 3.6
       - 3.11
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
@@ -52,4 +52,4 @@ tags:
   - stig
 severity: "medium"
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_find_my_disable.yaml b/docs/rules/sysprefs/sysprefs_find_my_disable.yaml
index bdce3e9..ed96508 100644
--- a/docs/rules/sysprefs/sysprefs_find_my_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_find_my_disable.yaml
@@ -4,7 +4,7 @@ discussion: |
   The Find My service _MUST_ be disabled.
 
   A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service.
-
+
   Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
@@ -29,13 +29,13 @@ fix: |
 references:
   cce:
     - CCE-91054-7
-  cci:
+  cci:
     - N/A
   800-53r5:
     - AC-20
     - CM-7
     - CM-7(1)
-  800-53r4:
+  800-53r4:
     - CM-7
     - CM-7(1)
     - AC-20
@@ -72,4 +72,4 @@ mobileconfig_info:
     allowFindMyFriends: false
   com.apple.icloud.managed:
     DisableFMMiCloudSetting: true
-
+
diff --git a/docs/rules/sysprefs/sysprefs_firewall_enable.yaml b/docs/rules/sysprefs/sysprefs_firewall_enable.yaml
index ebc10a9..20f261d 100644
--- a/docs/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/docs/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_firewall_enable
 title: "Enable macOS Application Firewall"
 discussion: |
-  The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled.
+  The macOS Application Firewall is the built-in firewall that comes with macOS, and it _MUST_ be enabled.
 
   When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
@@ -16,7 +16,7 @@ fix: |
 references:
   cce:
     - CCE-91055-4
-  cci:
+  cci:
     - CCI-000366
   800-53r5:
     - AC-4
@@ -24,7 +24,7 @@ references:
     - CM-7
     - CM-7(1)
     - SC-7
-  800-53r4:
+  800-53r4:
     - AC-4
     - AC-6(1)
     - AC-19
@@ -45,22 +45,22 @@ references:
     - 3.13.2
     - 3.13.5
   cis:
-    benchmark:
+    benchmark:
       - 2.5.2.2 (level 1)
-    controls v8:
+    controls v8:
       - 4.1
       - 4.5
       - 13.1
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
@@ -70,4 +70,4 @@ severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.security.firewall:
-    EnableFirewall: true
\ No newline at end of file
+    EnableFirewall: true
diff --git a/docs/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/docs/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
index f737d74..854e292 100644
--- a/docs/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/docs/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -1,10 +1,10 @@
 id: sysprefs_firewall_stealth_mode_enable
 title: "Enable Firewall Stealth Mode"
 discussion: |
-  Firewall Stealth Mode _MUST_ be enabled.
+  Firewall Stealth Mode _MUST_ be enabled.
 
   When stealth mode is enabled, the Mac will not respond to any probing requests, and only requests from authorized applications will still be authorized.
-
+
   [IMPORTANT]
   ====
   Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
@@ -41,22 +41,22 @@ references:
     - 3.13.2
     - 3.13.5
   cis:
-    benchmark:
+    benchmark:
       - 2.5.2.3 (level 1)
-    controls v8:
+    controls v8:
       - 4.1
       - 4.5
       - 4.8
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
diff --git a/docs/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml b/docs/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
index 1a82d75..5dd3145 100644
--- a/docs/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
+++ b/docs/rules/sysprefs/sysprefs_gatekeeper_identified_developers_allowed.yaml
@@ -2,11 +2,11 @@ id: sysprefs_gatekeeper_identified_developers_allowed
 title: "Apply Gatekeeper Settings to Block Applications from Unidentified Developers"
 discussion: |
   The information system implements cryptographic mechanisms to authenticate software prior to installation.
-
+
   Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID code. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS to verify that the application has not been modified by a malicious third party.
 check: |
   /usr/sbin/spctl --status --verbose | /usr/bin/grep -c "developer id enabled"
-result:
+result:
   integer: 1
 fix: |
   [source,bash]
@@ -23,7 +23,7 @@ references:
     - CM-5
     - SI-7(15)
     - SI-7(1)
-  800-53r4:
+  800-53r4:
     - CM-5(3)
     - CM-5
     - SI-7(15)
@@ -36,12 +36,12 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - stig
 severity: "medium"
@@ -49,4 +49,4 @@ mobileconfig: true
 mobileconfig_info:
   com.apple.systempolicy.control:
     AllowIdentifiedDevelopers: true
-    EnableAssessment: true
\ No newline at end of file
+    EnableAssessment: true
diff --git a/docs/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml b/docs/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
index df59b86..276613c 100644
--- a/docs/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
+++ b/docs/rules/sysprefs/sysprefs_gatekeeper_override_disallow.yaml
@@ -1,9 +1,9 @@
 id: sysprefs_gatekeeper_override_disallow
 title: "Configure Gatekeeper to Disallow End User Override"
 discussion: |
-  Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings.
+  Gatekeeper _MUST_ be configured with a configuration profile to prevent normal users from overriding its settings.
 
-  If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system.
+  If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.systempolicy.managed')\
@@ -16,12 +16,12 @@ fix: |
 references:
   cce:
     - CCE-91058-8
-  cci:
+  cci:
     - CCI-000366
   800-53r5:
     - CM-5
     - SI-7(15)
-  800-53r4:
+  800-53r4:
     - CM-5
     - SI-7(15)
   srg:
@@ -33,16 +33,16 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
 severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.systempolicy.managed:
     DisableOverride: true
-
+
diff --git a/docs/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml b/docs/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
index 59dcf61..0231b05 100644
--- a/docs/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_guest_access_smb_disable.yaml
@@ -1,8 +1,8 @@
 id: sysprefs_guest_access_smb_disable
 title: "Disable Guest Access to Shared SMB Folders"
 discussion: |
-  Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled.
-
+  Guest access to shared Server Message Block (SMB) folders _MUST_ be disabled.
+
   Turning off guest access prevents anonymous users from accessing files shared via SMB.
 check: |
   /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
@@ -26,15 +26,15 @@ references:
     - N/A
   srg:
     - N/A
-  cci:
-    - N/A
+  cci:
+    - N/A
   800-171r2:
     - 3.5.1
     - 3.5.2
   cis:
-    benchmark:
+    benchmark:
       - 6.1.4 (level 1)
-    controls v8:
+    controls v8:
       - 5.2
       - 6.2
       - 6.8
@@ -53,4 +53,4 @@ tags:
   - cis_lvl2
   - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_guest_account_disable.yaml b/docs/rules/sysprefs/sysprefs_guest_account_disable.yaml
index f5a93b6..d187db0 100644
--- a/docs/rules/sysprefs/sysprefs_guest_account_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_guest_account_disable.yaml
@@ -1,8 +1,8 @@
 id: sysprefs_guest_account_disable
 title: "Disable the Guest Account"
 discussion: |
-  Guest access _MUST_ be disabled.
-
+  Guest access _MUST_ be disabled.
+
   Turning off guest access prevents anonymous users from accessing files.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
@@ -32,22 +32,22 @@ references:
     - 3.5.1
     - 3.5.2
   cis:
-    benchmark:
+    benchmark:
       - 6.1.3 (level 1)
-    controls v8:
+    controls v8:
       - 5.2
       - 5.3
       - 6.8
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
@@ -57,4 +57,4 @@ severity: "high"
 mobileconfig: true
 mobileconfig_info:
   com.apple.MCX:
-    DisableGuestAccount: true
\ No newline at end of file
+    DisableGuestAccount: true
diff --git a/docs/rules/sysprefs/sysprefs_hot_corners_disable.yaml b/docs/rules/sysprefs/sysprefs_hot_corners_disable.yaml
index 7eb56e4..e90b64f 100644
--- a/docs/rules/sysprefs/sysprefs_hot_corners_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_hot_corners_disable.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_hot_corners_disable
 title: "Disable Hot Corners"
 discussion: |
-  Hot corners _MUST_ be disabled.
+  Hot corners _MUST_ be disabled.
 
   The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
 check: |
@@ -13,11 +13,11 @@ fix: |
 references:
   cce:
     - CCE-91061-2
-  cci:
+  cci:
     - CCI-000060
   800-53r5:
     - AC-11(1)
-  800-53r4:
+  800-53r4:
     - AC-11(1)
   srg:
     - SRG-OS-000031-GPOS-00012
@@ -28,11 +28,11 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-171
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
   - cnssi-1253
   - stig
 severity: "medium"
diff --git a/docs/rules/sysprefs/sysprefs_hot_corners_secure.yaml b/docs/rules/sysprefs/sysprefs_hot_corners_secure.yaml
index 9b59533..16ab999 100644
--- a/docs/rules/sysprefs/sysprefs_hot_corners_secure.yaml
+++ b/docs/rules/sysprefs/sysprefs_hot_corners_secure.yaml
@@ -1,7 +1,7 @@
 id: sysprefs_hot_corners_secure
 title: "Secure Hot Corners"
 discussion: |
-  Hot corners _MUST_ be secured.
+  Hot corners _MUST_ be secured.
 
   The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot comers can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
 check: |
@@ -26,15 +26,15 @@ fix: |
 references:
   cce:
     - CCE-91128-9
-  cci:
+  cci:
     - N/A
   800-53r5:
     - AC-11(1)
-  800-53r4:
+  800-53r4:
     - AC-11(1)
   srg:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   800-171r2:
     - N/A
@@ -49,4 +49,4 @@ tags:
   - cis_lvl2
   - cisv8
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml b/docs/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
index 286e095..f779104 100644
--- a/docs/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_improve_siri_dictation_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Sending Siri and Dictation Information to Apple"
 discussion: |
   The ability for Apple to store and review audio of your Siri and Dictation interactions _MUST_ be disabled.
 
-  The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
+  The information system _MUST_ be configured to provide only essential capabilities. Disabling the submission of Siri and Dictation information will mitigate the risk of unwanted data being sent to Apple.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.assistant.support')\
@@ -23,7 +23,7 @@ references:
     - CM-7
     - CM-7(1)
     - SC-7(10)
-  800-53r4:
+  800-53r4:
     - CM-7
     - CM-7(1)
     - AC-20
@@ -52,4 +52,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
   com.apple.assistant.support:
-    "Siri Data Sharing Opt-In Status": 2
\ No newline at end of file
+    "Siri Data Sharing Opt-In Status": 2
diff --git a/docs/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/docs/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml
index a5bf902..5241b00 100644
--- a/docs/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml
+++ b/docs/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml
@@ -14,7 +14,7 @@ fix: |
 references:
   cce:
     - CCE-91129-7
-  cci:
+  cci:
     - N/A
   800-53r5:
     - N/A
@@ -27,9 +27,9 @@ references:
   800-171r2:
     - N/A
   cis:
-    benchmark:
+    benchmark:
       - 1.6 (level 1)
-    controls v8:
+    controls v8:
       - 7.3
       - 7.4
 macOS:
diff --git a/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml b/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml
index a71efe3..d1d07a1 100644
--- a/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_disable.yaml
@@ -8,7 +8,7 @@ discussion: |
   Some organizations may allow the use and configuration of the built-in Mail.app, Calendar.app, and Contacts.app for organizational communication. Information System Security Officers (ISSOs) may make the risk-based decision not to disable the Internet Accounts System Preference pane to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
   ====
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.internetaccounts' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
 result:
   integer: 1
 fix: |
@@ -16,13 +16,13 @@ fix: |
 references:
   cce:
     - CCE-90938-2
-  cci:
+  cci:
     - CCI-001774
     - CCI-000381
   800-53r5:
     - CM-7(5)
     - AC-20
-  800-53r4:
+  800-53r4:
     - AC-20
     - CM-7(5)
   srg:
@@ -41,13 +41,13 @@ references:
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
   - cnssi-1253
   - cisv8
   - stig
@@ -55,5 +55,5 @@ severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
-    DisabledPreferencePanes:
+    DisabledPreferencePanes:
       - com.apple.preferences.internetaccounts
diff --git a/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml b/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml
index 0086cb5..1030c6a 100644
--- a/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml
+++ b/docs/rules/sysprefs/sysprefs_internet_accounts_prefpane_hide.yaml
@@ -16,19 +16,19 @@ fix: |
 references:
   cce:
     - CCE-91130-5
-  cci:
+  cci:
     - CCI-001774
     - CCI-000381
   800-53r5:
     - CM-7(5)
     - AC-20
-  800-53r4:
+  800-53r4:
     - AC-20
     - CM-7(5)
-  srg:
+  srg:
     - SRG-OS-000095-GPOS-00049
     - SRG-OS-000370-GPOS-00155
-  disa_stig:
+  disa_stig:
     - APPL-12-002032
   800-171r2:
     - 3.1.20
@@ -40,5 +40,5 @@ severity: "medium"
 mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
-    HiddenPreferencePanes:
+    HiddenPreferencePanes:
       - com.apple.preferences.internetaccounts
diff --git a/docs/rules/sysprefs/sysprefs_internet_sharing_disable.yaml b/docs/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
index d45097d..d9ba7fa 100644
--- a/docs/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_internet_sharing_disable.yaml
@@ -16,12 +16,12 @@ fix: |
 references:
   cce:
     - CCE-91063-8
-  cci:
+  cci:
     - CCI-000381
   800-53r5:
     - AC-4
     - AC-20
-  800-53r4:
+  800-53r4:
     - AC-4
     - AC-20
   srg:
@@ -32,21 +32,21 @@ references:
     - 3.1.3
     - 3.1.20
   cis:
-    benchmark:
+    benchmark:
       - 2.4.2 (level 1)
-    controls v8:
+    controls v8:
       - 4.1
       - 4.8
 macOS:
   - "12.0"
 tags:
-  - 800-53r5_low
-  - 800-53r4_low
-  - 800-53r4_moderate
-  - 800-53r4_high
-  - 800-53r5_moderate
-  - 800-53r5_high
-  - 800-171
+  - 800-53r5_low
+  - 800-53r4_low
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-171
   - cnssi-1253
   - cis_lvl1
   - cis_lvl2
diff --git a/docs/rules/sysprefs/sysprefs_location_services_audit.yaml b/docs/rules/sysprefs/sysprefs_location_services_audit.yaml
index 603a6b3..0849f58 100644
--- a/docs/rules/sysprefs/sysprefs_location_services_audit.yaml
+++ b/docs/rules/sysprefs/sysprefs_location_services_audit.yaml
@@ -3,28 +3,28 @@ title: "Audit Location Services"
 discussion: |
   The organization _MUST_ audit which applications have access to location services.
 check: |
-  sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }'
-result:
+  sudo /usr/libexec/PlistBuddy -c print /var/db/locationd/clients.plist | grep Dict | awk '(NR>1) { print $1 }'
+result:
   string: "a list containing approved applications."
 fix: |
   Review the list of applications and remove any unauthorized applications from System Prefrences->Security & Privacy->Privacy->Location Services.
 references:
   cce:
     - CCE-91131-3
-  cci:
+  cci:
     - N/A
   800-53r5:
     - N/A
-  800-53r4:
+  800-53r4:
     - N/A
-  disa_stig:
+  disa_stig:
     - N/A
   srg:
     - N/A
   cis:
     benchmark:
       - 2.5.4 (level 2)
-    controls v8:
+    controls v8:
       - 2.3
       - 4.1
 macOS:
@@ -35,4 +35,4 @@ tags:
   - cis_manual
   - manual
 mobileconfig: false
-mobileconfig_info:
\ No newline at end of file
+mobileconfig_info:
diff --git a/docs/rules/sysprefs/sysprefs_location_services_disable.yaml b/docs/rules/sysprefs/sysprefs_location_services_disable.yaml
index 8a274ae..73c9080 100644
--- a/docs/rules/sysprefs/sysprefs_location_services_disable.yaml
+++ b/docs/rules/sysprefs/sysprefs_location_services_disable.yaml
@@ -1,8 +1,8 @@ id: sysprefs_location_services_disable title: "Disable Location Services" discussion: | - Location Services _MUST_ be disabled. - + Location Services _MUST_ be disabled. + The information system _MUST_ be configured to provide only essential capabilities. Disabling Location Services helps prevent the unauthorized connection of devices, unauthorized transfer of information, and unauthorized tunneling. check: | /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled @@ -16,13 +16,13 @@ fix: | references: cce: - CCE-91064-6 - cci: + cci: - CCI-000381 800-53r5: - CM-7 - CM-7(1) - - SC-7(10) - 800-53r4: + - SC-7(10) + 800-53r4: - CM-7 - CM-7(1) srg: @@ -34,13 +34,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "medium" diff --git a/docs/rules/sysprefs/sysprefs_location_services_enable.yaml b/docs/rules/sysprefs/sysprefs_location_services_enable.yaml index f99d893..c58c1c6 100644 --- a/docs/rules/sysprefs/sysprefs_location_services_enable.yaml +++ b/docs/rules/sysprefs/sysprefs_location_services_enable.yaml @@ -1,7 +1,7 @@ id: sysprefs_location_services_enable title: "Enable Location Services" discussion: | - Location Services _MUST_ be enabled. + Location Services _MUST_ be enabled. check: | /usr/bin/defaults read /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.plist LocationServicesEnabled result: @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-91132-1 - cci: + cci: - N/A 800-53r5: - - N/A - 800-53r4: + - N/A + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.5.3 (level 2) - controls v8: + controls v8: - 4.1 - 4.8 macOS: 
diff --git a/docs/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/docs/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml index 338d038..470e4a6 100644 --- a/docs/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml +++ b/docs/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml @@ -1,7 +1,7 @@ id: sysprefs_loginwindow_loginwindowtext_enable title: "Configure Login Window to Show A Custom Message" discussion: | - The login window _MUST_ be configured to show a custom access warning message. + The login window _MUST_ be configured to show a custom access warning message. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ @@ -14,20 +14,20 @@ fix: | references: cce: - CCE-91133-9 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 6.1.1 (level 1) macOS: - "12.0" diff --git a/docs/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml b/docs/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml index a71e9cd..a953045 100644 --- a/docs/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_loginwindow_prompt_username_password_enforce.yaml 
@@ -1,26 +1,26 @@ id: sysprefs_loginwindow_prompt_username_password_enforce title: "Configure Login Window to Prompt for Username and Password" discussion: | - The login window _MUST_ be configured to prompt all users for both a username and a password. + The login window _MUST_ be configured to prompt all users for both a username and a password. - By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. + By default, the system displays a list of known users on the login window, which can make it easier for a malicious user to gain access to someone else's account. Requiring users to type in both their username and password mitigates the risk of unauthorized users gaining access to the information system. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ .objectForKey('SHOWFULLNAME').js EOS -result: +result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-91065-3 - cci: + cci: - CCI-000366 800-53r5: - IA-2 - 800-53r4: + 800-53r4: - IA-2 srg: - SRG-OS-000480-GPOS-00229 @@ -30,9 +30,9 @@ references: - 3.5.1 - 3.5.2 cis: - benchmark: + benchmark: - 6.1.1 (level 1) - controls v8: + controls v8: - 4.1 macOS: - "12.0" @@ -49,7 +49,7 @@ tags: - cis_lvl2 - cisv8 - stig -severity: "low" +severity: "low" mobileconfig: true mobileconfig_info: com.apple.loginwindow: diff --git a/docs/rules/sysprefs/sysprefs_media_sharing_disabled.yaml b/docs/rules/sysprefs/sysprefs_media_sharing_disabled.yaml index d5b9d2b..0548d05 100644 --- a/docs/rules/sysprefs/sysprefs_media_sharing_disabled.yaml +++ b/docs/rules/sysprefs/sysprefs_media_sharing_disabled.yaml 
@@ -3,7 +3,7 @@ title: "Disable Media Sharing" discussion: | Media sharing _MUST_ be disabled. - When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. + When Media Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. The information system _MUST_ be configured to provide only essential capabilities. Disabling Media Sharing helps prevent the unauthorized connection of devices and the unauthorized transfer of information. Disabling Media Sharing mitigates this risk. diff --git a/docs/rules/sysprefs/sysprefs_password_hints_disable.yaml b/docs/rules/sysprefs/sysprefs_password_hints_disable.yaml index e4aa092..ca3590a 100644 --- a/docs/rules/sysprefs/sysprefs_password_hints_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_password_hints_disable.yaml @@ -2,8 +2,8 @@ id: sysprefs_password_hints_disable title: "Disable Password Hints" discussion: | Password hints _MUST_ be disabled. - - Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. + + Password hints leak information about passwords that are currently in use and can lead to loss of confidentiality. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\ @@ -36,13 +36,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 diff --git a/docs/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml b/docs/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml index 84d7f1d..e5f9076 100644 
--- a/docs/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_personalized_advertising_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Personalized Advertising" discussion: | Ad tracking and targeted ads _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. + The information system _MUST_ be configured to provide only essential capabilities. Disabling ad tracking ensures that applications and advertisers are unable to track users' interests and deliver targeted advertisements. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.AdLib')\ @@ -16,14 +16,14 @@ fix: | references: cce: - CCE-91068-7 - cci: + cci: - N/A 800-53r5: - AC-20 - CM-7 - CM-7(1) - - SC-7(10) - 800-53r4: + - SC-7(10) + 800-53r4: - AC-20 - CM-7 - CM-7(1) diff --git a/docs/rules/sysprefs/sysprefs_power_nap_disable.yaml b/docs/rules/sysprefs/sysprefs_power_nap_disable.yaml index 6018ed0..13f3343 100644 --- a/docs/rules/sysprefs/sysprefs_power_nap_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_power_nap_disable.yaml @@ -3,7 +3,7 @@ title: "Disable Power Nap" discussion: | Power Nap _MUST_ be disabled. - Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices to stop functioning until a reboot and must therefore be disabled on all applicable systems. + Power Nap allows your Mac to perform actions while a Mac is asleep. This can interfere with USB power and may cause devices to stop functioning until a reboot and must therefore be disabled on all applicable systems. The following Macs support Power Nap: @@ -36,7 +36,7 @@ references: srg: - N/A cci: - - N/A + - N/A 800-171r2: - 3.4.6 cis: 
@@ -60,4 +60,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_printer_sharing_disable.yaml b/docs/rules/sysprefs/sysprefs_printer_sharing_disable.yaml index 9e10c09..291180f 100644 --- a/docs/rules/sysprefs/sysprefs_printer_sharing_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_printer_sharing_disable.yaml @@ -1,7 +1,7 @@ id: sysprefs_printer_sharing_disable title: "Disable Printer Sharing" discussion: | - Printer Sharing _MUST_ be disabled. + Printer Sharing _MUST_ be disabled. check: | /usr/sbin/cupsctl | /usr/bin/grep -c "_share_printers=0" result: @@ -15,22 +15,22 @@ fix: | references: cce: - CCE-91134-7 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.4.4 (level 1) controls v8: - 4.1 @@ -49,4 +49,3 @@ tags: - cisv8 mobileconfig: false mobileconfig_info: - diff --git a/docs/rules/sysprefs/sysprefs_rae_disable.yaml b/docs/rules/sysprefs/sysprefs_rae_disable.yaml index 0387805..1cea90e 100644 --- a/docs/rules/sysprefs/sysprefs_rae_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_rae_disable.yaml 
@@ -3,7 +3,7 @@ title: "Disable Remote Apple Events" discussion: | If the system does not require Remote Apple Events, support for Apple Remote Events is non-essential and _MUST_ be disabled. - The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. + The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => true' result: @@ -18,12 +18,12 @@ fix: | references: cce: - CCE-91070-3 - cci: + cci: - CCI-000382 800-53r5: - AC-3 - AC-17 - 800-53r4: + 800-53r4: - AC-3 srg: - SRG-OS-000096-GPOS-00050 @@ -41,13 +41,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -55,4 +55,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_remote_management_disable.yaml b/docs/rules/sysprefs/sysprefs_remote_management_disable.yaml index c99c944..9e17650 100644 --- a/docs/rules/sysprefs/sysprefs_remote_management_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_remote_management_disable.yaml 
@@ -1,7 +1,7 @@ id: sysprefs_remote_management_disable title: "Disable Remote Management" discussion: | - Remote Management _MUST_ be disabled. + Remote Management _MUST_ be disabled. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "RemoteDesktopEnabled = 0" result: @@ -14,22 +14,22 @@ fix: | references: cce: - CCE-91135-4 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - 800-53r4: + 800-53r4: - CM-7 - CM-7(1) srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.4.3 (level 1) controls v8: - 4.1 @@ -48,4 +48,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_screen_sharing_disable.yaml b/docs/rules/sysprefs/sysprefs_screen_sharing_disable.yaml index 5fbe077..8b2bb29 100644 --- a/docs/rules/sysprefs/sysprefs_screen_sharing_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_screen_sharing_disable.yaml @@ -2,7 +2,7 @@ id: sysprefs_screen_sharing_disable title: "Disable Screen Sharing and Apple Remote Desktop" discussion: | Support for both Screen Sharing and Apple Remote Desktop (ARD) is non-essential and _MUST_ be disabled. - + The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => true' @@ -17,7 +17,7 @@ fix: | references: cce: - CCE-91071-1 - cci: + cci: - CCI-000366 800-53r5: - AC-3 @@ -41,13 +41,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 
@@ -55,4 +55,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/docs/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index 45a83fe..68f4154 100644 --- a/docs/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml @@ -1,9 +1,9 @@ id: sysprefs_screensaver_ask_for_password_delay_enforce title: "Enforce Session Lock After Screen Saver is Started" discussion: | - A screen saver _MUST_ be enabled and the system _MUST_ be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds. - - An unattended system with an excessive grace period is vulnerable to a malicious user. + A screen saver _MUST_ be enabled and the system _MUST_ be configured to require a password to unlock once the screensaver has been on for a maximum of five seconds. + + An unattended system with an excessive grace period is vulnerable to a malicious user. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ @@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91072-9 - cci: + cci: - CCI-000056 800-53r5: - AC-11 - 800-53r4: + 800-53r4: - AC-11 srg: - SRG-OS-000028-GPOS-00009 @@ -36,11 +36,11 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -50,4 +50,4 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - askForPasswordDelay: 5 \ No newline at end of file + askForPasswordDelay: 5 
diff --git a/docs/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml b/docs/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml index 5188d2e..d517e01 100644 --- a/docs/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_screensaver_password_enforce.yaml @@ -1,8 +1,8 @@ id: sysprefs_screensaver_password_enforce title: "Enforce Screen Saver Password" discussion: | - Users _MUST_ authenticate when unlocking the screen saver. - + Users _MUST_ authenticate when unlocking the screen saver. + The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. check: | /usr/bin/osascript -l JavaScript << EOS @@ -16,11 +16,11 @@ fix: | references: cce: - CCE-91073-7 - cci: + cci: - CCI-000056 800-53r5: - AC-11 - 800-53r4: + 800-53r4: - AC-11 srg: - SRG-OS-000028-GPOS-00009 @@ -31,15 +31,15 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "medium" mobileconfig: true mobileconfig_info: com.apple.screensaver: - askForPassword: true \ No newline at end of file + askForPassword: true diff --git a/docs/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/docs/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index a7186c0..9d451e8 100644 --- a/docs/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml 
@@ -1,8 +1,8 @@ id: sysprefs_screensaver_timeout_enforce title: "Enforce Screen Saver Timeout" discussion: | - The screen saver timeout _MUST_ be set to 20 minutes or a shorter length of time. - + The screen saver timeout _MUST_ be set to 20 minutes or a shorter length of time. + This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity. check: | /usr/bin/osascript -l JavaScript << EOS @@ -16,12 +16,12 @@ fix: | references: cce: - CCE-91074-5 - cci: + cci: - CCI-000057 800-53r5: - AC-11 - IA-11 - 800-53r4: + 800-53r4: - AC-11 srg: - SRG-OS-000029-GPOS-00010 @@ -37,12 +37,12 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r5_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r5_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 diff --git a/docs/rules/sysprefs/sysprefs_siri_disable.yaml b/docs/rules/sysprefs/sysprefs_siri_disable.yaml index c94dd98..125aafd 100644 --- a/docs/rules/sysprefs/sysprefs_siri_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_siri_disable.yaml @@ -16,15 +16,15 @@ fix: | references: cce: - CCE-91075-2 - cci: + cci: - CCI-000381 - CCI-001774 800-53r5: - AC-20 - CM-7 - CM-7(1) - - SC-7(10) - 800-53r4: + - SC-7(10) + 800-53r4: - CM-7 - CM-7(1) - AC-20 @@ -45,13 +45,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cisv8 - stig diff --git a/docs/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/docs/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 8a53aac..c632d92 100644 --- a/docs/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml 
@@ -3,9 +3,9 @@ title: "Disable the System Preference Pane for Siri" discussion: | The system preference pane for Siri _MUST_ be disabled. - Disabling the system preference pane prevents the users from configuring Siri. + Disabling the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91136-2 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002053 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - DisabledPreferencePanes: + DisabledPreferencePanes: - com.apple.preferences.speech diff --git a/docs/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/docs/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 791929f..35703dc 100644 --- a/docs/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/docs/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -3,9 +3,9 @@ title: "Hide the System Preference Pane for Siri" discussion: | The system preference pane for Siri _MUST_ be hidden. - HIding the system preference pane prevents the users from configuring Siri. + HIding the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | 
@@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91137-0 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002053 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - HiddenPreferencePanes: + HiddenPreferencePanes: - com.apple.preferences.speech diff --git a/docs/rules/sysprefs/sysprefs_smbd_disable.yaml b/docs/rules/sysprefs/sysprefs_smbd_disable.yaml index acc271b..930e293 100644 --- a/docs/rules/sysprefs/sysprefs_smbd_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_smbd_disable.yaml @@ -17,7 +17,7 @@ fix: | references: cce: - CCE-91076-0 - cci: + cci: - CCI-000381 800-53r5: - AC-3 @@ -40,13 +40,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -54,4 +54,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/docs/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml index 88c4b3d..daf1b16 100644 --- a/docs/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91138-8 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/docs/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/docs/rules/sysprefs/sysprefs_software_update_download_enforce.yaml index a550000..e023de5 100644 --- a/docs/rules/sysprefs/sysprefs_software_update_download_enforce.yaml 
+++ b/docs/rules/sysprefs/sysprefs_software_update_download_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91139-6 - cci: + cci: - N/A 800-53r5: - N/A diff --git a/docs/rules/sysprefs/sysprefs_software_update_enforce.yaml b/docs/rules/sysprefs/sysprefs_software_update_enforce.yaml index 21544a9..d1399fa 100644 --- a/docs/rules/sysprefs/sysprefs_software_update_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_software_update_enforce.yaml @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91140-4 - cci: + cci: - N/A 800-53r5: - SI-2(5) diff --git a/docs/rules/sysprefs/sysprefs_softwareupdate_current.yaml b/docs/rules/sysprefs/sysprefs_softwareupdate_current.yaml index 26803e5..5656690 100644 --- a/docs/rules/sysprefs/sysprefs_softwareupdate_current.yaml +++ b/docs/rules/sysprefs/sysprefs_softwareupdate_current.yaml @@ -23,7 +23,7 @@ fix: | references: cce: - CCE-91141-2 - cci: + cci: - N/A 800-53r5: - N/A @@ -31,7 +31,7 @@ references: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -49,4 +49,4 @@ tags: - cisv8 severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_ssh_disable.yaml b/docs/rules/sysprefs/sysprefs_ssh_disable.yaml index 6fd2916..06fde9a 100644 --- a/docs/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_ssh_disable.yaml @@ -2,8 +2,8 @@ id: sysprefs_ssh_disable title: "Disable SSH Server for Remote Access Sessions" discussion: | SSH service _MUST_ be disabled for remote access. - - Remote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access. + + Remote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' result: 
@@ -16,14 +16,14 @@ fix: | references: cce: - CCE-91077-8 - cci: + cci: - N/A 800-53r5: - CM-7 - CM-7(1) - AC-17 800-53r4: - - AC-3 + - AC-3 - CM-7 - CM-7(1) srg: @@ -59,4 +59,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_ssh_enable.yaml b/docs/rules/sysprefs/sysprefs_ssh_enable.yaml index d3eeaf2..1dce69a 100644 --- a/docs/rules/sysprefs/sysprefs_ssh_enable.yaml +++ b/docs/rules/sysprefs/sysprefs_ssh_enable.yaml @@ -1,7 +1,7 @@ id: sysprefs_ssh_enable title: "Enable SSH Server for Remote Access Sessions" discussion: | - Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. + Remote access sessions _MUST_ use encrypted methods to protect unauthorized individuals from gaining access. check: | /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => false' result: @@ -14,7 +14,7 @@ fix: | references: cce: - CCE-91078-6 - cci: + cci: - N/A 800-53r5: - IA-2(8) @@ -23,7 +23,7 @@ references: - CM-7(1) - AC-17 800-53r4: - - AC-3 + - AC-3 - CM-7 - CM-7(1) - IA-2(8) @@ -40,13 +40,13 @@ references: macOS: - "12.0" tags: - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml b/docs/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml index e1139b8..e18ec5e 100644 --- a/docs/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml +++ b/docs/rules/sysprefs/sysprefs_system_wide_preferences_configure.yaml 
@@ -1,7 +1,7 @@ id: sysprefs_system_wide_preferences_configure title: "Require Administrator Password to Modify System-Wide Preferences" discussion: | - The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. + The system _MUST_ be configured to require an administrator password in order to modify the system-wide preferences in System Preferences. Some Preference Panes in System Preferences contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations. check: | @@ -39,11 +39,11 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - cis_lvl1 - cis_lvl2 @@ -51,4 +51,4 @@ tags: - stig severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml b/docs/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml index 9801796..fa9b659 100644 --- a/docs/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml +++ b/docs/rules/sysprefs/sysprefs_time_machine_auto_backup_enable.yaml 
@@ -1,33 +1,33 @@ id: sysprefs_time_machine_auto_backup_enable title: "Configure Time Machine for Automatic Backups" discussion: | - Automatic backups _MUST_ be enabled when using Time Machine. + Automatic backups _MUST_ be enabled when using Time Machine. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.TimeMachine')\ .objectForKey('AutoBackup').js EOS -result: +result: string: "true" fix: | This is implemented by a Configuration Profile. references: cce: - CCE-91142-0 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.7.1 (level 2) controls v8: - 11.2 @@ -39,4 +39,4 @@ tags: mobileconfig: true mobileconfig_info: com.apple.TimeMachine: - AutoBackup: true \ No newline at end of file + AutoBackup: true diff --git a/docs/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml b/docs/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml index f0029d8..01df7d7 100644 --- a/docs/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml +++ b/docs/rules/sysprefs/sysprefs_time_machine_encrypted_configure.yaml @@ -1,7 +1,7 @@ id: sysprefs_time_machine_encrypted_configure title: "Ensure Time Machine Volumes are Encrypted" discussion: | - Time Machine volumes _MUST_ be encrypted. + Time Machine volumes _MUST_ be encrypted. check: | error_count=0 for tm in $(/usr/bin/tmutil destinationinfo 2>/dev/null| /usr/bin/awk -F': ' '/Name/{print $2}'); do @@ -12,7 +12,7 @@ check: | fi done echo "$error_count" -result: +result: integer: 0 fix: | . Go to System Preferences -> Time Machine @@ -23,20 +23,20 @@ fix: | references: cce: - CCE-91143-8 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A cis: - benchmark: + benchmark: - 2.7.2 (level 2) controls v8: - 3.6 
@@ -48,4 +48,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_time_server_configure.yaml b/docs/rules/sysprefs/sysprefs_time_server_configure.yaml index 2eda909..ea88580 100644 --- a/docs/rules/sysprefs/sysprefs_time_server_configure.yaml +++ b/docs/rules/sysprefs/sysprefs_time_server_configure.yaml @@ -16,13 +16,13 @@ fix: | references: cce: - CCE-91080-2 - cci: + cci: - CCI-001891 - CCI-002046 800-53r5: - AU-12(1) - SC-45(1) - 800-53r4: + 800-53r4: - AU-8(1) srg: - SRG-OS-000355-GPOS-00143 @@ -39,12 +39,12 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate + - 800-171 + - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate - 800-53r4_high - cis_lvl1 - cis_lvl2 @@ -54,4 +54,4 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.MCX: - timeServer: "time-a.nist.gov,time-b.nist.gov" \ No newline at end of file + timeServer: "time-a.nist.gov,time-b.nist.gov" diff --git a/docs/rules/sysprefs/sysprefs_time_server_enforce.yaml b/docs/rules/sysprefs/sysprefs_time_server_enforce.yaml index bcf33c4..8367e69 100644 --- a/docs/rules/sysprefs/sysprefs_time_server_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_time_server_enforce.yaml @@ -16,13 +16,13 @@ fix: | references: cce: - CCE-91081-0 - cci: + cci: - CCI-001891 - CCI-002046 800-53r5: - AU-12(1) - SC-45(1) - 800-53r4: + 800-53r4: - AU-8(1) srg: - SRG-OS-000355-GPOS-00143 @@ -39,12 +39,12 @@ references: macOS: - "12.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r5_low - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate + - 800-171 + - cnssi-1253 + - 800-53r5_low + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate - 800-53r4_high - cis_lvl1 - cis_lvl2 
@@ -56,4 +56,3 @@ mobileconfig_info: com.apple.ManagedClient.preferences: com.apple.timed: TMAutomaticTimeOnlyEnabled: true - diff --git a/docs/rules/sysprefs/sysprefs_token_removal_enforce.yaml b/docs/rules/sysprefs/sysprefs_token_removal_enforce.yaml index 8691dcd..8620a11 100644 --- a/docs/rules/sysprefs/sysprefs_token_removal_enforce.yaml +++ b/docs/rules/sysprefs/sysprefs_token_removal_enforce.yaml 
@@ -3,11 +3,11 @@ title: "Configure User Session Lock When a Smart Token is Removed" discussion: | The screen lock _MUST_ be configured to initiate automatically when the smart token is removed from the system. - Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token. + Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token. [IMPORTANT] ==== - Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization. + Information System Security Officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed, so as to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | /usr/bin/osascript -l JavaScript << EOS @@ -25,7 +25,7 @@ references: - CCI-000058 800-53r5: - AC-11 - 800-53r4: + 800-53r4: - AC-11 srg: - SRG-OS-000030-GPOS-00011 
@@ -36,11 +36,11 @@ references: macOS: - "12.0" tags: - - 800-53r5_moderate - - 800-53r5_high - - 800-53r4_moderate - - 800-53r4_high - - 800-171 + - 800-53r5_moderate + - 800-53r5_high + - 800-53r4_moderate + - 800-53r4_high + - 800-171 - cnssi-1253 - stig severity: "medium" diff --git a/docs/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml b/docs/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml index f3e002c..2ec05e7 100644 --- a/docs/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_touchid_prefpane_disable.yaml @@ -3,7 +3,7 @@ title: "Disable the System Preference Pane for Touch ID" discussion: | The system preference pane for Touch ID _MUST_ be disabled. - Disabling the system preference pane prevents the users from configuring Touch ID. + Disabling the system preference pane prevents the users from configuring Touch ID. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: @@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91144-6 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002051 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - DisabledPreferencePanes: + DisabledPreferencePanes: - com.apple.preferences.password diff --git a/docs/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml b/docs/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml index 88d574c..b5bac46 100644 --- a/docs/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml +++ b/docs/rules/sysprefs/sysprefs_touchid_prefpane_hide.yaml 
@@ -3,7 +3,7 @@ title: "Hide the System Preference Pane for Touch ID" discussion: | The system preference pane for Touch ID _MUST_ be hidden. - Hiding the system preference pane prevents the users from configuring Touch ID. + Hiding the system preference pane prevents the users from configuring Touch ID. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.password' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: @@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91145-3 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002051 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - HiddenPreferencePanes: + HiddenPreferencePanes: - com.apple.preferences.password diff --git a/docs/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml b/docs/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml index adffe7d..b2776cc 100644 --- a/docs/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_touchid_unlock_disable.yaml 
@@ -1,11 +1,11 @@ id: sysprefs_touchid_unlock_disable title: "Disable TouchID for Unlocking the Device" discussion: | - TouchID enables the ability to unlock a Mac system with a user's fingerprint. - - TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID. - - The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method. + TouchID enables the ability to unlock a Mac system with a user's fingerprint. + + TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID. + + The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method. check: | /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ @@ -18,11 +18,11 @@ fix: | references: cce: - CCE-91083-6 - cci: + cci: - CCI-000056 800-53r5: - AC-11 - 800-53r4: + 800-53r4: - AC-11 srg: - N/A diff --git a/docs/rules/sysprefs/sysprefs_wake_network_access_disable.yaml b/docs/rules/sysprefs/sysprefs_wake_network_access_disable.yaml index 9155cce..0cc53b3 100644 --- a/docs/rules/sysprefs/sysprefs_wake_network_access_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_wake_network_access_disable.yaml @@ -23,7 +23,7 @@ references: srg: - N/A cci: - - N/A + - N/A 800-171r2: - N/A cis: @@ -38,4 +38,4 @@ tags: - cis_lvl2 - cisv8 mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml b/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml index eea464b..dfca445 100644 --- a/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_disable.yaml 
@@ -3,9 +3,9 @@ title: "Disable the System Preference Pane for Wallet and Apple Pay" discussion: | The system preference pane for Wallet and Apple Pay _MUST_ be disabled. - Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. + Disabling the system preference pane prevents the users from configuring Wallet and Apple Pay. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91147-9 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002052 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - DisabledPreferencePanes: + DisabledPreferencePanes: - com.apple.preferences.wallet diff --git a/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml b/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml index bf5872a..c33c454 100644 --- a/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml +++ b/docs/rules/sysprefs/sysprefs_wallet_applepay_prefpane_hide.yaml @@ -3,7 +3,7 @@ title: "Hide the System Preference Pane for Wallet and Apple Pay" discussion: | The system preference pane for Wallet and Apple Pay _MUST_ be hidden. - Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. + Hiding the system preference pane prevents the users from configuring Wallet and Apple Pay. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.wallet' | /usr/bin/awk '{ if ($1 >= 1) {print "1"} else {print "0"}}' result: 
@@ -13,18 +13,18 @@ fix: | references: cce: - CCE-91148-7 - cci: + cci: - CCI-001774 - CCI-000381 800-53r5: - CM-7 - CM-7(5) - 800-53r4: + 800-53r4: - CM-7 - CM-7(5) - srg: + srg: - SRG-OS-000095-GPOS-00049 - disa_stig: + disa_stig: - APPL-12-002052 800-171r2: - N/A @@ -36,5 +36,5 @@ severity: "medium" mobileconfig: true mobileconfig_info: com.apple.systempreferences: - HiddenPreferencePanes: + HiddenPreferencePanes: - com.apple.preferences.wallet diff --git a/docs/rules/sysprefs/sysprefs_wifi_disable.yaml b/docs/rules/sysprefs/sysprefs_wifi_disable.yaml index 63a2dac..e6ddf81 100644 --- a/docs/rules/sysprefs/sysprefs_wifi_disable.yaml +++ b/docs/rules/sysprefs/sysprefs_wifi_disable.yaml @@ -1,14 +1,14 @@ id: sysprefs_wifi_disable title: "Disable Wi-Fi Interface" discussion: | - The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. + The macOS system must be configured with Wi-Fi support software disabled if not connected to an authorized trusted network. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted it is necessary to use encryption to protect the confidentiality of information in transit.Wireless technologies include for example microwave packet radio (UHF/VHF) 802.11x and Bluetooth. Wireless networks use authentication protocols (e.g. EAP/TLS PEAP) which provide credential protection and mutual authentication. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | /usr/sbin/networksetup -listallnetworkservices | /usr/bin/grep -c "*Wi-Fi" -result: +result: integer: 1 fix: | To disable Wi-Fi on a macOS system, run the following command. @@ -26,7 +26,7 @@ references: - AC-18 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) 
@@ -45,15 +45,15 @@ references: macOS: - "12.0" tags: - - manual - - cnssi-1253 - - 800-53r4_low - - 800-53r4_moderate - - 800-53r4_high - - 800-53r5_low - - 800-53r5_moderate + - manual + - cnssi-1253 + - 800-53r4_low + - 800-53r4_moderate + - 800-53r4_high + - 800-53r5_low + - 800-53r5_moderate - 800-53r5_high - cisv8 severity: "medium" mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: diff --git a/docs/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml b/docs/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml index fb834a1..5c20250 100644 --- a/docs/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml +++ b/docs/rules/sysprefs/sysprefs_wifi_disable_when_connected_to_ethernet.yaml @@ -1,9 +1,9 @@ id: sysprefs_wifi_disable_when_connected_to_ethernet title: "Disable Wi-Fi When Connected to Ethernet" discussion: | - The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. + The macOS should be configured to automatically disable Wi-Fi when connected to ethernet. - The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. + The use of Wi-Fi to connect to unauthorized networks may facilitate the exfiltration of mission data. Therefore, wireless networking capabilities internally embedded within information system components should be disabled when not intended to be used. NOTE: If the system requires Wi-Fi to connect to an authorized network, this is not applicable. check: | @@ -19,7 +19,7 @@ references: - AC-4 - AC-18(1) - AC-18(3) - 800-53r4: + 800-53r4: - AC-4 - AC-18(1) - AC-18(3) @@ -41,4 +41,4 @@ tags: - cnssi-1253 - permanent mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig_info: 
diff --git a/docs/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/docs/rules/sysprefs/sysprefs_wifi_menu_enable.yaml index 2d4164e..ff69101 100644 --- a/docs/rules/sysprefs/sysprefs_wifi_menu_enable.yaml +++ b/docs/rules/sysprefs/sysprefs_wifi_menu_enable.yaml @@ -14,15 +14,15 @@ fix: | references: cce: - CCE-91149-5 - cci: + cci: - N/A 800-53r5: - N/A - 800-53r4: + 800-53r4: - N/A srg: - N/A - disa_stig: + disa_stig: - N/A 800-171r2: - N/A @@ -41,4 +41,4 @@ tags: mobileconfig: true mobileconfig_info: com.apple.controlcenter: - WiFi: 18 \ No newline at end of file + WiFi: 18 diff --git a/docs/sections/auditing.yaml b/docs/sections/auditing.yaml index 6314ac5..2e075db 100644 --- a/docs/sections/auditing.yaml +++ b/docs/sections/auditing.yaml @@ -4,4 +4,4 @@ NOTE: The BSM Audit subsystem has been marked as deprecated by Apple. - NOTE: The check/fix commands outlined in this section _MUST_ be run with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section _MUST_ be run with elevated privileges. diff --git a/docs/sections/authentication.yaml b/docs/sections/authentication.yaml index 231871e..6d9b7f5 100644 --- a/docs/sections/authentication.yaml +++ b/docs/sections/authentication.yaml @@ -1,5 +1,5 @@ name: "Authentication" description: | - This section contains the configuration of authentication settings, including the enforcement of smartcard authentication. + This section contains the configuration of authentication settings, including the enforcement of smartcard authentication. - NOTE: The check/fix commands outlined in this section must be run with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section must be run with elevated privileges. diff --git a/docs/sections/icloud.yaml b/docs/sections/icloud.yaml index 21c43f4..1ae56a1 100644 --- a/docs/sections/icloud.yaml +++ b/docs/sections/icloud.yaml 
@@ -2,4 +2,4 @@ description: | This section contains the configuration and enforcement of iCloud and the Apple ID service settings. - NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with with elevated privileges. diff --git a/docs/sections/inherent.yaml b/docs/sections/inherent.yaml index 508b96b..2b8adc9 100644 --- a/docs/sections/inherent.yaml +++ b/docs/sections/inherent.yaml @@ -1,3 +1,3 @@ name: "Inherent" description: | - This section reviews the controls that are built-in to macOS, and cannot be configured out of compliance. \ No newline at end of file + This section reviews the controls that are built-in to macOS, and cannot be configured out of compliance. diff --git a/docs/sections/macos.yaml b/docs/sections/macos.yaml index fe81534..b7d6bfd 100644 --- a/docs/sections/macos.yaml +++ b/docs/sections/macos.yaml @@ -2,4 +2,4 @@ description: | This section contains the configuration and enforcement of operating system settings. - NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. diff --git a/docs/sections/not_applicable.yaml b/docs/sections/not_applicable.yaml index 0f6c224..692651d 100644 --- a/docs/sections/not_applicable.yaml +++ b/docs/sections/not_applicable.yaml @@ -1,3 +1,3 @@ name: "Not Applicable" description: | - This section contains the controls that are defined in the NIST 800-53 revision 5 but are not applicable when configuring a macOS system. \ No newline at end of file + This section contains the controls that are defined in the NIST 800-53 revision 5 but are not applicable when configuring a macOS system. 
diff --git a/docs/sections/passwordpolicy.yaml b/docs/sections/passwordpolicy.yaml index 02dd17b..f4120d1 100644 --- a/docs/sections/passwordpolicy.yaml +++ b/docs/sections/passwordpolicy.yaml @@ -2,11 +2,11 @@ description: | This section contains the configuration and enforcement of settings pertaining to password policies in macOS. - NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. + NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. [IMPORTANT] ==== The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. ==== - NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible. \ No newline at end of file + NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible. diff --git a/docs/sections/permanent.yaml b/docs/sections/permanent.yaml index 00b3d6b..17a6d00 100644 --- a/docs/sections/permanent.yaml +++ b/docs/sections/permanent.yaml 
@@ -1,3 +1,3 @@ name: "Permanent Findings" description: | - This section contains the controls that are defined in NIST 800-53 revision 5 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section. \ No newline at end of file + This section contains the controls that are defined in NIST 800-53 revision 5 but are unable to be configured natively within macOS. It is recommended to implement a third-party solution to meet the controls in this section. diff --git a/docs/sections/srg.yaml b/docs/sections/srg.yaml index bd44926..88b9ab1 100644 --- a/docs/sections/srg.yaml +++ b/docs/sections/srg.yaml @@ -2,4 +2,4 @@ description: | This section contains rules and controls that are associated with DISA's security requirements guide for general purpose operating systems. - NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. diff --git a/docs/sections/supplemental.yaml b/docs/sections/supplemental.yaml index 5e04c50..e15f15a 100644 --- a/docs/sections/supplemental.yaml +++ b/docs/sections/supplemental.yaml @@ -1,3 +1,3 @@ name: "Supplemental" description: | - This section provides additional information to support the guidance provided by the baselines. \ No newline at end of file + This section provides additional information to support the guidance provided by the baselines. diff --git a/docs/sections/systempreferences.yaml b/docs/sections/systempreferences.yaml index 398a836..6b1ef44 100644 --- a/docs/sections/systempreferences.yaml +++ b/docs/sections/systempreferences.yaml 
@@ -2,4 +2,4 @@ description: | This section contains the configuration and enforcement of the settings within the macOS System Preferences application. - NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. \ No newline at end of file + NOTE: The check/fix commands outlined in this section _MUST_ be run by a user with elevated privileges. diff --git a/docs/templates/adoc_acronyms.adoc b/docs/templates/adoc_acronyms.adoc index c425e43..60ffca6 100644 --- a/docs/templates/adoc_acronyms.adoc +++ b/docs/templates/adoc_acronyms.adoc @@ -5,7 +5,7 @@ |AES|Advanced Encryption Standard |ABM|Apple Business Manager |AFP|Apple Filing Protocol -|ALF|Application Layer Firewall +|ALF|Application Layer Firewall |AO|Authorizing Official |API|Application Programming Interface |ARD|Apple Remote Desktop @@ -37,4 +37,4 @@ |STIG|Security Technical Implementation Guide |UAMDM|User Approved MDM |UUCP|Unix-to-Unix Copy Protocol -|==== \ No newline at end of file +|==== diff --git a/docs/templates/adoc_additional_docs.adoc b/docs/templates/adoc_additional_docs.adoc index 20627c5..25f63a0 100644 --- a/docs/templates/adoc_additional_docs.adoc +++ b/docs/templates/adoc_additional_docs.adoc @@ -35,7 +35,7 @@ ASSOCIATED DOCUMENTS .Committee on National Security Systems (CNSS) |=== |Document Number or Descriptor -|Document Title +|Document Title |link:https://www.cnss.gov/CNSS/issuances/Instructions.cfm[CNSSI No. 1253]|_Security Categorization and Control Selection for National Security Systems_ |=== @@ -58,4 +58,4 @@ ASSOCIATED DOCUMENTS |Document Number or Descriptor |Document Title |link:https://www.cisecurity.org/benchmark/apple_os/[Apple macOS 12.0]|_CIS Apple macOS 12.0 Benchmark version 1.0_ -|=== \ No newline at end of file +|=== diff --git a/docs/templates/adoc_authors.adoc b/docs/templates/adoc_authors.adoc index 1f78e65..849393c 100644 --- a/docs/templates/adoc_authors.adoc +++ b/docs/templates/adoc_authors.adoc 
@@ -14,4 +14,4 @@ $authors_list |Elyse Anderson|National Aeronautics and Space Administration |Gary Gapinski|National Aeronautics and Space Administration |=== -//// \ No newline at end of file +//// diff --git a/docs/templates/adoc_foreword.adoc b/docs/templates/adoc_foreword.adoc index 26dbf62..a3e1001 100644 --- a/docs/templates/adoc_foreword.adoc +++ b/docs/templates/adoc_foreword.adoc @@ -2,7 +2,7 @@ The macOS Security Compliance Project is an open source effort to provide a programmatic approach to generating security guidance. The configuration settings in this document were derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, _Security and Privacy Controls for Information Systems and Organizations_, Revision 5. -This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. +This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization. The objective of this effort was to simplify and radically accelerate the process of producing up-to-date macOS security guidance that is also accessible to any organization and tailorable to meet each organization’s specific security needs. diff --git a/docs/templates/adoc_rules_table_footer.adoc b/docs/templates/adoc_rules_table_footer.adoc index feaabad..89cd941 100644 --- a/docs/templates/adoc_rules_table_footer.adoc +++ b/docs/templates/adoc_rules_table_footer.adoc 
@@ -1 +1 @@ -|=== \ No newline at end of file +|=== diff --git a/docs/templates/adoc_rules_table_header.adoc b/docs/templates/adoc_rules_table_header.adoc index 525c9ee..6224776 100644 --- a/docs/templates/adoc_rules_table_header.adoc +++ b/docs/templates/adoc_rules_table_header.adoc @@ -6,4 +6,4 @@ |ID |Title -|Discussion \ No newline at end of file +|Discussion diff --git a/docs/templates/adoc_scope.adoc b/docs/templates/adoc_scope.adoc index 7c770e0..19487c5 100644 --- a/docs/templates/adoc_scope.adoc +++ b/docs/templates/adoc_scope.adoc @@ -1,3 +1,3 @@ == Scope -$scope_description \ No newline at end of file +$scope_description diff --git a/docs/templates/adoc_section.adoc b/docs/templates/adoc_section.adoc index 33f9caa..7306429 100644 --- a/docs/templates/adoc_section.adoc +++ b/docs/templates/adoc_section.adoc @@ -1,4 +1,3 @@ == $section_name $description - diff --git a/docs/templates/adoc_supplemental.adoc b/docs/templates/adoc_supplemental.adoc index 6b3ad18..fefb294 100644 --- a/docs/templates/adoc_supplemental.adoc +++ b/docs/templates/adoc_supplemental.adoc @@ -1,4 +1,3 @@ === $rule_title $rule_discussion - diff --git a/docs/templates/asciidoctor.css b/docs/templates/asciidoctor.css index 7b5d396..f45a5b3 100755 --- a/docs/templates/asciidoctor.css +++ b/docs/templates/asciidoctor.css @@ -430,4 +430,4 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b table.grid-all {border-collapse: collapse;} .doctitle{font-size:35px;text-align: center;} .docsub{font-size: 35px;text-align: center;} -.docver{font-size: 25px;text-align: center;} \ No newline at end of file +.docver{font-size: 25px;text-align: center;} diff --git a/docs/templates/pdf-theme.yml b/docs/templates/pdf-theme.yml index 6e1bcab..1d87d4a 100755 --- a/docs/templates/pdf-theme.yml +++ b/docs/templates/pdf-theme.yml 
@@ -19,10 +19,10 @@ footer: recto: right: content: ~ - center: + center: content: '{page-number} of {page-count}' verso: left: content: ~ center: - content: '{page-number} of {page-count}' \ No newline at end of file + content: '{page-number} of {page-count}' diff --git a/etc/hosts/blocklist.txt b/etc/hosts/blocklist.txt index 7c79567..392f577 100644 --- a/etc/hosts/blocklist.txt +++ b/etc/hosts/blocklist.txt @@ -1775260,4 +1775260,4 @@ 127.0.0.1 zzxxtra.com 127.0.0.1 zzzcomics.org 127.0.0.1 zzztube.ru -127.0.0.1 zzztube.tv \ No newline at end of file +127.0.0.1 zzztube.tv diff --git a/etc/pf/sample-pf.conf b/etc/pf/sample-pf.conf index 72ec977..5db94ed 100644 --- a/etc/pf/sample-pf.conf +++ b/etc/pf/sample-pf.conf @@ -11,7 +11,7 @@ # # Care must be taken to ensure that the main ruleset does not get flushed, # as the nested anchors rely on the anchor point defined here. In addition, -# to the anchors loaded by this file, some system services would dynamically +# to the anchors loaded by this file, some system services would dynamically # insert anchors into the main ruleset. These anchors will be added only when # the system service is used and would removed on termination of the service. # diff --git a/etc/privoxy/user.action b/etc/privoxy/user.action index 2f823ef..de35411 100644 --- a/etc/privoxy/user.action +++ b/etc/privoxy/user.action @@ -581,9 +581,9 @@ connectivitycheck.gstatic.com/generate_204 ###################################################################### -# +# # File : $Source: /cvsroot/ijbswa/current/user.action,v $ -# +# # $Id: user.action,v 1.13 2011/11/06 11:36:01 fabiankeil Exp $ # # Purpose : User-maintained actions file, see 
@@ -596,7 +596,7 @@ connectivitycheck.gstatic.com/generate_204 # safe from updates to default.action.) Later defined actions always # take precedence, so anything defined here should have the last word. -# See http://www.privoxy.org/user-manual/actions-file.html, or the +# See http://www.privoxy.org/user-manual/actions-file.html, or the # comments in default.action, for an explanation of what an "action" is # and what each action does. @@ -620,12 +620,12 @@ connectivitycheck.gstatic.com/generate_204 # # Alias names are not case sensitive. # -# Aliases beginning with '+' or '-' may be used for system action names -# in future releases - so try to avoid alias names like this. (e.g. +# Aliases beginning with '+' or '-' may be used for system action names +# in future releases - so try to avoid alias names like this. (e.g. # "+crunch-all-cookies" below is not a good name) # # Aliases must be defined before they are used. -# +# # These aliases just save typing later: # +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies @@ -708,7 +708,7 @@ www.example.com/nasty-ads/sponsor.gif # The URLs of dynamically generated banners, especially from large banner # farms, often don't use the well-known image file name extensions, which # makes it impossible for Privoxy to guess the file type just by looking -# at the URL. +# at the URL. # You can use the +block-as-image alias defined above for these cases. # Note that objects which match this rule but then turn out NOT to be an # image are typically rendered as a "broken image" icon by the browser. @@ -730,7 +730,7 @@ www.example.com/nasty-ads/sponsor.gif # 'fragile' aliases disables those actions that are most likely to break # a site. Also, good for testing purposes to see if it is Privoxy that # is causing the problem or not. -# +# { fragile } #.forbes.com 
@@ -857,9 +857,9 @@ ad.admitad.com adash.m.taobao.com ###################################################################### -# +# # File : $Source: /cvsroot/ijbswa/current/user.action,v $ -# +# # $Id: user.action,v 1.13 2011/11/06 11:36:01 fabiankeil Exp $ # # Purpose : User-maintained actions file, see @@ -872,7 +872,7 @@ adash.m.taobao.com # safe from updates to default.action.) Later defined actions always # take precedence, so anything defined here should have the last word. -# See http://www.privoxy.org/user-manual/actions-file.html, or the +# See http://www.privoxy.org/user-manual/actions-file.html, or the # comments in default.action, for an explanation of what an "action" is # and what each action does. @@ -896,12 +896,12 @@ adash.m.taobao.com # # Alias names are not case sensitive. # -# Aliases beginning with '+' or '-' may be used for system action names -# in future releases - so try to avoid alias names like this. (e.g. +# Aliases beginning with '+' or '-' may be used for system action names +# in future releases - so try to avoid alias names like this. (e.g. # "+crunch-all-cookies" below is not a good name) # # Aliases must be defined before they are used. -# +# # These aliases just save typing later: # +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies @@ -984,7 +984,7 @@ www.example.com/nasty-ads/sponsor.gif # The URLs of dynamically generated banners, especially from large banner # farms, often don't use the well-known image file name extensions, which # makes it impossible for Privoxy to guess the file type just by looking -# at the URL. +# at the URL. # You can use the +block-as-image alias defined above for these cases. # Note that objects which match this rule but then turn out NOT to be an # image are typically rendered as a "broken image" icon by the browser. 
@@ -1002,7 +1002,7 @@ www.example.com/nasty-ads/sponsor.gif # 'fragile' aliases disables those actions that are most likely to break # a site. Also, good for testing purposes to see if it is Privoxy that # is causing the problem or not. -# +# { fragile } #.forbes.com @@ -42863,4 +42863,3 @@ videopremium.tv menstennisforums.com { -filter{accountsgooglecom_w} } accounts.google.com - diff --git a/etc/privoxy/user.filter b/etc/privoxy/user.filter index b501e2d..d1fd1be 100644 --- a/etc/privoxy/user.filter +++ b/etc/privoxy/user.filter @@ -1,21 +1,21 @@ # ******************************************************************** -# +# # File : $Source: /cvsroot/ijbswa/current/user.filter,v $ -# +# # $Id: user.filter,v 1.3 2008/05/21 20:17:03 fabiankeil Exp $ # # Purpose : Rules to process the content of web pages -# +# # Copyright : Written by and Copyright (C) 2006-2008 the # Privoxy team. http://www.privoxy.org/ # # We value your feedback. However, to provide you with the best support, # please note: -# +# # * Use the support forum to get help: # http://sourceforge.net/tracker/?group_id=11118&atid=211118 # * Submit bugs only thru our bug forum: -# http://sourceforge.net/tracker/?group_id=11118&atid=111118 +# http://sourceforge.net/tracker/?group_id=11118&atid=111118 # Make sure that the bug has not already been submitted. Please try # to verify that it is a Privoxy bug, and not a browser or site # bug first. If you are using your own custom configuration, please 
@@ -24,15 +24,15 @@ # please try the latest one. Or even better, CVS sources. # * Submit feature requests only thru our feature request forum: # http://sourceforge.net/tracker/?atid=361118&group_id=11118&func=browse -# +# # For any other issues, feel free to use the mailing lists: # http://sourceforge.net/mail/?group_id=11118 -# +# # Anyone interested in actively participating in development and related # discussions can join the appropriate mailing list here: # http://sourceforge.net/mail/?group_id=11118. Archives are available # here too. -# +# ################################################################################# # # Syntax: @@ -54,7 +54,7 @@ # # Note2: In addition to the Perl options gimsx, the following nonstandard # options are supported: -# +# # 'U' turns the default to ungreedy matching. Add ? to quantifiers to # switch back to greedy. # @@ -71,7 +71,7 @@ # escaping anything, therefore you also have to be careful not to chose # delimiters that appear in the replacement text. For example '<' should # be save, while '?' will sooner or later cause conflicts with $url. -# +# ################################################################################# # Ad Block Plus Filter @@ -39826,4 +39826,3 @@ s@\<([a-zA-Z0-9]+)\s+[^\>]*(\bclass=["']?([^"'\>]+\s+)?top_ads[\s"'\>])(/\>|\>.* FILTER: accountsgooglecom_w Whitelist filters for pattern accounts.google.com s@\<([a-zA-Z0-9]+)\s+[^\>]*(\bclass=["']?([^"'\>]+\s+)?adwords[\s"'\>])(/\>|\>.*?\<\/\1\>)@@igs - diff --git a/firefox b/firefox index 95081f6..6fb8b20 100644 --- a/firefox +++ b/firefox 
@@ -1,255 +1,255 @@ -accessibility.typeaheadfind.flashBar 0 -app.normandy.first_run false -app.normandy.migrationsApplied 12 -app.normandy.user_id 8d6489f6-d3dd-4c41-ae04-4d5935293a82 -app.shield.optoutstudies.enabled false -app.update.background.previous.reasons ["the maintenance service registry key is not present"] -app.update.lastUpdateTime.addon-background-update-timer 1651249169 -app.update.lastUpdateTime.background-update-timer 1651248172 -app.update.lastUpdateTime.browser-cleanup-thumbnails 1651269633 -app.update.lastUpdateTime.recipe-client-addon-run 1651270012 -app.update.lastUpdateTime.region-update-timer 1650903230 -app.update.lastUpdateTime.rs-experiment-loader-timer 1650907070 -app.update.lastUpdateTime.search-engine-update-timer 1651266292 -app.update.lastUpdateTime.services-settings-poll-changes 1651249049 -app.update.lastUpdateTime.telemetry_modules_ping 1650902300 -app.update.lastUpdateTime.xpi-signature-verification 1651249289 -browser.aboutConfig.showWarning false -browser.bookmarks.defaultLocation 186UoPYwIbmZ -browser.bookmarks.editDialog.confirmationHintShowCount 3 -browser.bookmarks.restore_default_bookmarks false -browser.contentblocking.category strict -browser.contextual-services.contextId {3e64b96e-0ceb-497b-a64f-f16bf4402741} -browser.discovery.enabled false -browser.download.panel.shown true -browser.download.viewableInternally.typeWasRegistered.avif true -browser.download.viewableInternally.typeWasRegistered.webp true -browser.engagement.downloads-button.has-used true -browser.laterrun.bookkeeping.profileCreationTime 1650902239 -browser.laterrun.bookkeeping.sessionCount 9 -browser.laterrun.enabled true -browser.migration.version 125 -browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons false -browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features false -browser.newtabpage.activity-stream.discoverystream.rec.impressions 
{"126520":1650902276940,"126556":1650902276941,"126604":1650907071710,"191703431":1650909341382} -browser.newtabpage.activity-stream.discoverystream.spoc.impressions {"169420175":[1650907071694,1650907264240,1650907323560,1650908230500,1650909341380]} -browser.newtabpage.activity-stream.feeds.discoverystreamfeed false -browser.newtabpage.activity-stream.feeds.section.topstories false -browser.newtabpage.activity-stream.feeds.telemetry false -browser.newtabpage.activity-stream.feeds.topsites false -browser.newtabpage.activity-stream.impressionId {3c0457d0-df27-4114-bfb8-fbf24787a2f4} -browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned amazon,google -browser.newtabpage.activity-stream.section.highlights.includeBookmarks false -browser.newtabpage.activity-stream.section.highlights.includeDownloads false -browser.newtabpage.activity-stream.section.highlights.includePocket false -browser.newtabpage.activity-stream.section.highlights.includeVisited false -browser.newtabpage.activity-stream.showSponsored false -browser.newtabpage.activity-stream.showSponsoredTopSites false -browser.newtabpage.pinned [{"url":"https://amazon.com","label":"@amazon","searchTopSite":true},{"url":"https://google.com","label":"@google","searchTopSite":true}] -browser.newtabpage.storageVersion 1 -browser.pageActions.persistedActions {"ids":["bookmark","_c607c8df-14a7-4f28-894f-29e8722976af_","canvasblocker_kkapsner_de"],"idsInUrlbar":["_c607c8df-14a7-4f28-894f-29e8722976af_","canvasblocker_kkapsner_de","bookmark"],"idsInUrlbarPreProton":[],"version":1} -browser.pagethumbnails.storage_version 3 -browser.ping-centre.telemetry false -browser.privatebrowsing.autostart true -browser.protections_panel.infoMessage.seen true -browser.proton.toolbar.version 3 -browser.region.update.updated 1650902242 -browser.safebrowsing.provider.google4.lastupdatetime 1651269403293 -browser.safebrowsing.provider.google4.nextupdatetime 1651271200293 
-browser.safebrowsing.provider.mozilla.lastupdatetime 1651250288230 -browser.safebrowsing.provider.mozilla.nextupdatetime 1651271888230 -browser.search.hiddenOneOffs Wikipedia (en) -browser.search.region US -browser.search.suggest.enabled false -browser.shell.didSkipDefaultBrowserCheckOnFirstRun true -browser.shell.mostRecentDateSetAsDefault 1651070972 -browser.startup.couldRestoreSession.count 1 -browser.startup.homepage_override.buildID 20220411174855 -browser.startup.homepage_override.mstone 99.0.1 -browser.startup.lastColdStartupCheck 1651070972 -browser.tabs.crashReporting.sendReport false -browser.theme.content-theme 0 -browser.theme.toolbar-theme 0 -browser.uiCustomization.state {"placements":{"widget-overflow-fixed-list":[],"nav-bar":["back-button","forward-button","stop-reload-button","customizableui-special-spring1","urlbar-container","customizableui-special-spring2","save-to-pocket-button","downloads-button","fxa-toolbar-menu-button","_c0f619ac-25fb-43b6-954d-823fef95c834_-browser-action","ublock0_raymondhill_net-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","cookieautodelete_kennydo_com-browser-action","_74145f27-f039-47ce-a470-a662b129930a_-browser-action","_019b606a-6f61-4d01-af2a-cea528f606da_-browser-action","canvasblocker_kkapsner_de-browser-action"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button","_c607c8df-14a7-4f28-894f-29e8722976af_-browser-action"],"PersonalToolbar":["personal-bookmarks"]},"seen":["save-to-pocket-button","developer-button","_c0f619ac-25fb-43b6-954d-823fef95c834_-browser-action","ublock0_raymondhill_net-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","cookieautodelete_kennydo_com-browser-action","_74145f27-f039-47ce-a470-a662b129930a_-browser-action","_019b606a-6f61-4d01-af2a-cea528f606da_-browser-action","_c607c8df-14a7-4f28-894f-29e8722976af_-browser-action","canvasblocker_kkapsner_de-browser-action"],"dirtyAreaCache":["nav-bar","PersonalToolbar","TabsToolbar"],"currentVersion":17
,"newElementCount":2} -browser.urlbar.placeholderName Google -browser.urlbar.quicksuggest.migrationVersion 2 -browser.urlbar.quicksuggest.scenario offline -browser.urlbar.shortcuts.bookmarks false -browser.urlbar.shortcuts.history false -browser.urlbar.shortcuts.tabs false -browser.urlbar.suggest.bookmark false -browser.urlbar.suggest.history false -browser.urlbar.suggest.openpage false -browser.urlbar.suggest.quicksuggest.nonsponsored false -browser.urlbar.suggest.quicksuggest.sponsored false -browser.urlbar.suggest.topsites false -datareporting.healthreport.uploadEnabled false -datareporting.policy.dataSubmissionPolicyAcceptedVersion 2 -datareporting.policy.dataSubmissionPolicyNotifiedTime 1650902242109 -devtools.debugger.pending-selected-location {"sourceId":"source-https://meet.google.com/_/scs/mss-static/_/js/k=boq-rtc.MeetingsUi.en.QgzuVNXcgx0.2020.O/ck=boq-rtc.MeetingsUi.S5lTOpzhCsg.L.F4.O/am=IgDAAAEAeg0kAEgZNgEgMABBAAAgKEAH5OUHAACAGDAACDgDwIAkgAAAAEACMgMAFGAAAF4CgIyCxACA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,calldesktoppageview/esmo=1/ed=1/wt=2/rs=AL5CKSHQTHw1r9a5csKzOGIegMrkXmwhOA/ee=cEt90b:ws9Tlc;rXjWyb:VWuaCc;uY49fb:COQbmf;oGtAuc:sOXFj;SVOR2e:RqS4qe;yxTchf:KUM7Z;qddgKe:xQtZb;dIoSBb:SpsfSb;BjCzpe:Yvr34d;BVZWad:llTWPd;kqpyR:oFF0ab;gAClPb:ghdkwd;ZaFVgc:wOWhl;b3iZcb:celsfc;giw6qf:EcLnpd;iKsOgb:cWjcJb;lbbWme:daIyVc;h315Eb:VkDogc;eBAeSb:zbML3c;CG6AQc:krpgkb;hoquJe:EjBUIf;MJ6mxb:ubdYZ;BRmVff:HS5Yaf;PRDQhf:ux3mLc;zWcMwf:K9Wjeb;rUAape:NePQb;w1T0Td:xpWMVc;l6twR:Fvyyad;SIjcAd:jrKD8b;jtBjNe:dWHZee;lJ7cgb:Erp0q;NSEoX:lazG7b;X6zUkd:u0z0vd;cFl0Ie:PWJipc;rI0Pr:Cqvedd;x2i2de:zeWni;BVdD3:kUrwYe;brLlgb:SCXWAb;XLRw3e:OcCk8d;reHXFb:qZ6i3c;brg6Gd:TlvL3b;YBihAb:oeIFub;esl3oe:Qz2vJf;dYFttf:ZRxAzc;zxnPse:GkRiKb;EVNhjf:pw70Gc;cYTQve:bmEjgc;RYWUUc:anescc;vKM7Jb:cWjcJb;io8t5d:yDVVkb;j7137d:KG2eXe;Oj465e:KG2eXe;ul9GGd:JrBFQb;sP4Vbe:VwDzFe;kMFpHd:blwjVc;NPKaK:SdcwHb;pXdRYb:MdUzUe;nAFL3:s39S4;iFQyKf:QIhFr;SNUn3:ZwDk9d;LBgRLc:SdcwHb;wR5FRb:O1Gjze/m=n73qwf,ws9Tlc,e5qFLc,GkRiKb,
IZT63,UUJqVe,O1Gjze,xUdipf,blwjVc,fKUV3e,aurFic,COQbmf,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,XU5LFb,m9oV,hl,rrm,jKHFJb,WO9ee,T6U9J,lHoXXe,SFhYHb,rsr,oFF0ab,sVRBvb,AePfdf,RqS4qe,t8N1l,k2r0oe,hIrTA,nUMwj,FMq9Lb,g1cBhf,O6y8ed,PrPYRd,MpJwZc,NwH0H,OmgaI,lazG7b,Mpq4Ee,g9HNd,MsyKad,ma,tQz2Ve,Yvr34d,XVMNvd,L1AAkb,KUM7Z,VWuaCc,Fl2dbf,GcAaod,vaToBb,rn9YO,Y0bgVb,s39S4,lwddkf,gychg,w9hDv,RMhBfe,tgTcU,FJm4Gb,lAg79c,TH1Apc,SdcwHb,aW3pY,P1S3zf,DM8swd,pw70Gc,EFQ78c,Ulmmrd,ZfAoz,mdR7q,Ivl8bd,kbLDWb,I6YDgd,N5Lqpc,fgj8Rb,xQtZb,PQaYAf,y4Nztd,gJzDyc,JNoxi,MI6k7c,kjKdXe,texUgd,xGC4Gb,BVgquf,llTWPd,lPKSwe,EcLnpd,QIhFr,lfpdyf,FYCkde,hKSk3e,FSOnAf,wfcdnd,cilABe,qexExd,DNsE7e,jdrlZe,sIckOb,swpmp,yllLZc,gtEOic,CvtcN,sszRX,wiZ2v,QQnX0,yDVVkb,oUdseb,sPwFo,CJeEuc,tZtmyd,Tnlgmf,dWHZee,LTMqbe,uRj5Ac,Z7OaKe,DPQwOe,DDvSYd,NNJERe,hc6Ubd,IVuTze,yF5Ngd,ggZMAe,Lamzc,KG2eXe,SpsfSb,cWjcJb,zthRrb,MdUzUe,NHietc,LgZW9b,Y87did,fPeTAb,VwDzFe,zbU9W,alwr6,Ebsiqd,ixOrqc,dlck6b,kmkrAf,n5Xbsc,zbML3c,A7fCU,Uas9Hd,a9EW5e,JGjVRe,hIO81e,pjICDe","line":1959,"column":120,"url":"https://meet.google.com/_/scs/mss-static/_/js/k=boq-rtc.MeetingsUi.en.QgzuVNXcgx0.2020.O/ck=boq-rtc.MeetingsUi.S5lTOpzhCsg.L.F4.O/am=IgDAAAEAeg0kAEgZNgEgMABBAAAgKEAH5OUHAACAGDAACDgDwIAkgAAAAEACMgMAFGAAAF4CgIyCxACA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,calldesktoppageview/esmo=1/ed=1/wt=2/rs=AL5CKSHQTHw1r9a5csKzOGIegMrkXmwhOA/ee=cEt90b:ws9Tlc;rXjWyb:VWuaCc;uY49fb:COQbmf;oGtAuc:sOXFj;SVOR2e:RqS4qe;yxTchf:KUM7Z;qddgKe:xQtZb;dIoSBb:SpsfSb;BjCzpe:Yvr34d;BVZWad:llTWPd;kqpyR:oFF0ab;gAClPb:ghdkwd;ZaFVgc:wOWhl;b3iZcb:celsfc;giw6qf:EcLnpd;iKsOgb:cWjcJb;lbbWme:daIyVc;h315Eb:VkDogc;eBAeSb:zbML3c;CG6AQc:krpgkb;hoquJe:EjBUIf;MJ6mxb:ubdYZ;BRmVff:HS5Yaf;PRDQhf:ux3mLc;zWcMwf:K9Wjeb;rUAape:NePQb;w1T0Td:xpWMVc;l6twR:Fvyyad;SIjcAd:jrKD8b;jtBjNe:dWHZee;lJ7cgb:Erp0q;NSEoX:lazG7b;X6zUkd:u0z0vd;cFl0Ie:PWJipc;rI0Pr:Cqvedd;x2i2de:zeWni;BVdD3:kUrwYe;brLlgb:SCXWAb;XLRw3e:OcCk8d;reHXFb:qZ6i3c;brg6Gd:TlvL3b;YBihAb:oeIFub;esl3oe:Qz2vJf;dYFttf:ZRxAzc;zxnPse:GkRiKb;EVNhjf:pw70Gc;
cYTQve:bmEjgc;RYWUUc:anescc;vKM7Jb:cWjcJb;io8t5d:yDVVkb;j7137d:KG2eXe;Oj465e:KG2eXe;ul9GGd:JrBFQb;sP4Vbe:VwDzFe;kMFpHd:blwjVc;NPKaK:SdcwHb;pXdRYb:MdUzUe;nAFL3:s39S4;iFQyKf:QIhFr;SNUn3:ZwDk9d;LBgRLc:SdcwHb;wR5FRb:O1Gjze/m=n73qwf,ws9Tlc,e5qFLc,GkRiKb,IZT63,UUJqVe,O1Gjze,xUdipf,blwjVc,fKUV3e,aurFic,COQbmf,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,XU5LFb,m9oV,hl,rrm,jKHFJb,WO9ee,T6U9J,lHoXXe,SFhYHb,rsr,oFF0ab,sVRBvb,AePfdf,RqS4qe,t8N1l,k2r0oe,hIrTA,nUMwj,FMq9Lb,g1cBhf,O6y8ed,PrPYRd,MpJwZc,NwH0H,OmgaI,lazG7b,Mpq4Ee,g9HNd,MsyKad,ma,tQz2Ve,Yvr34d,XVMNvd,L1AAkb,KUM7Z,VWuaCc,Fl2dbf,GcAaod,vaToBb,rn9YO,Y0bgVb,s39S4,lwddkf,gychg,w9hDv,RMhBfe,tgTcU,FJm4Gb,lAg79c,TH1Apc,SdcwHb,aW3pY,P1S3zf,DM8swd,pw70Gc,EFQ78c,Ulmmrd,ZfAoz,mdR7q,Ivl8bd,kbLDWb,I6YDgd,N5Lqpc,fgj8Rb,xQtZb,PQaYAf,y4Nztd,gJzDyc,JNoxi,MI6k7c,kjKdXe,texUgd,xGC4Gb,BVgquf,llTWPd,lPKSwe,EcLnpd,QIhFr,lfpdyf,FYCkde,hKSk3e,FSOnAf,wfcdnd,cilABe,qexExd,DNsE7e,jdrlZe,sIckOb,swpmp,yllLZc,gtEOic,CvtcN,sszRX,wiZ2v,QQnX0,yDVVkb,oUdseb,sPwFo,CJeEuc,tZtmyd,Tnlgmf,dWHZee,LTMqbe,uRj5Ac,Z7OaKe,DPQwOe,DDvSYd,NNJERe,hc6Ubd,IVuTze,yF5Ngd,ggZMAe,Lamzc,KG2eXe,SpsfSb,cWjcJb,zthRrb,MdUzUe,NHietc,LgZW9b,Y87did,fPeTAb,VwDzFe,zbU9W,alwr6,Ebsiqd,ixOrqc,dlck6b,kmkrAf,n5Xbsc,zbML3c,A7fCU,Uas9Hd,a9EW5e,JGjVRe,hIO81e,pjICDe"} -devtools.debugger.prefs-schema-version 11 -devtools.everOpened true -devtools.netmonitor.columnsData [{"name":"status","minWidth":30,"width":6.11},{"name":"method","minWidth":30,"width":6.11},{"name":"domain","minWidth":30,"width":15.12},{"name":"file","minWidth":30,"width":30.57},{"name":"url","minWidth":30,"width":25},{"name":"initiator","minWidth":30,"width":12.22},{"name":"type","minWidth":30,"width":6.11},{"name":"transferred","minWidth":30,"width":12.22},{"name":"contentSize","minWidth":30,"width":3.22},{"name":"waterfall","minWidth":150,"width":8.33}] -devtools.netmonitor.msg.visibleColumns ["data","time"] -devtools.theme.show-auto-theme-info false -devtools.toolbox.footer.height 461 -devtools.toolbox.selectedTool webconsole 
-devtools.toolbox.splitconsoleEnabled true -devtools.toolbox.splitconsoleHeight 375 -devtools.toolsidebar-height.inspector 350 -devtools.toolsidebar-width.inspector 700 -devtools.toolsidebar-width.inspector.splitsidebar 350 -distribution.iniFile.exists.appversion 99.0.1 -distribution.iniFile.exists.value false -doh-rollout.balrog-migration-done true -doh-rollout.disable-heuristics true -doh-rollout.doneFirstRun true -doh-rollout.doorhanger-decision UIOk -doh-rollout.home-region US -doh-rollout.uri https://mozilla.cloudflare-dns.com/dns-query -dom.forms.autocomplete.formautofill true -dom.push.userAgentID eee254f257bf427ab0efd45620c2a48a -dom.security.https_only_mode true -dom.security.https_only_mode_ever_enabled true -extensions.activeThemeID firefox-compact-dark@mozilla.org -extensions.blocklist.pingCountVersion 0 -extensions.databaseSchema 35 -extensions.formautofill.addresses.enabled false -extensions.formautofill.creditCards.enabled false -extensions.getAddons.cache.lastUpdate 1651249169 -extensions.getAddons.databaseSchema 6 -extensions.lastAppBuildId 20220411174855 -extensions.lastAppVersion 99.0.1 -extensions.lastPlatformVersion 99.0.1 -extensions.pendingOperations false -extensions.pictureinpicture.enable_picture_in_picture_overrides true -extensions.pocket.enabled false -extensions.systemAddonSet {"schema":1,"addons":{}} -extensions.ui.dictionary.hidden true -extensions.ui.lastCategory addons://list/extension -extensions.ui.locale.hidden true -extensions.ui.sitepermission.hidden true -extensions.webcompat.enable_shims true -extensions.webcompat.perform_injections true -extensions.webcompat.perform_ua_overrides true -extensions.webextensions.ExtensionStorageIDB.migrated.CanvasBlocker@kkapsner.de true -extensions.webextensions.ExtensionStorageIDB.migrated.CookieAutoDelete@kennydo.com true -extensions.webextensions.ExtensionStorageIDB.migrated.jid1-BoFifL9Vbdl2zQ@jetpack true -extensions.webextensions.ExtensionStorageIDB.migrated.screenshots@mozilla.org true 
-extensions.webextensions.ExtensionStorageIDB.migrated.uBlock0@raymondhill.net true -extensions.webextensions.ExtensionStorageIDB.migrated.{019b606a-6f61-4d01-af2a-cea528f606da} true -extensions.webextensions.ExtensionStorageIDB.migrated.{74145f27-f039-47ce-a470-a662b129930a} true -extensions.webextensions.ExtensionStorageIDB.migrated.{c607c8df-14a7-4f28-894f-29e8722976af} true -extensions.webextensions.uuids {"doh-rollout@mozilla.org":"697982b2-2d7e-469f-88b3-d737abb91494","formautofill@mozilla.org":"ee90b89c-d5e1-4844-879d-5e272ca8b3b8","pictureinpicture@mozilla.org":"f48e89ba-4dda-442b-a826-1a279f933e83","screenshots@mozilla.org":"ea59b9b6-7035-4aeb-9c84-aaf3e6b53ecf","webcompat-reporter@mozilla.org":"120d9b52-8c85-45f6-b656-d327ac7895ba","webcompat@mozilla.org":"8d0110be-75f1-428c-8361-8dffd5bb7a30","default-theme@mozilla.org":"07e13289-2884-4aef-b07e-049816cbbaff","addons-search-detection@mozilla.com":"bd0f4204-c56a-4c55-853f-5c5e5022b619","google@search.mozilla.org":"f7f3a248-e2b2-4e8b-bba7-891d274e2a01","amazondotcom@search.mozilla.org":"4ea915db-0693-4fb5-b43f-786329b8e8b6","wikipedia@search.mozilla.org":"2b9f44a1-f0b7-4944-acd4-1d0ef3507e34","bing@search.mozilla.org":"e48f6a9d-54d8-4417-af3c-25cc70297278","ddg@search.mozilla.org":"bfe5b2ef-a9f7-4a61-82be-f293de92d3d5","ebay@search.mozilla.org":"3797d472-59a9-42a9-bb44-56a5c0d89d97","firefox-compact-dark@mozilla.org":"2f3a2973-437b-4a20-8ddc-cbadf8a04831","{c0f619ac-25fb-43b6-954d-823fef95c834}":"5da68bb4-db07-4dcf-b6df-4922ec983bb8","uBlock0@raymondhill.net":"3a5f7e3a-e5b6-4a71-a929-8327a87aa195","jid1-BoFifL9Vbdl2zQ@jetpack":"e909903e-19ab-4455-917c-d52fe9663dc8","CookieAutoDelete@kennydo.com":"a123e5cf-29f5-4804-a088-28e5d955067f","{74145f27-f039-47ce-a470-a662b129930a}":"e73f13bc-96a0-4b69-9278-c87dfc816af4","{019b606a-6f61-4d01-af2a-cea528f606da}":"946706b4-c198-4eb2-8f90-f5f54b989097","{c607c8df-14a7-4f28-894f-29e8722976af}":"142a2599-9b5c-42f2-a100-b5157759b00f","CanvasBlocker-Beta@kkapsner.de":"5aa79
ac6-cd58-4de2-9c9d-96c6b018c4c0","CanvasBlocker@kkapsner.de":"1fdb1e14-3ae7-4f03-91f1-25797cfdede4","plugin@okta.com":"c8553349-3a1d-4906-a3fc-cc48c30771d9"} -fission.experiment.max-origins.last-disqualified 1651270264 -fission.experiment.max-origins.last-qualified 1651249644 -fission.experiment.max-origins.qualified false -gecko.handlerService.defaultHandlersVersion 1 -geo.enabled false -identity.fxaccounts.enabled false -idle.lastDailyNotification 1651183323 -layout.spellcheckDefault 0 -media.autoplay.default 5 -media.gmp-gmpopenh264.abi x86_64-gcc3 -media.gmp-gmpopenh264.lastUpdate 1650902782 -media.gmp-gmpopenh264.version 1.8.1.1 -media.gmp-manager.buildID 20220411174855 -media.gmp-manager.lastCheck 1651035544 -media.gmp-widevinecdm.abi x86_64-gcc3 -media.gmp-widevinecdm.lastUpdate 1650902783 -media.gmp-widevinecdm.version 4.10.2391.0 -media.gmp.storage.version.observed 1 -media.videocontrols.picture-in-picture.video-toggle.has-used true -network.cookie.cookieBehavior 5 -network.cookie.lifetimePolicy 2 -network.dns.disablePrefetch true -network.http.referer.disallowCrossSiteRelaxingDefault true -network.http.sendRefererHeader 0 -network.http.speculative-parallel-limit 0 -network.predictor.enabled false -network.prefetch-next false -network.proxy.socks_remote_dns true -network.trr.custom_uri 127.0.0.1 -network.trr.mode 2 -network.trr.uri 127.0.0.1 -pdfjs.enableScripting false -pdfjs.enabledCache.state true -pdfjs.migrationVersion 2 -permissions.default.desktop-notification 2 -permissions.default.geo 2 -places.database.lastMaintenance 1650902941 -privacy.annotate_channels.strict_list.enabled true -privacy.donottrackheader.enabled true -privacy.firstparty.isolate true -privacy.partition.network_state.ocsp_cache true -privacy.purge_trackers.date_in_cookie_database 0 -privacy.purge_trackers.last_purge 1651183323410 -privacy.resistFingerprinting true -privacy.sanitize.pending [{"id":"newtab-container","itemsToClear":[],"options":{}}] 
-privacy.trackingprotection.enabled true -privacy.trackingprotection.socialtracking.enabled true -privacy.userContext.enabled true -privacy.userContext.extension CanvasBlocker@kkapsner.de -privacy.userContext.ui.enabled true -security.enterprise_roots.auto-enabled true -security.enterprise_roots.enabled true -security.remote_settings.crlite_filters.checked 1651266212 -security.remote_settings.intermediates.checked 1651244745 -security.sandbox.content.tempDirSuffix df7cba1a-d39d-47ea-b813-d27cee705e33 -security.ssl.require_safe_negotiation true -security.ssl3.deprecated.rsa_des_ede3_sha false -services.blocklist.addons-mlbf.checked 1651171370 -services.blocklist.gfx.checked 1651076249 -services.settings.clock_skew_seconds 0 -services.settings.last_etag "1651265838569" -services.settings.last_update_seconds 1651266212 -services.settings.main.anti-tracking-url-decoration.last_check 1651076249 -services.settings.main.cfr.last_check 1651076249 -services.settings.main.devtools-compatibility-browsers.last_check 1651179479 -services.settings.main.doh-config.last_check 1651076249 -services.settings.main.doh-providers.last_check 1651076249 -services.settings.main.fxmonitor-breaches.last_check 1651076249 -services.settings.main.hijack-blocklists.last_check 1651076249 -services.settings.main.language-dictionaries.last_check 1651076249 -services.settings.main.message-groups.last_check 1651076249 -services.settings.main.nimbus-desktop-experiments.last_check 1651167455 -services.settings.main.normandy-recipes-capabilities.last_check 1651104326 -services.settings.main.partitioning-exempt-urls.last_check 1651076249 -services.settings.main.password-recipes.last_check 1651076249 -services.settings.main.password-rules.last_check 1651076249 -services.settings.main.personality-provider-models.last_check 1651076249 -services.settings.main.personality-provider-recipe.last_check 1651076249 -services.settings.main.pioneer-study-addons-v1.last_check 1651076249 
-services.settings.main.public-suffix-list.last_check 1651076249 -services.settings.main.query-stripping.last_check 1651076249 -services.settings.main.quicksuggest.last_check 1651076249 -services.settings.main.search-config.last_check 1651076249 -services.settings.main.search-default-override-allowlist.last_check 1651076249 -services.settings.main.search-telemetry-v2.last_check 1651076249 -services.settings.main.sites-classification.last_check 1651076249 -services.settings.main.tippytop.last_check 1651076249 -services.settings.main.top-sites.last_check 1651076249 -services.settings.main.url-classifier-skip-urls.last_check 1651076249 -services.settings.main.websites-with-shared-credential-backends.last_check 1651076249 -services.settings.main.whats-new-panel.last_check 1651076249 -services.settings.security.onecrl.checked 1651076249 -services.sync.clients.lastSync 0 -services.sync.declinedEngines -services.sync.engine.addresses.available true -services.sync.globalScore 0 -services.sync.nextSync 0 -services.sync.tabs.lastSync 0 -signon.autofillForms false -signon.generation.enabled false -signon.rememberSignons false -storage.vacuum.last.index 1 -storage.vacuum.last.places.sqlite 1650902941 -toolkit.startup.last_success 1651070971 -toolkit.telemetry.cachedClientID c0ffeec0-ffee-c0ff-eec0-ffeec0ffeec0 -toolkit.telemetry.pioneer-new-studies-available true -toolkit.telemetry.previousBuildID 20220411174855 -toolkit.telemetry.reportingpolicy.firstRun false -toolkit.telemetry.server -toolkit.telemetry.unified false -trailhead.firstrun.didSeeAboutWelcome true -webgl.disabled true \ No newline at end of file +accessibility.typeaheadfind.flashBar 0 +app.normandy.first_run false +app.normandy.migrationsApplied 12 +app.normandy.user_id 8d6489f6-d3dd-4c41-ae04-4d5935293a82 +app.shield.optoutstudies.enabled false +app.update.background.previous.reasons ["the maintenance service registry key is not present"] +app.update.lastUpdateTime.addon-background-update-timer 1651249169 
+app.update.lastUpdateTime.background-update-timer 1651248172 +app.update.lastUpdateTime.browser-cleanup-thumbnails 1651269633 +app.update.lastUpdateTime.recipe-client-addon-run 1651270012 +app.update.lastUpdateTime.region-update-timer 1650903230 +app.update.lastUpdateTime.rs-experiment-loader-timer 1650907070 +app.update.lastUpdateTime.search-engine-update-timer 1651266292 +app.update.lastUpdateTime.services-settings-poll-changes 1651249049 +app.update.lastUpdateTime.telemetry_modules_ping 1650902300 +app.update.lastUpdateTime.xpi-signature-verification 1651249289 +browser.aboutConfig.showWarning false +browser.bookmarks.defaultLocation 186UoPYwIbmZ +browser.bookmarks.editDialog.confirmationHintShowCount 3 +browser.bookmarks.restore_default_bookmarks false +browser.contentblocking.category strict +browser.contextual-services.contextId {3e64b96e-0ceb-497b-a64f-f16bf4402741} +browser.discovery.enabled false +browser.download.panel.shown true +browser.download.viewableInternally.typeWasRegistered.avif true +browser.download.viewableInternally.typeWasRegistered.webp true +browser.engagement.downloads-button.has-used true +browser.laterrun.bookkeeping.profileCreationTime 1650902239 +browser.laterrun.bookkeeping.sessionCount 9 +browser.laterrun.enabled true +browser.migration.version 125 +browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons false +browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features false +browser.newtabpage.activity-stream.discoverystream.rec.impressions {"126520":1650902276940,"126556":1650902276941,"126604":1650907071710,"191703431":1650909341382} +browser.newtabpage.activity-stream.discoverystream.spoc.impressions {"169420175":[1650907071694,1650907264240,1650907323560,1650908230500,1650909341380]} +browser.newtabpage.activity-stream.feeds.discoverystreamfeed false +browser.newtabpage.activity-stream.feeds.section.topstories false +browser.newtabpage.activity-stream.feeds.telemetry false 
+browser.newtabpage.activity-stream.feeds.topsites false +browser.newtabpage.activity-stream.impressionId {3c0457d0-df27-4114-bfb8-fbf24787a2f4} +browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned amazon,google +browser.newtabpage.activity-stream.section.highlights.includeBookmarks false +browser.newtabpage.activity-stream.section.highlights.includeDownloads false +browser.newtabpage.activity-stream.section.highlights.includePocket false +browser.newtabpage.activity-stream.section.highlights.includeVisited false +browser.newtabpage.activity-stream.showSponsored false +browser.newtabpage.activity-stream.showSponsoredTopSites false +browser.newtabpage.pinned [{"url":"https://amazon.com","label":"@amazon","searchTopSite":true},{"url":"https://google.com","label":"@google","searchTopSite":true}] +browser.newtabpage.storageVersion 1 +browser.pageActions.persistedActions {"ids":["bookmark","_c607c8df-14a7-4f28-894f-29e8722976af_","canvasblocker_kkapsner_de"],"idsInUrlbar":["_c607c8df-14a7-4f28-894f-29e8722976af_","canvasblocker_kkapsner_de","bookmark"],"idsInUrlbarPreProton":[],"version":1} +browser.pagethumbnails.storage_version 3 +browser.ping-centre.telemetry false +browser.privatebrowsing.autostart true +browser.protections_panel.infoMessage.seen true +browser.proton.toolbar.version 3 +browser.region.update.updated 1650902242 +browser.safebrowsing.provider.google4.lastupdatetime 1651269403293 +browser.safebrowsing.provider.google4.nextupdatetime 1651271200293 +browser.safebrowsing.provider.mozilla.lastupdatetime 1651250288230 +browser.safebrowsing.provider.mozilla.nextupdatetime 1651271888230 +browser.search.hiddenOneOffs Wikipedia (en) +browser.search.region US +browser.search.suggest.enabled false +browser.shell.didSkipDefaultBrowserCheckOnFirstRun true +browser.shell.mostRecentDateSetAsDefault 1651070972 +browser.startup.couldRestoreSession.count 1 +browser.startup.homepage_override.buildID 20220411174855 
+browser.startup.homepage_override.mstone 99.0.1 +browser.startup.lastColdStartupCheck 1651070972 +browser.tabs.crashReporting.sendReport false +browser.theme.content-theme 0 +browser.theme.toolbar-theme 0 +browser.uiCustomization.state {"placements":{"widget-overflow-fixed-list":[],"nav-bar":["back-button","forward-button","stop-reload-button","customizableui-special-spring1","urlbar-container","customizableui-special-spring2","save-to-pocket-button","downloads-button","fxa-toolbar-menu-button","_c0f619ac-25fb-43b6-954d-823fef95c834_-browser-action","ublock0_raymondhill_net-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","cookieautodelete_kennydo_com-browser-action","_74145f27-f039-47ce-a470-a662b129930a_-browser-action","_019b606a-6f61-4d01-af2a-cea528f606da_-browser-action","canvasblocker_kkapsner_de-browser-action"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button","_c607c8df-14a7-4f28-894f-29e8722976af_-browser-action"],"PersonalToolbar":["personal-bookmarks"]},"seen":["save-to-pocket-button","developer-button","_c0f619ac-25fb-43b6-954d-823fef95c834_-browser-action","ublock0_raymondhill_net-browser-action","jid1-bofifl9vbdl2zq_jetpack-browser-action","cookieautodelete_kennydo_com-browser-action","_74145f27-f039-47ce-a470-a662b129930a_-browser-action","_019b606a-6f61-4d01-af2a-cea528f606da_-browser-action","_c607c8df-14a7-4f28-894f-29e8722976af_-browser-action","canvasblocker_kkapsner_de-browser-action"],"dirtyAreaCache":["nav-bar","PersonalToolbar","TabsToolbar"],"currentVersion":17,"newElementCount":2} +browser.urlbar.placeholderName Google +browser.urlbar.quicksuggest.migrationVersion 2 +browser.urlbar.quicksuggest.scenario offline +browser.urlbar.shortcuts.bookmarks false +browser.urlbar.shortcuts.history false +browser.urlbar.shortcuts.tabs false +browser.urlbar.suggest.bookmark false +browser.urlbar.suggest.history false +browser.urlbar.suggest.openpage false +browser.urlbar.suggest.quicksuggest.nonsponsored false 
+browser.urlbar.suggest.quicksuggest.sponsored false +browser.urlbar.suggest.topsites false +datareporting.healthreport.uploadEnabled false +datareporting.policy.dataSubmissionPolicyAcceptedVersion 2 +datareporting.policy.dataSubmissionPolicyNotifiedTime 1650902242109 +devtools.debugger.pending-selected-location {"sourceId":"source-https://meet.google.com/_/scs/mss-static/_/js/k=boq-rtc.MeetingsUi.en.QgzuVNXcgx0.2020.O/ck=boq-rtc.MeetingsUi.S5lTOpzhCsg.L.F4.O/am=IgDAAAEAeg0kAEgZNgEgMABBAAAgKEAH5OUHAACAGDAACDgDwIAkgAAAAEACMgMAFGAAAF4CgIyCxACA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,calldesktoppageview/esmo=1/ed=1/wt=2/rs=AL5CKSHQTHw1r9a5csKzOGIegMrkXmwhOA/ee=cEt90b:ws9Tlc;rXjWyb:VWuaCc;uY49fb:COQbmf;oGtAuc:sOXFj;SVOR2e:RqS4qe;yxTchf:KUM7Z;qddgKe:xQtZb;dIoSBb:SpsfSb;BjCzpe:Yvr34d;BVZWad:llTWPd;kqpyR:oFF0ab;gAClPb:ghdkwd;ZaFVgc:wOWhl;b3iZcb:celsfc;giw6qf:EcLnpd;iKsOgb:cWjcJb;lbbWme:daIyVc;h315Eb:VkDogc;eBAeSb:zbML3c;CG6AQc:krpgkb;hoquJe:EjBUIf;MJ6mxb:ubdYZ;BRmVff:HS5Yaf;PRDQhf:ux3mLc;zWcMwf:K9Wjeb;rUAape:NePQb;w1T0Td:xpWMVc;l6twR:Fvyyad;SIjcAd:jrKD8b;jtBjNe:dWHZee;lJ7cgb:Erp0q;NSEoX:lazG7b;X6zUkd:u0z0vd;cFl0Ie:PWJipc;rI0Pr:Cqvedd;x2i2de:zeWni;BVdD3:kUrwYe;brLlgb:SCXWAb;XLRw3e:OcCk8d;reHXFb:qZ6i3c;brg6Gd:TlvL3b;YBihAb:oeIFub;esl3oe:Qz2vJf;dYFttf:ZRxAzc;zxnPse:GkRiKb;EVNhjf:pw70Gc;cYTQve:bmEjgc;RYWUUc:anescc;vKM7Jb:cWjcJb;io8t5d:yDVVkb;j7137d:KG2eXe;Oj465e:KG2eXe;ul9GGd:JrBFQb;sP4Vbe:VwDzFe;kMFpHd:blwjVc;NPKaK:SdcwHb;pXdRYb:MdUzUe;nAFL3:s39S4;iFQyKf:QIhFr;SNUn3:ZwDk9d;LBgRLc:SdcwHb;wR5FRb:O1Gjze/m=n73qwf,ws9Tlc,e5qFLc,GkRiKb,IZT63,UUJqVe,O1Gjze,xUdipf,blwjVc,fKUV3e,aurFic,COQbmf,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,XU5LFb,m9oV,hl,rrm,jKHFJb,WO9ee,T6U9J,lHoXXe,SFhYHb,rsr,oFF0ab,sVRBvb,AePfdf,RqS4qe,t8N1l,k2r0oe,hIrTA,nUMwj,FMq9Lb,g1cBhf,O6y8ed,PrPYRd,MpJwZc,NwH0H,OmgaI,lazG7b,Mpq4Ee,g9HNd,MsyKad,ma,tQz2Ve,Yvr34d,XVMNvd,L1AAkb,KUM7Z,VWuaCc,Fl2dbf,GcAaod,vaToBb,rn9YO,Y0bgVb,s39S4,lwddkf,gychg,w9hDv,RMhBfe,tgTcU,FJm4Gb,lAg79c,TH1Apc,SdcwHb,aW3pY,P1S3zf,DM8swd,pw70Gc,EFQ78c,Ul
mmrd,ZfAoz,mdR7q,Ivl8bd,kbLDWb,I6YDgd,N5Lqpc,fgj8Rb,xQtZb,PQaYAf,y4Nztd,gJzDyc,JNoxi,MI6k7c,kjKdXe,texUgd,xGC4Gb,BVgquf,llTWPd,lPKSwe,EcLnpd,QIhFr,lfpdyf,FYCkde,hKSk3e,FSOnAf,wfcdnd,cilABe,qexExd,DNsE7e,jdrlZe,sIckOb,swpmp,yllLZc,gtEOic,CvtcN,sszRX,wiZ2v,QQnX0,yDVVkb,oUdseb,sPwFo,CJeEuc,tZtmyd,Tnlgmf,dWHZee,LTMqbe,uRj5Ac,Z7OaKe,DPQwOe,DDvSYd,NNJERe,hc6Ubd,IVuTze,yF5Ngd,ggZMAe,Lamzc,KG2eXe,SpsfSb,cWjcJb,zthRrb,MdUzUe,NHietc,LgZW9b,Y87did,fPeTAb,VwDzFe,zbU9W,alwr6,Ebsiqd,ixOrqc,dlck6b,kmkrAf,n5Xbsc,zbML3c,A7fCU,Uas9Hd,a9EW5e,JGjVRe,hIO81e,pjICDe","line":1959,"column":120,"url":"https://meet.google.com/_/scs/mss-static/_/js/k=boq-rtc.MeetingsUi.en.QgzuVNXcgx0.2020.O/ck=boq-rtc.MeetingsUi.S5lTOpzhCsg.L.F4.O/am=IgDAAAEAeg0kAEgZNgEgMABBAAAgKEAH5OUHAACAGDAACDgDwIAkgAAAAEACMgMAFGAAAF4CgIyCxACA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,calldesktoppageview/esmo=1/ed=1/wt=2/rs=AL5CKSHQTHw1r9a5csKzOGIegMrkXmwhOA/ee=cEt90b:ws9Tlc;rXjWyb:VWuaCc;uY49fb:COQbmf;oGtAuc:sOXFj;SVOR2e:RqS4qe;yxTchf:KUM7Z;qddgKe:xQtZb;dIoSBb:SpsfSb;BjCzpe:Yvr34d;BVZWad:llTWPd;kqpyR:oFF0ab;gAClPb:ghdkwd;ZaFVgc:wOWhl;b3iZcb:celsfc;giw6qf:EcLnpd;iKsOgb:cWjcJb;lbbWme:daIyVc;h315Eb:VkDogc;eBAeSb:zbML3c;CG6AQc:krpgkb;hoquJe:EjBUIf;MJ6mxb:ubdYZ;BRmVff:HS5Yaf;PRDQhf:ux3mLc;zWcMwf:K9Wjeb;rUAape:NePQb;w1T0Td:xpWMVc;l6twR:Fvyyad;SIjcAd:jrKD8b;jtBjNe:dWHZee;lJ7cgb:Erp0q;NSEoX:lazG7b;X6zUkd:u0z0vd;cFl0Ie:PWJipc;rI0Pr:Cqvedd;x2i2de:zeWni;BVdD3:kUrwYe;brLlgb:SCXWAb;XLRw3e:OcCk8d;reHXFb:qZ6i3c;brg6Gd:TlvL3b;YBihAb:oeIFub;esl3oe:Qz2vJf;dYFttf:ZRxAzc;zxnPse:GkRiKb;EVNhjf:pw70Gc;cYTQve:bmEjgc;RYWUUc:anescc;vKM7Jb:cWjcJb;io8t5d:yDVVkb;j7137d:KG2eXe;Oj465e:KG2eXe;ul9GGd:JrBFQb;sP4Vbe:VwDzFe;kMFpHd:blwjVc;NPKaK:SdcwHb;pXdRYb:MdUzUe;nAFL3:s39S4;iFQyKf:QIhFr;SNUn3:ZwDk9d;LBgRLc:SdcwHb;wR5FRb:O1Gjze/m=n73qwf,ws9Tlc,e5qFLc,GkRiKb,IZT63,UUJqVe,O1Gjze,xUdipf,blwjVc,fKUV3e,aurFic,COQbmf,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,XU5LFb,m9oV,hl,rrm,jKHFJb,WO9ee,T6U9J,lHoXXe,SFhYHb,rsr,oFF0ab,sVRBvb,AePfdf,RqS4qe,t8N1l,k2r0oe,hIrTA,nUMwj,FMq9L
b,g1cBhf,O6y8ed,PrPYRd,MpJwZc,NwH0H,OmgaI,lazG7b,Mpq4Ee,g9HNd,MsyKad,ma,tQz2Ve,Yvr34d,XVMNvd,L1AAkb,KUM7Z,VWuaCc,Fl2dbf,GcAaod,vaToBb,rn9YO,Y0bgVb,s39S4,lwddkf,gychg,w9hDv,RMhBfe,tgTcU,FJm4Gb,lAg79c,TH1Apc,SdcwHb,aW3pY,P1S3zf,DM8swd,pw70Gc,EFQ78c,Ulmmrd,ZfAoz,mdR7q,Ivl8bd,kbLDWb,I6YDgd,N5Lqpc,fgj8Rb,xQtZb,PQaYAf,y4Nztd,gJzDyc,JNoxi,MI6k7c,kjKdXe,texUgd,xGC4Gb,BVgquf,llTWPd,lPKSwe,EcLnpd,QIhFr,lfpdyf,FYCkde,hKSk3e,FSOnAf,wfcdnd,cilABe,qexExd,DNsE7e,jdrlZe,sIckOb,swpmp,yllLZc,gtEOic,CvtcN,sszRX,wiZ2v,QQnX0,yDVVkb,oUdseb,sPwFo,CJeEuc,tZtmyd,Tnlgmf,dWHZee,LTMqbe,uRj5Ac,Z7OaKe,DPQwOe,DDvSYd,NNJERe,hc6Ubd,IVuTze,yF5Ngd,ggZMAe,Lamzc,KG2eXe,SpsfSb,cWjcJb,zthRrb,MdUzUe,NHietc,LgZW9b,Y87did,fPeTAb,VwDzFe,zbU9W,alwr6,Ebsiqd,ixOrqc,dlck6b,kmkrAf,n5Xbsc,zbML3c,A7fCU,Uas9Hd,a9EW5e,JGjVRe,hIO81e,pjICDe"} +devtools.debugger.prefs-schema-version 11 +devtools.everOpened true +devtools.netmonitor.columnsData [{"name":"status","minWidth":30,"width":6.11},{"name":"method","minWidth":30,"width":6.11},{"name":"domain","minWidth":30,"width":15.12},{"name":"file","minWidth":30,"width":30.57},{"name":"url","minWidth":30,"width":25},{"name":"initiator","minWidth":30,"width":12.22},{"name":"type","minWidth":30,"width":6.11},{"name":"transferred","minWidth":30,"width":12.22},{"name":"contentSize","minWidth":30,"width":3.22},{"name":"waterfall","minWidth":150,"width":8.33}] +devtools.netmonitor.msg.visibleColumns ["data","time"] +devtools.theme.show-auto-theme-info false +devtools.toolbox.footer.height 461 +devtools.toolbox.selectedTool webconsole +devtools.toolbox.splitconsoleEnabled true +devtools.toolbox.splitconsoleHeight 375 +devtools.toolsidebar-height.inspector 350 +devtools.toolsidebar-width.inspector 700 +devtools.toolsidebar-width.inspector.splitsidebar 350 +distribution.iniFile.exists.appversion 99.0.1 +distribution.iniFile.exists.value false +doh-rollout.balrog-migration-done true +doh-rollout.disable-heuristics true +doh-rollout.doneFirstRun true +doh-rollout.doorhanger-decision 
UIOk
+doh-rollout.home-region US
+doh-rollout.uri https://mozilla.cloudflare-dns.com/dns-query
+dom.forms.autocomplete.formautofill true
+dom.push.userAgentID eee254f257bf427ab0efd45620c2a48a
+dom.security.https_only_mode true
+dom.security.https_only_mode_ever_enabled true
+extensions.activeThemeID firefox-compact-dark@mozilla.org
+extensions.blocklist.pingCountVersion 0
+extensions.databaseSchema 35
+extensions.formautofill.addresses.enabled false
+extensions.formautofill.creditCards.enabled false
+extensions.getAddons.cache.lastUpdate 1651249169
+extensions.getAddons.databaseSchema 6
+extensions.lastAppBuildId 20220411174855
+extensions.lastAppVersion 99.0.1
+extensions.lastPlatformVersion 99.0.1
+extensions.pendingOperations false
+extensions.pictureinpicture.enable_picture_in_picture_overrides true
+extensions.pocket.enabled false
+extensions.systemAddonSet {"schema":1,"addons":{}}
+extensions.ui.dictionary.hidden true
+extensions.ui.lastCategory addons://list/extension
+extensions.ui.locale.hidden true
+extensions.ui.sitepermission.hidden true
+extensions.webcompat.enable_shims true
+extensions.webcompat.perform_injections true
+extensions.webcompat.perform_ua_overrides true
+extensions.webextensions.ExtensionStorageIDB.migrated.CanvasBlocker@kkapsner.de true
+extensions.webextensions.ExtensionStorageIDB.migrated.CookieAutoDelete@kennydo.com true
+extensions.webextensions.ExtensionStorageIDB.migrated.jid1-BoFifL9Vbdl2zQ@jetpack true
+extensions.webextensions.ExtensionStorageIDB.migrated.screenshots@mozilla.org true
+extensions.webextensions.ExtensionStorageIDB.migrated.uBlock0@raymondhill.net true
+extensions.webextensions.ExtensionStorageIDB.migrated.{019b606a-6f61-4d01-af2a-cea528f606da} true
+extensions.webextensions.ExtensionStorageIDB.migrated.{74145f27-f039-47ce-a470-a662b129930a} true
+extensions.webextensions.ExtensionStorageIDB.migrated.{c607c8df-14a7-4f28-894f-29e8722976af} true
+extensions.webextensions.uuids 
{"doh-rollout@mozilla.org":"697982b2-2d7e-469f-88b3-d737abb91494","formautofill@mozilla.org":"ee90b89c-d5e1-4844-879d-5e272ca8b3b8","pictureinpicture@mozilla.org":"f48e89ba-4dda-442b-a826-1a279f933e83","screenshots@mozilla.org":"ea59b9b6-7035-4aeb-9c84-aaf3e6b53ecf","webcompat-reporter@mozilla.org":"120d9b52-8c85-45f6-b656-d327ac7895ba","webcompat@mozilla.org":"8d0110be-75f1-428c-8361-8dffd5bb7a30","default-theme@mozilla.org":"07e13289-2884-4aef-b07e-049816cbbaff","addons-search-detection@mozilla.com":"bd0f4204-c56a-4c55-853f-5c5e5022b619","google@search.mozilla.org":"f7f3a248-e2b2-4e8b-bba7-891d274e2a01","amazondotcom@search.mozilla.org":"4ea915db-0693-4fb5-b43f-786329b8e8b6","wikipedia@search.mozilla.org":"2b9f44a1-f0b7-4944-acd4-1d0ef3507e34","bing@search.mozilla.org":"e48f6a9d-54d8-4417-af3c-25cc70297278","ddg@search.mozilla.org":"bfe5b2ef-a9f7-4a61-82be-f293de92d3d5","ebay@search.mozilla.org":"3797d472-59a9-42a9-bb44-56a5c0d89d97","firefox-compact-dark@mozilla.org":"2f3a2973-437b-4a20-8ddc-cbadf8a04831","{c0f619ac-25fb-43b6-954d-823fef95c834}":"5da68bb4-db07-4dcf-b6df-4922ec983bb8","uBlock0@raymondhill.net":"3a5f7e3a-e5b6-4a71-a929-8327a87aa195","jid1-BoFifL9Vbdl2zQ@jetpack":"e909903e-19ab-4455-917c-d52fe9663dc8","CookieAutoDelete@kennydo.com":"a123e5cf-29f5-4804-a088-28e5d955067f","{74145f27-f039-47ce-a470-a662b129930a}":"e73f13bc-96a0-4b69-9278-c87dfc816af4","{019b606a-6f61-4d01-af2a-cea528f606da}":"946706b4-c198-4eb2-8f90-f5f54b989097","{c607c8df-14a7-4f28-894f-29e8722976af}":"142a2599-9b5c-42f2-a100-b5157759b00f","CanvasBlocker-Beta@kkapsner.de":"5aa79ac6-cd58-4de2-9c9d-96c6b018c4c0","CanvasBlocker@kkapsner.de":"1fdb1e14-3ae7-4f03-91f1-25797cfdede4","plugin@okta.com":"c8553349-3a1d-4906-a3fc-cc48c30771d9"} +fission.experiment.max-origins.last-disqualified 1651270264 +fission.experiment.max-origins.last-qualified 1651249644 +fission.experiment.max-origins.qualified false +gecko.handlerService.defaultHandlersVersion 1 +geo.enabled false 
+identity.fxaccounts.enabled false
+idle.lastDailyNotification 1651183323
+layout.spellcheckDefault 0
+media.autoplay.default 5
+media.gmp-gmpopenh264.abi x86_64-gcc3
+media.gmp-gmpopenh264.lastUpdate 1650902782
+media.gmp-gmpopenh264.version 1.8.1.1
+media.gmp-manager.buildID 20220411174855
+media.gmp-manager.lastCheck 1651035544
+media.gmp-widevinecdm.abi x86_64-gcc3
+media.gmp-widevinecdm.lastUpdate 1650902783
+media.gmp-widevinecdm.version 4.10.2391.0
+media.gmp.storage.version.observed 1
+media.videocontrols.picture-in-picture.video-toggle.has-used true
+network.cookie.cookieBehavior 5
+network.cookie.lifetimePolicy 2
+network.dns.disablePrefetch true
+network.http.referer.disallowCrossSiteRelaxingDefault true
+network.http.sendRefererHeader 0
+network.http.speculative-parallel-limit 0
+network.predictor.enabled false
+network.prefetch-next false
+network.proxy.socks_remote_dns true
+network.trr.custom_uri 127.0.0.1
+network.trr.mode 2
+network.trr.uri 127.0.0.1
+pdfjs.enableScripting false
+pdfjs.enabledCache.state true
+pdfjs.migrationVersion 2
+permissions.default.desktop-notification 2
+permissions.default.geo 2
+places.database.lastMaintenance 1650902941
+privacy.annotate_channels.strict_list.enabled true
+privacy.donottrackheader.enabled true
+privacy.firstparty.isolate true
+privacy.partition.network_state.ocsp_cache true
+privacy.purge_trackers.date_in_cookie_database 0
+privacy.purge_trackers.last_purge 1651183323410
+privacy.resistFingerprinting true
+privacy.sanitize.pending [{"id":"newtab-container","itemsToClear":[],"options":{}}]
+privacy.trackingprotection.enabled true
+privacy.trackingprotection.socialtracking.enabled true
+privacy.userContext.enabled true
+privacy.userContext.extension CanvasBlocker@kkapsner.de
+privacy.userContext.ui.enabled true
+security.enterprise_roots.auto-enabled true
+security.enterprise_roots.enabled true
+security.remote_settings.crlite_filters.checked 1651266212
+security.remote_settings.intermediates.checked 
1651244745
+security.sandbox.content.tempDirSuffix df7cba1a-d39d-47ea-b813-d27cee705e33
+security.ssl.require_safe_negotiation true
+security.ssl3.deprecated.rsa_des_ede3_sha false
+services.blocklist.addons-mlbf.checked 1651171370
+services.blocklist.gfx.checked 1651076249
+services.settings.clock_skew_seconds 0
+services.settings.last_etag "1651265838569"
+services.settings.last_update_seconds 1651266212
+services.settings.main.anti-tracking-url-decoration.last_check 1651076249
+services.settings.main.cfr.last_check 1651076249
+services.settings.main.devtools-compatibility-browsers.last_check 1651179479
+services.settings.main.doh-config.last_check 1651076249
+services.settings.main.doh-providers.last_check 1651076249
+services.settings.main.fxmonitor-breaches.last_check 1651076249
+services.settings.main.hijack-blocklists.last_check 1651076249
+services.settings.main.language-dictionaries.last_check 1651076249
+services.settings.main.message-groups.last_check 1651076249
+services.settings.main.nimbus-desktop-experiments.last_check 1651167455
+services.settings.main.normandy-recipes-capabilities.last_check 1651104326
+services.settings.main.partitioning-exempt-urls.last_check 1651076249
+services.settings.main.password-recipes.last_check 1651076249
+services.settings.main.password-rules.last_check 1651076249
+services.settings.main.personality-provider-models.last_check 1651076249
+services.settings.main.personality-provider-recipe.last_check 1651076249
+services.settings.main.pioneer-study-addons-v1.last_check 1651076249
+services.settings.main.public-suffix-list.last_check 1651076249
+services.settings.main.query-stripping.last_check 1651076249
+services.settings.main.quicksuggest.last_check 1651076249
+services.settings.main.search-config.last_check 1651076249
+services.settings.main.search-default-override-allowlist.last_check 1651076249
+services.settings.main.search-telemetry-v2.last_check 1651076249
+services.settings.main.sites-classification.last_check 
1651076249
+services.settings.main.tippytop.last_check 1651076249
+services.settings.main.top-sites.last_check 1651076249
+services.settings.main.url-classifier-skip-urls.last_check 1651076249
+services.settings.main.websites-with-shared-credential-backends.last_check 1651076249
+services.settings.main.whats-new-panel.last_check 1651076249
+services.settings.security.onecrl.checked 1651076249
+services.sync.clients.lastSync 0
+services.sync.declinedEngines
+services.sync.engine.addresses.available true
+services.sync.globalScore 0
+services.sync.nextSync 0
+services.sync.tabs.lastSync 0
+signon.autofillForms false
+signon.generation.enabled false
+signon.rememberSignons false
+storage.vacuum.last.index 1
+storage.vacuum.last.places.sqlite 1650902941
+toolkit.startup.last_success 1651070971
+toolkit.telemetry.cachedClientID c0ffeec0-ffee-c0ff-eec0-ffeec0ffeec0
+toolkit.telemetry.pioneer-new-studies-available true
+toolkit.telemetry.previousBuildID 20220411174855
+toolkit.telemetry.reportingpolicy.firstRun false
+toolkit.telemetry.server
+toolkit.telemetry.unified false
+trailhead.firstrun.didSeeAboutWelcome true
+webgl.disabled true
diff --git a/firefox.user.js b/firefox.user.js
index fc69785..688be49 100644
--- a/firefox.user.js
+++ b/firefox.user.js
@@ -1,87 +1,98 @@ // https://github.com/drduh/config/blob/master/firefox.user.js // https://github.com/ghacksuserjs/ghacks-user.js // https://github.com/pyllyukko/user.js -//user_pref("browser.cache.disk.capacity", 0); // disable disk cache -//user_pref("browser.cache.disk.enable", false); // disable disk cache -//user_pref("browser.newtab.url", "about:blank"); // blank new tab page -//user_pref("browser.newtabpage.enabled", false); // blank new tab page -//user_pref("browser.privatebrowsing.autostart", true); // private browsing mode only; may break sites -//user_pref("browser.safebrowsing.malware.enabled", false); // disable safebrowsing -//user_pref("browser.safebrowsing.phishing.enabled", false); // disable safebrowsing -//user_pref("browser.search.widget.inNavBar", true); // move search bar to toolbar -//user_pref("browser.startup.homepage", "file:///home/web/index.html"); // custom start-up page -//user_pref("browser.startup.page", 1); // 0: blank; 1: home; 2: last visited; 3: resume last -//user_pref("browser.uidensity", 1); // reduce UI empty space -//user_pref("browser.urlbar.suggest.bookmark", false); // do not suggest bookmarks -//user_pref("browser.urlbar.suggest.history", false); // do not suggest history -//user_pref("dom.enable_performance", false); // disable DOM timing; may break sites -//user_pref("dom.serviceWorkers.enabled", false); // disable service workers; may break sites -//user_pref("dom.storage.enabled", false); // disable DOM storage; will break sites -//user_pref("dom.storageManager.enabled", false); // disable storage; may break sites -//user_pref("full-screen-api.enabled", false); // disable fullscreen -//user_pref("gfx.xrender.enabled", true); // may improve performance -//user_pref("javascript.enabled", false); // disable javascript; will break sites -//user_pref("javascript.options.baselinejit", false); // disable JS JIT; may break sites -//user_pref("javascript.options.ion", false); // disable JS Ion; may break sites 
-//user_pref("layers.acceleration.disabled", true); // disable hardware acceleration; performance hit -//user_pref("layers.acceleration.force-enabled", true); // may improve performance on *nix -//user_pref("layout.css.devPixelsPerPx", "1.5"); // increase UI size -//user_pref("media.media-capabilities.enabled", false); // disable media capabilities; may break sites -//user_pref("network.cookie.cookieBehavior", 1); // block third-party cookies -//user_pref("network.cookie.lifetimePolicy", 2); // expire cookies on browser close -//user_pref("network.dns.blockDotOnion", true); // reject .onion domains -//user_pref("network.dns.disableIPv6", true); // disable IPv6 -//user_pref("network.http.referer.XOriginTrimmingPolicy", 2); // limit Cross Origin path; may break sites -//user_pref("network.http.referer.defaultPolicy", 0); // 0: no-ref; 1: same-origin; 2: strict-origin; 3: no-downgrade; may break sites -//user_pref("network.http.referer.defaultPolicy.pbmode", 0); -//user_pref("network.http.referer.trimmingPolicy", 2); // trim Refer to scheme, host, port only; may break sites -//user_pref("network.http.sendRefererHeader", 0); // send Referer; 0: never; 1: clicks; 2: links and images; may break sites -//user_pref("network.proxy.http", "127.0.0.1"); // proxy on localhost -//user_pref("network.proxy.http_port", 8118); // privoxy on port 8118 -//user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1"); -//user_pref("network.proxy.share_proxy_settings", true); -//user_pref("network.proxy.socks", "127.0.0.1"); -//user_pref("network.proxy.socks_port", 5555); // ssh tunnel on port 5555 -//user_pref("network.proxy.socks_remote_dns", true); -//user_pref("network.proxy.ssl", "127.0.0.1"); -//user_pref("network.proxy.ssl_port", 8118); // privoxy on port 8118 -//user_pref("network.proxy.type", 1); // 1: manual; 2: PAC; 4: WPAD -//user_pref("privacy.clearOnShutdown.cookies", true); -//user_pref("privacy.clearOnShutdown.history", true); -//user_pref("privacy.cpd.cookies", 
true); -//user_pref("privacy.cpd.history", true); -//user_pref("privacy.donottrackheader.enabled", true); // send DNT HTTP header -//user_pref("privacy.firstparty.isolate", true); // isolate cookies to 1P; may break sites -//user_pref("privacy.resistFingerprinting", true); // enable anti-fingerprinting features; may break sites -//user_pref("privacy.resistFingerprinting.letterboxing", true); // letterbox window -//user_pref("privacy.sanitize.sanitizeOnShutdown", true); // clear history on exit -//user_pref("privacy.trackingprotection.pbmode.enabled", false); -//user_pref("privacy.window.maxInnerHeight", 720); -//user_pref("privacy.window.maxInnerWidth", 1280); -//user_pref("security.OCSP.enabled", 1); // enable OCSP fetching for all certs -//user_pref("security.OCSP.require", true); // force check certificate revocation -//user_pref("security.dialog_enable_delay", 1000); // ms delay on dialogs -//user_pref("security.ssl.require_safe_negotiation", true); // may break sites -//user_pref("security.ssl3.rsa_aes_128_sha", false); // disable cipher; may break sites -//user_pref("security.ssl3.rsa_aes_256_sha", false); // disable cipher; may break sites -//user_pref("security.tls.version.min", 3); // minimum TLS 1.2; may break sites -//user_pref("security.webauth.u2f", true); // turn on U2F -//user_pref("svg.disabled", true); // disable SVG rendering; may break sites +// user_pref("browser.cache.disk.capacity", 0); // disable disk cache +// user_pref("browser.cache.disk.enable", false); // disable disk cache +// user_pref("browser.newtab.url", "about:blank"); // blank new tab page +// user_pref("browser.newtabpage.enabled", false); // blank new tab page +// user_pref("browser.privatebrowsing.autostart", true); // private browsing +// mode only; may break sites user_pref("browser.safebrowsing.malware.enabled", +// false); // disable safebrowsing +// user_pref("browser.safebrowsing.phishing.enabled", false); // disable +// safebrowsing 
user_pref("browser.search.widget.inNavBar", true); // move +// search bar to toolbar user_pref("browser.startup.homepage", +// "file:///home/web/index.html"); // custom start-up page +// user_pref("browser.startup.page", 1); // 0: blank; 1: home; 2: last visited; +// 3: resume last user_pref("browser.uidensity", 1); // reduce UI empty space +// user_pref("browser.urlbar.suggest.bookmark", false); // do not suggest +// bookmarks user_pref("browser.urlbar.suggest.history", false); // do not +// suggest history user_pref("dom.enable_performance", false); // disable DOM +// timing; may break sites user_pref("dom.serviceWorkers.enabled", false); // +// disable service workers; may break sites user_pref("dom.storage.enabled", +// false); // disable DOM storage; will break sites +// user_pref("dom.storageManager.enabled", false); // disable storage; may +// break sites user_pref("full-screen-api.enabled", false); // disable +// fullscreen user_pref("gfx.xrender.enabled", true); // may improve +// performance user_pref("javascript.enabled", false); // disable javascript; +// will break sites user_pref("javascript.options.baselinejit", false); // +// disable JS JIT; may break sites user_pref("javascript.options.ion", false); +// // disable JS Ion; may break sites user_pref("layers.acceleration.disabled", +// true); // disable hardware acceleration; performance hit +// user_pref("layers.acceleration.force-enabled", true); // may improve +// performance on *nix user_pref("layout.css.devPixelsPerPx", "1.5"); // +// increase UI size user_pref("media.media-capabilities.enabled", false); // +// disable media capabilities; may break sites +// user_pref("network.cookie.cookieBehavior", 1); // block third-party cookies +// user_pref("network.cookie.lifetimePolicy", 2); // expire cookies on browser +// close user_pref("network.dns.blockDotOnion", true); // reject .onion domains +// user_pref("network.dns.disableIPv6", true); // disable IPv6 +// 
user_pref("network.http.referer.XOriginTrimmingPolicy", 2); // limit Cross +// Origin path; may break sites user_pref("network.http.referer.defaultPolicy", +// 0); // 0: no-ref; 1: same-origin; 2: strict-origin; 3: no-downgrade; may +// break sites user_pref("network.http.referer.defaultPolicy.pbmode", 0); +// user_pref("network.http.referer.trimmingPolicy", 2); // trim Refer to +// scheme, host, port only; may break sites +// user_pref("network.http.sendRefererHeader", 0); // send Referer; 0: never; +// 1: clicks; 2: links and images; may break sites +// user_pref("network.proxy.http", "127.0.0.1"); // proxy on localhost +// user_pref("network.proxy.http_port", 8118); // privoxy on port 8118 +// user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1"); +// user_pref("network.proxy.share_proxy_settings", true); +// user_pref("network.proxy.socks", "127.0.0.1"); +// user_pref("network.proxy.socks_port", 5555); // ssh tunnel on port 5555 +// user_pref("network.proxy.socks_remote_dns", true); +// user_pref("network.proxy.ssl", "127.0.0.1"); +// user_pref("network.proxy.ssl_port", 8118); // privoxy on port 8118 +// user_pref("network.proxy.type", 1); // 1: manual; 2: PAC; 4: WPAD +// user_pref("privacy.clearOnShutdown.cookies", true); +// user_pref("privacy.clearOnShutdown.history", true); +// user_pref("privacy.cpd.cookies", true); +// user_pref("privacy.cpd.history", true); +// user_pref("privacy.donottrackheader.enabled", true); // send DNT HTTP header +// user_pref("privacy.firstparty.isolate", true); // isolate cookies to 1P; may +// break sites user_pref("privacy.resistFingerprinting", true); // enable +// anti-fingerprinting features; may break sites +// user_pref("privacy.resistFingerprinting.letterboxing", true); // letterbox +// window user_pref("privacy.sanitize.sanitizeOnShutdown", true); // clear +// history on exit user_pref("privacy.trackingprotection.pbmode.enabled", +// false); user_pref("privacy.window.maxInnerHeight", 720); +// 
user_pref("privacy.window.maxInnerWidth", 1280); +// user_pref("security.OCSP.enabled", 1); // enable OCSP fetching for all certs +// user_pref("security.OCSP.require", true); // force check certificate +// revocation user_pref("security.dialog_enable_delay", 1000); // ms delay on +// dialogs user_pref("security.ssl.require_safe_negotiation", true); // may +// break sites user_pref("security.ssl3.rsa_aes_128_sha", false); // disable +// cipher; may break sites user_pref("security.ssl3.rsa_aes_256_sha", false); // +// disable cipher; may break sites user_pref("security.tls.version.min", 3); // +// minimum TLS 1.2; may break sites user_pref("security.webauth.u2f", true); // +// turn on U2F user_pref("svg.disabled", true); // disable SVG rendering; may +// break sites user_pref("accessibility.browsewithcaret", true); -user_pref("accessibility.force_disabled", 1); // disable accessibility services -user_pref("accessibility.typeaheadfind", true); // enable page search by typing +user_pref("accessibility.force_disabled", 1); // disable accessibility services +user_pref("accessibility.typeaheadfind", true); // enable page search by typing user_pref("accessibility.typeaheadfind.flashBar", 0); user_pref("app.normandy.api_url", ""); user_pref("app.normandy.enabled", false); user_pref("app.normandy.first_run", false); -user_pref("app.shield.optoutstudies.enabled", false); // disable studies -user_pref("app.update.auto", false); // disable auto update check +user_pref("app.shield.optoutstudies.enabled", false); // disable studies +user_pref("app.update.auto", false); // disable auto update check user_pref("app.update.service.enabled", false); -user_pref("app.update.silent", false); // notify on all updates states -user_pref("app.update.staging.enabled", false); // do not stage background updates +user_pref("app.update.silent", false); // notify on all updates states +user_pref("app.update.staging.enabled", + false); // do not stage background updates 
user_pref("app.update.url", ""); user_pref("beacon.enabled", false); // disable additional analytics -user_pref("breakpad.reportURL", ""); // disable crash reports +user_pref("breakpad.reportURL", ""); // disable crash reports user_pref("browser.aboutConfig.showWarning", false); user_pref("browser.aboutHomeSnippets.updateUrl", ""); user_pref("browser.bookmarks.max_backups", 0); 
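Review bot: The reflowed comment block in this hunk (the `+// ...` lines from `browser.privatebrowsing.autostart` through `svg.disabled`) has merged the commented-out prefs into wrapped prose, so entries such as `// mode only; may break sites user_pref("browser.safebrowsing.malware.enabled",` followed by `// false); // disable safebrowsing` can no longer be re-enabled by deleting the leading `//` — which matters most for the proxy, referer, OCSP and `security.tls.version.min` entries the file keeps as ready-made hardening toggles. Presumably a clang-format hook treated the `.js` file as C-family code; restoring the one-pref-per-line form and fencing that block with `// clang-format off` / `// clang-format on` (or excluding `firefox.user.js` from the hook) would stop the next run from repeating it. The same hook also split active calls across two lines (`user_pref("app.update.staging.enabled",` / `false); // do not stage background updates`, repeated in the hunks at `@@ -89,53`, `@@ -144,13` and `@@ -158,7`); as far as I know the Firefox pref parser is whitespace-tolerant and accepts the newline, but one pref per line is the layout the file's own header comments and the three referenced upstream user.js files use, so the exclusion would keep those consistent as well.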
@@ -89,53 +100,67 @@ user_pref("browser.bookmarks.restore_default_bookmarks", false); user_pref("browser.cache.disk.smart_size.enabled", false); user_pref("browser.cache.disk.smart_size.first_run", false); user_pref("browser.cache.disk.smart_size.use_old_max", false); -user_pref("browser.cache.disk_cache_ssl", false); // disable caching SSL pages -user_pref("browser.cache.offline.enable", false); // disable offline cache +user_pref("browser.cache.disk_cache_ssl", false); // disable caching SSL pages +user_pref("browser.cache.offline.enable", false); // disable offline cache user_pref("browser.cache.offline.insecure.enable", false); -user_pref("browser.casting.enabled", false); // disable SSDP -user_pref("browser.chrome.errorReporter.enabled", false); // disable browser error reporter +user_pref("browser.casting.enabled", false); // disable SSDP +user_pref("browser.chrome.errorReporter.enabled", + false); // disable browser error reporter user_pref("browser.chrome.errorReporter.submitUrl", ""); user_pref("browser.contentHandlers.types.0.uri", ""); user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); user_pref("browser.crashReports.unsubmittedCheck.enabled", false); -user_pref("browser.ctrlTab.recentlyUsedOrder", false); // control-tab cycles tabs +user_pref("browser.ctrlTab.recentlyUsedOrder", + false); // control-tab cycles tabs user_pref("browser.dictionaries.download.url", ""); user_pref("browser.disableResetPrompt", true); -user_pref("browser.discovery.enabled", false); // disable extension recommendations -user_pref("browser.display.use_document_fonts", 0); // disable web pages picking fonts +user_pref("browser.discovery.enabled", + false); // disable extension recommendations +user_pref("browser.display.use_document_fonts", + 0); // disable web pages picking fonts user_pref("browser.download.autohideButton", false); -user_pref("browser.download.forbid_open_with", true); // 
disable Open With dialog +user_pref("browser.download.forbid_open_with", + true); // disable Open With dialog user_pref("browser.download.hide_plugins_without_extensions", false); -user_pref("browser.download.manager.addToRecentDocs", false); // disable adding recent documents -user_pref("browser.download.manager.retention", 0); // disable download history +user_pref("browser.download.manager.addToRecentDocs", + false); // disable adding recent documents +user_pref("browser.download.manager.retention", 0); // disable download history user_pref("browser.download.useDownloadDir", false); -user_pref("browser.fixup.alternate.enabled", false); // disable invalid name assistance +user_pref("browser.fixup.alternate.enabled", + false); // disable invalid name assistance user_pref("browser.fixup.hide_user_pass", true); -user_pref("browser.formfill.enable", false); // disable auto-completion +user_pref("browser.formfill.enable", false); // disable auto-completion user_pref("browser.geolocation.warning.infoURL", ""); user_pref("browser.helperApps.deleteTempFileOnExit", true); user_pref("browser.library.activity-stream.enabled", false); -user_pref("browser.link.open_newwindow", 3); // open new windows in tabs instead +user_pref("browser.link.open_newwindow", 3); // open new windows in tabs instead user_pref("browser.link.open_newwindow.restriction", 0); user_pref("browser.messaging-system.whatsNewPanel.enabled", false); -user_pref("browser.newtab.preload", false); // disable new tab tile preload -user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); // disable activity stream snippets -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); // disable extension recommendations -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); +user_pref("browser.newtab.preload", false); // disable new tab tile preload 
+user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", + ""); // disable activity stream snippets +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", + false); // disable extension recommendations +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", + false); +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", + false); user_pref("browser.newtabpage.activity-stream.disableSnippets", true); user_pref("browser.newtabpage.activity-stream.discoverystream.optOut.0", true); user_pref("browser.newtabpage.activity-stream.enabled", false); user_pref("browser.newtabpage.activity-stream.feed.topsites", false); -user_pref("browser.newtabpage.activity-stream.feeds.asrouterfeed", false); // disable activity stream feed +user_pref("browser.newtabpage.activity-stream.feeds.asrouterfeed", + false); // disable activity stream feed user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false); user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); -user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // disable snippets +user_pref("browser.newtabpage.activity-stream.feeds.snippets", + false); // disable snippets user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); user_pref("browser.newtabpage.activity-stream.feeds.topsites", false); user_pref("browser.newtabpage.activity-stream.prerender", false); -user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); +user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", + false); user_pref("browser.newtabpage.activity-stream.showSearch", false); user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.telemetry", false); 
@@ -144,13 +169,14 @@ user_pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
 user_pref("browser.newtabpage.enhanced", false);
 user_pref("browser.newtabpage.remote", false);
 user_pref("browser.newtabpage.storageVersion", 1);
-user_pref("browser.offline-apps.notify", true); // notify on offline app storage
-user_pref("browser.onboarding.enabled", false); // disable new profile tour
+user_pref("browser.offline-apps.notify", true); // notify on offline app storage
+user_pref("browser.onboarding.enabled", false); // disable new profile tour
 user_pref("browser.pagethumbnails.capturing_disabled", true);
 user_pref("browser.pagethumbnails.storage_version", 3);
 user_pref("browser.ping-centre.production.endpoint", "");
 user_pref("browser.ping-centre.staging.endpoint", "");
-user_pref("browser.ping-centre.telemetry", false); // disable PingCentre telemetry
+user_pref("browser.ping-centre.telemetry",
+ false); // disable PingCentre telemetry
 user_pref("browser.safebrowsing.appRepURL", "");
 user_pref("browser.safebrowsing.downloads.enabled", false);
 user_pref("browser.safebrowsing.downloads.remote.enabled", false);
@@ -158,7 +184,8 @@ user_pref("browser.safebrowsing.downloads.remote.url", "");
 user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "");
 user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "");
 user_pref("browser.safebrowsing.provider.google.reportURL", "");
-user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // disable safebrowsing data sharing
+user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled",
+ false); // disable safebrowsing data sharing
 user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
 user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "");
 user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "");
@@ -166,63 +193,74 @@ user_pref("browser.safebrowsing.provider.google4.reportURL", "");
 user_pref("browser.search.countryCode", "US");
 user_pref("browser.search.geoSpecificDefaults", false);
 user_pref("browser.search.geoSpecificDefaults.url", "");
-user_pref("browser.search.geoip.url", ""); // disable geo-IP assisted search
-user_pref("browser.search.hiddenOneOffs", "Bing,Amazon.com,eBay,Twitter"); // disable search providers
+user_pref("browser.search.geoip.url", ""); // disable geo-IP assisted search
+user_pref("browser.search.hiddenOneOffs",
+ "Bing,Amazon.com,eBay,Twitter"); // disable search providers
 user_pref("browser.search.region", "US");
 user_pref("browser.search.suggest.enabled", false);
 user_pref("browser.search.update", false);
 user_pref("browser.search.widget.inNavBar", true);
-user_pref("browser.selfsupport.url", ""); // disable user rating telemetry
-user_pref("browser.send_pings", false); // disable ping attributes
+user_pref("browser.selfsupport.url", ""); // disable user rating telemetry
+user_pref("browser.send_pings", false); // disable ping attributes
 user_pref("browser.send_pings.require_same_host", true);
-user_pref("browser.sessionhistory.max_entries", 10); // limit session history
+user_pref("browser.sessionhistory.max_entries", 10); // limit session history
 user_pref("browser.sessionstore.interval", 30000);
-user_pref("browser.sessionstore.max_tabs_undo", 0); // disable recently closed tabs
+user_pref("browser.sessionstore.max_tabs_undo",
+ 0); // disable recently closed tabs
 user_pref("browser.sessionstore.max_windows_undo", 0);
-user_pref("browser.sessionstore.privacy_level", 2); // disable session restore
+user_pref("browser.sessionstore.privacy_level", 2); // disable session restore
 user_pref("browser.sessionstore.resume_from_crash", false);
-user_pref("browser.shell.checkDefaultBrowser", false); // disable default check
-user_pref("browser.shell.shortcutFavicons", false); // disable shortcuts favicons
+user_pref("browser.shell.checkDefaultBrowser", false); // disable default check
+user_pref("browser.shell.shortcutFavicons",
+ false); // disable shortcuts favicons
 user_pref("browser.ssl_override_behavior", 1);
 user_pref("browser.startup.homepage_override.buildID", "20100101");
-user_pref("browser.startup.homepage_override.mstone", "ignore"); // disable welcome pages
+user_pref("browser.startup.homepage_override.mstone",
+ "ignore"); // disable welcome pages
 user_pref("browser.tabs.crashReporting.sendReport", false);
 user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
 user_pref("browser.tabs.remote.autostart.2", true);
-user_pref("browser.tabs.warnOnClose", false); // close without warning
+user_pref("browser.tabs.warnOnClose", false); // close without warning
 user_pref("browser.tabs.warnOnCloseOtherTabs", false);
 user_pref("browser.tabs.warnOnOpen", false);
-user_pref("browser.uitour.enabled", false); // disable UI tour
+user_pref("browser.uitour.enabled", false); // disable UI tour
 user_pref("browser.uitour.url", "");
 user_pref("browser.urlbar.autoFill", false);
 user_pref("browser.urlbar.autoFill.typed", false);
 user_pref("browser.urlbar.autocomplete.enabled", false);
-user_pref("browser.urlbar.filter.javascript", true); // hide JS in history
-user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0); // disable local search history
+user_pref("browser.urlbar.filter.javascript", true); // hide JS in history
+user_pref("browser.urlbar.maxHistoricalSearchSuggestions",
+ 0); // disable local search history
 user_pref("browser.urlbar.oneOffSearches", false);
 user_pref("browser.urlbar.placeholderName", "DuckDuckGo");
-user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // disable suggestions
-user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // disable sponsored suggestions
+user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored",
+ false); // disable suggestions
+user_pref("browser.urlbar.suggest.quicksuggest.sponsored",
+ false); // disable sponsored suggestions
 user_pref("browser.urlbar.searchSuggestionsChoice", false);
-user_pref("browser.urlbar.speculativeConnect.enabled", false); // disable preloading auto-complete URLs
+user_pref("browser.urlbar.speculativeConnect.enabled",
+ false); // disable preloading auto-complete URLs
 user_pref("browser.urlbar.suggest.openpage", false);
 user_pref("browser.urlbar.suggest.searches", false);
-user_pref("browser.urlbar.trimURLs", false); // disable trim HTTP off of URLs
-user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); // disable pre-loaded URLs
+user_pref("browser.urlbar.trimURLs", false); // disable trim HTTP off of URLs
+user_pref("browser.urlbar.usepreloadedtopurls.enabled",
+ false); // disable pre-loaded URLs
 user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
-user_pref("camera.control.face_detection.enabled", false); // disable webcam face detection
-user_pref("canvas.capturestream.enabled", false); // disable canvas capture stream
-user_pref("captivedetect.canonicalURL", ""); // disable captive portal helper
-user_pref("clipboard.autocopy", false); // disable automatic clipboard selection
+user_pref("camera.control.face_detection.enabled",
+ false); // disable webcam face detection
+user_pref("canvas.capturestream.enabled",
+ false); // disable canvas capture stream
+user_pref("captivedetect.canonicalURL", ""); // disable captive portal helper
+user_pref("clipboard.autocopy", false); // disable automatic clipboard selection
 user_pref("datareporting.healthreport.infoURL", "");
 user_pref("datareporting.healthreport.service.enabled", false);
 user_pref("datareporting.healthreport.service.firstRun", false);
 user_pref("datareporting.healthreport.uploadEnabled", false);
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
 user_pref("device.sensors.enabled", false); // disable 
device sensors
-user_pref("devtools.chrome.enabled", false); // disable tools in browser context
-user_pref("devtools.debugger.force-local", true); // disable remote debugging
+user_pref("devtools.chrome.enabled", false); // disable tools in browser context
+user_pref("devtools.debugger.force-local", true); // disable remote debugging
 user_pref("devtools.debugger.remote-enabled", false);
 user_pref("devtools.devedition.promo.url", "");
 user_pref("devtools.onboarding.telemetry.logged", true);
@@ -230,16 +268,19 @@ user_pref("devtools.screenshot.audio.enabled", false);
 user_pref("devtools.theme", "dark");
 user_pref("devtools.webide.autoinstallADBHelper", false);
 user_pref("devtools.webide.autoinstallFxdtAdapters", false);
-user_pref("devtools.webide.enabled", false); // disable WebIDE
+user_pref("devtools.webide.enabled", false); // disable WebIDE
 user_pref("devtools.webide.simulatorAddonsURL", "");
-user_pref("dom.IntersectionObserver.enabled", false); // disable Intersection Observer
-user_pref("dom.allow_cut_copy", false); // disable copy-to-clipboard js functionality
-user_pref("dom.battery.enabled", false); // disable battery status
-user_pref("dom.caches.enabled", false); // disable service workers cache
-user_pref("dom.disable_beforeunload", true); // disable page leave warning
-user_pref("dom.disable_open_during_load", true); // block popups
+user_pref("dom.IntersectionObserver.enabled",
+ false); // disable Intersection Observer
+user_pref("dom.allow_cut_copy",
+ false); // disable copy-to-clipboard js functionality
+user_pref("dom.battery.enabled", false); // disable battery status
+user_pref("dom.caches.enabled", false); // disable service workers cache
+user_pref("dom.disable_beforeunload", true); // disable page leave warning
+user_pref("dom.disable_open_during_load", true); // block popups
 user_pref("dom.disable_window_move_resize", true);
-user_pref("dom.disable_window_open_feature.close", true); // disable web pages from removing window features
+user_pref("dom.disable_window_open_feature.close",
+ true); // disable web pages from removing window features
 user_pref("dom.disable_window_open_feature.location", true);
 user_pref("dom.disable_window_open_feature.menubar", true);
 user_pref("dom.disable_window_open_feature.minimizable", true);
@@ -248,121 +289,148 @@ user_pref("dom.disable_window_open_feature.resizable", true);
 user_pref("dom.disable_window_open_feature.status", true);
 user_pref("dom.disable_window_open_feature.titlebar", true);
 user_pref("dom.disable_window_open_feature.toolbar", true);
-user_pref("dom.enable_resource_timing", false); // disable resource timing
-user_pref("dom.event.clipboardevents.enabled", false); // disable notify on clipboard events
-user_pref("dom.event.contextmenu.enabled", false); // disable web page control over right-click context
-user_pref("dom.event.highrestimestamp.enabled", true); // enable DOMHighResTimeStamp
-user_pref("dom.flyweb.enabled", false); // disable local discovery
+user_pref("dom.enable_resource_timing", false); // disable resource timing
+user_pref("dom.event.clipboardevents.enabled",
+ false); // disable notify on clipboard events
+user_pref("dom.event.contextmenu.enabled",
+ false); // disable web page control over right-click context
+user_pref("dom.event.highrestimestamp.enabled",
+ true); // enable DOMHighResTimeStamp
+user_pref("dom.flyweb.enabled", false); // disable local discovery
 user_pref("dom.forms.autocomplete.formautofill", true);
 user_pref("dom.forms.datetime", false);
-user_pref("dom.gamepad.enabled", false); // disable USB enumeration
-user_pref("dom.imagecapture.enabled", false); // disable camera image capture
+user_pref("dom.gamepad.enabled", false); // disable USB enumeration
+user_pref("dom.imagecapture.enabled", false); // disable camera image capture
 user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
 user_pref("dom.ipc.plugins.reportCrashURL", false);
-user_pref("dom.mozTCPSocket.enabled", false); // disable raw tcp sockets
-user_pref("dom.netinfo.enabled", false); // disable network information api
-user_pref("dom.network.enabled", false); // disable network information api
-user_pref("dom.popup_allowed_events", "click dblclick"); // limit popup-triggering events
-user_pref("dom.popup_maximum", 2); // maximum of 2 popups from a single event
-user_pref("dom.push.connection.enabled", false); // disable push notifications
+user_pref("dom.mozTCPSocket.enabled", false); // disable raw tcp sockets
+user_pref("dom.netinfo.enabled", false); // disable network information api
+user_pref("dom.network.enabled", false); // disable network information api
+user_pref("dom.popup_allowed_events",
+ "click dblclick"); // limit popup-triggering events
+user_pref("dom.popup_maximum", 2); // maximum of 2 popups from a single event
+user_pref("dom.push.connection.enabled", false); // disable push notifications
 user_pref("dom.push.enabled", false);
 user_pref("dom.push.serverURL", "");
 user_pref("dom.push.userAgentID", "");
-user_pref("dom.telephony.enabled", false); // disable telephony API
-user_pref("dom.vibrator.enabled", false); // disable screen shake
-user_pref("dom.vr.enabled", false); // disable VR devices
-user_pref("dom.w3c_pointer_events.enabled", false); // disable PointerEvents
-user_pref("dom.w3c_touch_events.enabled", 0); // disable touch events
-user_pref("dom.webaudio.enabled", false); // disable web audio
-user_pref("dom.webnotifications.enabled", false); // disable web notifications
-user_pref("dom.webnotifications.serviceworker.enabled", false); // disable web notifications
+user_pref("dom.telephony.enabled", false); // disable telephony API
+user_pref("dom.vibrator.enabled", false); // disable screen shake
+user_pref("dom.vr.enabled", false); // disable VR devices
+user_pref("dom.w3c_pointer_events.enabled", false); // disable PointerEvents
+user_pref("dom.w3c_touch_events.enabled", 0); // disable touch events
+user_pref("dom.webaudio.enabled", false); // disable web audio
+user_pref("dom.webnotifications.enabled", false); // disable web notifications
+user_pref("dom.webnotifications.serviceworker.enabled",
+ false); // disable web notifications
 user_pref("experiments.activeExperiment", false);
 user_pref("experiments.enabled", false);
 user_pref("experiments.manifest.uri", "");
 user_pref("experiments.supported", false);
 user_pref("extensions.autoDisableScopes", 15);
-user_pref("extensions.blocklist.enabled", false); // disable extension blacklisting
+user_pref("extensions.blocklist.enabled",
+ false); // disable extension blacklisting
 user_pref("extensions.blocklist.pingCountTotal", 4);
 user_pref("extensions.blocklist.pingCountVersion", 0);
-user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/");
-user_pref("extensions.enabledScopes", 1); // lock down allowed extension directories
-user_pref("extensions.formautofill.addresses.enabled", false); // disable form auto-fill
+user_pref(
+ "extensions.blocklist.url",
+ "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/");
+user_pref("extensions.enabledScopes",
+ 1); // lock down allowed extension directories
+user_pref("extensions.formautofill.addresses.enabled",
+ false); // disable form auto-fill
 user_pref("extensions.formautofill.available", "off");
 user_pref("extensions.formautofill.creditCards.enabled", false);
 user_pref("extensions.formautofill.heuristics.enabled", false);
-user_pref("extensions.fxmonitor.enabled", false); // disable Monitor
-user_pref("extensions.getAddons.cache.enabled", false); // disable add-on metadata updates
+user_pref("extensions.fxmonitor.enabled", false); // disable Monitor
+user_pref("extensions.getAddons.cache.enabled",
+ false); // disable add-on metadata updates
 user_pref("extensions.getAddons.databaseSchema", 5);
 user_pref("extensions.getAddons.showPane", false);
-user_pref("extensions.pocket.enabled", false); // disable Pocket
-user_pref("extensions.screenshots.disabled", true); // disable Screenshots
+user_pref("extensions.pocket.enabled", false); // disable Pocket
+user_pref("extensions.screenshots.disabled", true); // disable Screenshots
 user_pref("extensions.screenshots.system-disabled", 
true);
 user_pref("extensions.screenshots.upload-disabled", true);
 user_pref("extensions.shield-recipe-client.api_url", "");
 user_pref("extensions.shield-recipe-client.enabled", false);
-user_pref("extensions.systemAddon.update.enabled", false); // disable system addon updates
+user_pref("extensions.systemAddon.update.enabled",
+ false); // disable system addon updates
 user_pref("extensions.systemAddon.update.url", "");
 user_pref("extensions.ui.dictionary.hidden", true);
 user_pref("extensions.ui.experiment.hidden", true);
 user_pref("extensions.ui.locale.hidden", true);
 user_pref("extensions.update.autoUpdateDefault", false);
-user_pref("extensions.webcompat-reporter.enabled", false); // disable web compatibility reporter
+user_pref("extensions.webcompat-reporter.enabled",
+ false); // disable web compatibility reporter
 user_pref("extensions.webservice.discoverURL", "");
-user_pref("font.blacklist.underline_offset", ""); // disable special underline handling
+user_pref("font.blacklist.underline_offset",
+ ""); // disable special underline handling
 user_pref("gecko.handlerService.migrated", true);
 user_pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "");
 user_pref("general.buildID.override", "20100101");
-user_pref("general.warnOnAboutConfig", false); // disable about:config warning
-user_pref("geo.enabled", false); // no geo-location
-user_pref("geo.provider.ms-windows-location", false); // disable geo on windows
-user_pref("geo.provider.use_corelocation", false); // disable geo on mac
-user_pref("geo.provider.use_gpsd", false); // disable geo on linux
+user_pref("general.warnOnAboutConfig", false); // disable about:config warning
+user_pref("geo.enabled", false); // no geo-location
+user_pref("geo.provider.ms-windows-location", false); // disable geo on windows
+user_pref("geo.provider.use_corelocation", false); // disable geo on mac
+user_pref("geo.provider.use_gpsd", false); // disable geo on linux
 user_pref("geo.wifi.logging.enabled", false);
 user_pref("geo.wifi.uri", "");
 user_pref("gfx.downloadable_fonts.woff2.enabled", false);
 user_pref("gfx.font_rendering.graphite.enabled", false);
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
-user_pref("gfx.offscreencanvas.enabled", false); // disable offscreen canvas
-user_pref("identity.fxaccounts.enabled", false); // disable Firefox accounts sync
+user_pref("gfx.offscreencanvas.enabled", false); // disable offscreen canvas
+user_pref("identity.fxaccounts.enabled",
+ false); // disable Firefox accounts sync
 user_pref("intl.accept_languages", "en-US, en");
 user_pref("intl.charset.fallback.override", "utf-8");
 user_pref("intl.locale.requested", "en-US");
-user_pref("intl.regional_prefs.use_os_locales", false); // don't use OS to determine locale
+user_pref("intl.regional_prefs.use_os_locales",
+ false); // don't use OS to determine locale
 user_pref("javascript.options.asmjs", false);
-user_pref("javascript.options.shared_memory", false); // disable shared memory
-user_pref("javascript.options.wasm", false); // disable webassembly
+user_pref("javascript.options.shared_memory", false); // disable shared memory
+user_pref("javascript.options.wasm", false); // disable webassembly
 user_pref("javascript.use_us_english_locale", true);
-user_pref("keyword.enabled", false); // do not submit invalid URLs to search engine
+user_pref("keyword.enabled",
+ false); // do not submit invalid URLs to search engine
 user_pref("layout.css.font-loading-api.enabled", false);
-user_pref("layout.css.visited_links_enabled", false); // disable CSS page history
-user_pref("layout.spellcheckDefault", 2); // spell-check; 0: none; 1: multi-line; 2: multi- and single-line
+user_pref("layout.css.visited_links_enabled",
+ false); // disable CSS page history
+user_pref("layout.spellcheckDefault",
+ 2); // spell-check; 0: none; 1: multi-line; 2: multi- and single-line
 user_pref("lightweightThemes.persisted.footerURL", false);
 user_pref("lightweightThemes.persisted.headerURL", false);
-user_pref("lightweightThemes.update.enabled", false); // disable themes auto updates
-user_pref("loop.logDomains", false); // disable more telemetry
+user_pref("lightweightThemes.update.enabled",
+ false); // disable themes auto updates
+user_pref("loop.logDomains", false); // disable more telemetry
 user_pref("mathml.disabled", true); // disable Mathematical Markup Language
-user_pref("media.autoplay.default", 2); // HTML5 media - 0: allow; 1: block; 2: prompt
+user_pref("media.autoplay.default",
+ 2); // HTML5 media - 0: allow; 1: block; 2: prompt
 user_pref("media.autoplay.default", 5);
-user_pref("media.block-autoplay-until-in-foreground", true); // disable auto-play in background tabs
-user_pref("media.eme.apiVisible", false); // disable DRM profiling
-user_pref("media.eme.enabled", false); // disable DRM HTML5 content
-user_pref("media.getusermedia.audiocapture.enabled", false); // disable audio capture
-user_pref("media.getusermedia.browser.enabled", false); // disable WebRTC getUserMedia
-user_pref("media.getusermedia.screensharing.enabled", false); // disable screen-sharing
-user_pref("media.gmp-gmpopenh264.autoupdate", false); // disable OpenH264 codec by Cisco
+user_pref("media.block-autoplay-until-in-foreground",
+ true); // disable auto-play in background tabs
+user_pref("media.eme.apiVisible", false); // disable DRM profiling
+user_pref("media.eme.enabled", false); // disable DRM HTML5 content
+user_pref("media.getusermedia.audiocapture.enabled",
+ false); // disable audio capture
+user_pref("media.getusermedia.browser.enabled",
+ false); // disable WebRTC getUserMedia
+user_pref("media.getusermedia.screensharing.enabled",
+ false); // disable screen-sharing
+user_pref("media.gmp-gmpopenh264.autoupdate",
+ false); // disable OpenH264 codec by Cisco
 user_pref("media.gmp-gmpopenh264.enabled", false);
 user_pref("media.gmp-manager.updateEnabled", false);
 user_pref("media.gmp-manager.url", "data:text/plain,");
 user_pref("media.gmp-manager.url.override", 
"data:text/plain,");
 user_pref("media.gmp-provider.enabled", false);
 user_pref("media.gmp-widevinecdm.autoupdate", false);
-user_pref("media.gmp-widevinecdm.enabled", false); // disable DRM HTML5 content
+user_pref("media.gmp-widevinecdm.enabled", false); // disable DRM HTML5 content
 user_pref("media.gmp-widevinecdm.visible", false);
 user_pref("media.gmp.storage.version.observed", 1);
 user_pref("media.gmp.trial-create.enabled", false);
-user_pref("media.navigator.enabled", false); // disable media device enumeration
+user_pref("media.navigator.enabled", false); // disable media device enumeration
 user_pref("media.navigator.video.enabled", false);
-user_pref("media.ondevicechange.enabled", false); // disable media devices change detection
+user_pref("media.ondevicechange.enabled",
+ false); // disable media devices change detection
 user_pref("media.peerconnection.enabled", false);
 user_pref("media.peerconnection.ice.default_address_only", true);
 user_pref("media.peerconnection.ice.no_host", true);
@@ -373,44 +441,60 @@ user_pref("media.peerconnection.identity.timeout", 1);
 user_pref("media.peerconnection.turn.disable", true);
 user_pref("media.peerconnection.use_document_iceservers", false);
 user_pref("media.peerconnection.video.enabled", false);
-user_pref("media.video_stats.enabled", false); // disable video statistics
+user_pref("media.video_stats.enabled", false); // disable video statistics
 user_pref("media.videocontrols.picture-in-picture.video-toggle.enabled", false);
-user_pref("media.webspeech.recognition.enable", false); // disable speech recognition
-user_pref("media.webspeech.synth.enabled", false); // disable speech synthesis
-user_pref("middlemouse.contentLoadURL", false); // disable open URLs from clibpard with middle click
+user_pref("media.webspeech.recognition.enable",
+ false); // disable speech recognition
+user_pref("media.webspeech.synth.enabled", false); // disable speech synthesis
+user_pref("middlemouse.contentLoadURL",
+ false); // disable open URLs from clibpard with middle click
 user_pref("network.IDN_show_punycode", true); // reduce phishing risk
-user_pref("network.allow-experiments", false); // disable experiments
-user_pref("network.auth.subresource-http-auth-allow", 1); // disable non-secure authentication
-user_pref("network.captive-portal-service.enabled", false); // disable captive portal helper
-user_pref("network.connectivity-service.enabled", false); // disable network connectivity checks
-user_pref("network.connectivity-service.enabled", false); // don't help with captive portals
-user_pref("network.cookie.leave-secure-alone", true); // disable non-secure sites setting secure cookies
+user_pref("network.allow-experiments", false); // disable experiments
+user_pref("network.auth.subresource-http-auth-allow",
+ 1); // disable non-secure authentication
+user_pref("network.captive-portal-service.enabled",
+ false); // disable captive portal helper
+user_pref("network.connectivity-service.enabled",
+ false); // disable 
network connectivity checks
+user_pref("network.connectivity-service.enabled",
+ false); // don't help with captive portals
+user_pref("network.cookie.leave-secure-alone",
+ true); // disable non-secure sites setting secure cookies
 user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true);
 user_pref("network.cookie.thirdparty.sessionOnly", true);
-user_pref("network.dns.disablePrefetch", true); // disable DNS prefetch
+user_pref("network.dns.disablePrefetch", true); // disable DNS prefetch
 user_pref("network.dns.disablePrefetchFromHTTPS", true);
-user_pref("network.file.disable_unc_paths", true); // disable Uniform Naming Convention paths
-user_pref("network.ftp.enabled", false); // disable FTP
-user_pref("network.gio.supported-protocols", ""); // disable Gvfs/GIO
-user_pref("network.http.altsvc.enabled", false); // disable HTTP Alternative Services
+user_pref("network.file.disable_unc_paths",
+ true); // disable Uniform Naming Convention paths
+user_pref("network.ftp.enabled", false); // disable FTP
+user_pref("network.gio.supported-protocols", ""); // disable Gvfs/GIO
+user_pref("network.http.altsvc.enabled",
+ false); // disable HTTP Alternative Services
 user_pref("network.http.altsvc.oe", false);
-user_pref("network.http.redirection-limit", 5); // limit HTTP redirects
-user_pref("network.http.referer.XOriginPolicy", 1); // only send Referer to same domain
+user_pref("network.http.redirection-limit", 5); // limit HTTP redirects
+user_pref("network.http.referer.XOriginPolicy",
+ 1); // only send Referer to same domain
 user_pref("network.http.referer.hideOnionSource", true);
-user_pref("network.http.spdy.enabled", false); // disable HTTP2
+user_pref("network.http.spdy.enabled", false); // disable HTTP2
 user_pref("network.http.spdy.enabled.deps", false);
 user_pref("network.http.spdy.enabled.http2", false);
 user_pref("network.http.spdy.websockets", false);
-user_pref("network.http.speculative-parallel-limit", 0); // disable speculative loading
+user_pref("network.http.speculative-parallel-limit",
+ 0); // disable speculative loading
 user_pref("network.jar.open-unsafe-types", false);
-user_pref("network.manage-offline-status", false); // do not monitor OS connection state
-user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // disable NTLMv1
-user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false); // disable all NTLM
+user_pref("network.manage-offline-status",
+ false); // do not monitor OS connection state
+user_pref("network.negotiate-auth.allow-insecure-ntlm-v1",
+ false); // disable NTLMv1
+user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https",
+ false); // disable all NTLM
 user_pref("network.predictor.cleaned-up", true);
-user_pref("network.predictor.enable-prefetch", false); // disable prefetching
-user_pref("network.predictor.enabled", false); // disable "Necko" predictive service
-user_pref("network.prefetch-next", false); // disable prefetching
-user_pref("network.protocol-handler.expose-all", false); // whitelist URL handlers
+user_pref("network.predictor.enable-prefetch", false); // disable prefetching
+user_pref("network.predictor.enabled",
+ false); // disable "Necko" predictive service
+user_pref("network.prefetch-next", false); // disable prefetching
+user_pref("network.protocol-handler.expose-all",
+ false); // whitelist URL handlers
 user_pref("network.protocol-handler.expose.about", true);
 user_pref("network.protocol-handler.expose.blob", true);
 user_pref("network.protocol-handler.expose.chrome", true);
@@ -433,12 +517,12 @@ user_pref("network.protocol-handler.external.javascript", false);
 user_pref("network.protocol-handler.external.moz-extension", false);
 user_pref("network.protocol-handler.external.ms-windows-store", false);
 user_pref("network.protocol-handler.warn-external-default", true);
-user_pref("network.stricttransportsecurity.preloadlist", true); // preload HSTS
+user_pref("network.stricttransportsecurity.preloadlist", true); // preload HSTS
 user_pref("network.trr.bootstrapAddress", "");
-user_pref("network.trr.mode", 0); // disable trusted recursive resolver
+user_pref("network.trr.mode", 0); // disable trusted recursive resolver
 user_pref("network.trr.uri", "");
 user_pref("offline-apps.allow_by_default", false);
-user_pref("pdfjs.disabled", true); // disable PDF viewer
+user_pref("pdfjs.disabled", true); // disable PDF viewer
 user_pref("pdfjs.enableWebGL", false);
 user_pref("pdfjs.migrationVersion", 2);
 user_pref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);
@@ -450,16 +534,19 @@ user_pref("permissions.default.microphone", 2);
 user_pref("permissions.default.shortcuts", 2);
 user_pref("permissions.default.xr", 2);
 user_pref("permissions.manager.defaultsUrl", "");
-user_pref("permissions.memory_only", true); // disable storing permission changes to disk
+user_pref("permissions.memory_only",
+ true); // disable storing permission changes to disk
 user_pref("plugin.default.state", 0);
 user_pref("plugin.defaultXpi.state", 0);
 user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");
-user_pref("plugin.scan.plid.all", false); // disable plugin scan
-user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0); // always ask for activation
-user_pref("plugin.state.flash", 0); // disable flash
+user_pref("plugin.scan.plid.all", false); // disable plugin scan
+user_pref("plugin.sessionPermissionNow.intervalInMinutes",
+ 0); // always ask for activation
+user_pref("plugin.state.flash", 0); // disable flash
 user_pref("plugin.state.java", 0); // disable java
-user_pref("plugin.state.libgnome-shell-browser-plugin", 0); // disable gnome shell integration
-user_pref("plugins.click_to_play", true); // require plugin activation
+user_pref("plugin.state.libgnome-shell-browser-plugin",
+ 0); // disable gnome shell integration
+user_pref("plugins.click_to_play", true); // require plugin activation
 user_pref("pref.browser.homepage.disable_button.current_page", false);
 user_pref("pref.privacy.disable_button.cookie_exceptions", false);
 user_pref("privacy.clearOnShutdown.cache", true);
@@ -475,36 +562,47 @@ user_pref("privacy.cpd.formdata", true);
 user_pref("privacy.cpd.offlineApps", true);
 user_pref("privacy.cpd.sessions", true);
 user_pref("privacy.history.custom", true);
-user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // disable mozAddonManager
+user_pref("privacy.resistFingerprinting.block_mozAddonManager",
+ true); // disable mozAddonManager
 user_pref("privacy.sanitize.pending", "[]");
-user_pref("privacy.sanitize.timeSpan", 0); // set default clear history range to all time
+user_pref("privacy.sanitize.timeSpan",
+ 0); // set default clear history range to all time
 user_pref("privacy.trackingprotection.cryptomining.enabled", true);
-user_pref("privacy.trackingprotection.enabled", true); // https://wiki.mozilla.org/Security/Tracking_protection
+user_pref("privacy.trackingprotection.enabled",
+ true); // https://wiki.mozilla.org/Security/Tracking_protection
 user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
 user_pref("privacy.trackingprotection.introCount", 20);
 user_pref("privacy.trackingprotection.ui.enabled", true);
 user_pref("privacy.userContext.enabled", true);
-user_pref("privacy.userContext.longPressBehavior", 2); // long-press on + tab button to open container menu
-user_pref("privacy.userContext.ui.enabled", true); // enable container tabs setting
+user_pref("privacy.userContext.longPressBehavior",
+ 2); // long-press on + tab button to open container menu
+user_pref("privacy.userContext.ui.enabled",
+ true); // enable container tabs setting
 user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
-user_pref("security.cert_pinning.enforcement_level", 2); // strict pinning enforcement
-user_pref("security.csp.enable", true); // enforce Content Security Policy
-user_pref("security.csp.experimentalEnabled", true); // enable experimental CSP features
+user_pref("security.cert_pinning.enforcement_level",
+ 2); // strict pinning enforcement
+user_pref("security.csp.enable", true); 
// enforce Content Security Policy
+user_pref("security.csp.experimentalEnabled",
+ true); // enable experimental CSP features
 user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
 user_pref("security.fileuri.strict_origin_policy", true);
 user_pref("security.insecure_connection_icon.enabled", true);
 user_pref("security.insecure_connection_text.enabled", true);
 user_pref("security.insecure_field_warning.contextual.enabled", true);
-user_pref("security.insecure_password.ui.enabled", true); // warn on non-secure forms
-user_pref("security.mixed_content.block_active_content", true); // disable insecure content on HTTPS pages
+user_pref("security.insecure_password.ui.enabled",
+ true); // warn on non-secure forms
+user_pref("security.mixed_content.block_active_content",
+ true); // disable insecure content on HTTPS pages
 user_pref("security.mixed_content.block_display_content", true);
 user_pref("security.mixed_content.block_object_subrequest", true);
-user_pref("security.pki.sha1_enforcement_level", 1); // block SHA1 certs
-user_pref("security.sri.enable", true); // enable Subresource Integrity
-user_pref("security.ssl.disable_session_identifiers", true); // disable SSL Session IDs
+user_pref("security.pki.sha1_enforcement_level", 1); // block SHA1 certs
+user_pref("security.sri.enable", true); // enable Subresource Integrity
+user_pref("security.ssl.disable_session_identifiers",
+ true); // disable SSL Session IDs
 user_pref("security.ssl.enable_ocsp_must_staple", true);
 user_pref("security.ssl.enable_ocsp_stapling", true);
-user_pref("security.ssl.errorReporting.automatic", false); // do not report TLS errors
+user_pref("security.ssl.errorReporting.automatic",
+ false); // do not report TLS errors
 user_pref("security.ssl.errorReporting.enabled", false);
 user_pref("security.ssl.errorReporting.url", "");
 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
@@ -554,9 +652,11 @@ user_pref("security.ssl3.rsa_rc4_128_md5", false);
 user_pref("security.ssl3.rsa_rc4_128_sha", false);
 user_pref("security.ssl3.rsa_rc4_40_md5", false);
 user_pref("security.ssl3.rsa_seed_sha", false);
-user_pref("security.tls.enable_0rtt_data", false); // disable TLS1.3 0-RTT
-user_pref("security.tls.version.fallback-limit", 3); // disable insecure fallback
-user_pref("security.xpconnect.plugin.unrestricted", false); // disable scripting of plugins by javascript
+user_pref("security.tls.enable_0rtt_data", false); // disable TLS1.3 0-RTT
+user_pref("security.tls.version.fallback-limit",
+ 3); // disable insecure fallback
+user_pref("security.xpconnect.plugin.unrestricted",
+ false); // disable scripting of plugins by javascript
 user_pref("services.blocklist.update_enabled", true);
 user_pref("services.sync.clients.lastSync", "0");
 user_pref("services.sync.declinedEngines", "");
@@ -564,23 +664,24 @@ user_pref("services.sync.globalScore", 0);
 user_pref("services.sync.nextSync", 0);
 user_pref("services.sync.tabs.lastSync", "0");
 user_pref("shield.savant.enabled", false);
-user_pref("shumway.disabled", true); // disable Mozilla Flash
+user_pref("shumway.disabled", true); // disable Mozilla Flash
 user_pref("signon.autofillForms", false);
 user_pref("signon.autofillForms.http", false);
 user_pref("signon.formlessCapture.enabled", false);
-user_pref("signon.rememberSignons", false); // disable saving passwords
+user_pref("signon.rememberSignons", false); // disable saving passwords
 user_pref("startup.homepage_override_url", "");
 user_pref("startup.homepage_welcome_url", "");
 user_pref("startup.homepage_welcome_url.additional", "");
-user_pref("toolkit.cosmeticAnimations.enabled", false); // disable animations
+user_pref("toolkit.cosmeticAnimations.enabled", false); // disable animations
 user_pref("toolkit.coverage.endpoint.base", "");
-user_pref("toolkit.coverage.opt-out", true); // disable telemetry coverage
+user_pref("toolkit.coverage.opt-out", true); // disable telemetry coverage
 user_pref("toolkit.crashreporter.infoURL", "");
 user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("toolkit.telemetry.bhrPing.enabled", false);
 user_pref("toolkit.telemetry.cachedClientID", "");
-user_pref("toolkit.telemetry.coverage.opt-out", true); // disable telemetry coverage
-user_pref("toolkit.telemetry.enabled", false); // disable Mozilla telemetry
+user_pref("toolkit.telemetry.coverage.opt-out",
+ true); // disable telemetry coverage
+user_pref("toolkit.telemetry.enabled", false); // disable Mozilla telemetry
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
 user_pref("toolkit.telemetry.hybridContent.enabled", false);
 user_pref("toolkit.telemetry.infoURL", "");
@@ -591,17 +692,20 @@ user_pref("toolkit.telemetry.rejected", true);
 user_pref("toolkit.telemetry.reportingpolicy.firstRun", false);
 user_pref("toolkit.telemetry.server", "data:,");
 user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
-user_pref("toolkit.telemetry.unified", false); // disable telemetry
+user_pref("toolkit.telemetry.unified", false); // disable telemetry
 user_pref("toolkit.telemetry.updatePing.enabled", false);
-user_pref("toolkit.winRegisterApplicationRestart", false); // disable session restore
-user_pref("ui.key.menuAccessKey", 0); // disable Alt key for menu
-user_pref("ui.use_standins_for_native_colors", true); // disable exposing system colors to canvas
+user_pref("toolkit.winRegisterApplicationRestart",
+ false); // disable session restore
+user_pref("ui.key.menuAccessKey", 0); // disable Alt key for menu
+user_pref("ui.use_standins_for_native_colors",
+ true); // disable exposing system colors to canvas
 user_pref("webchannel.allowObject.urlWhitelist", "");
-user_pref("webgl.disable-extensions", true); // disable Web Graphics Library
+user_pref("webgl.disable-extensions", true); // disable Web Graphics Library
 user_pref("webgl.disable-fail-if-major-performance-caveat", true);
-user_pref("webgl.disabled", true); // disable WebGL
+user_pref("webgl.disabled", true); // disable WebGL
 user_pref("webgl.dxgl.enabled", false);
-user_pref("webgl.enable-debug-renderer-info", false); // do not expose graphics driver information
+user_pref("webgl.enable-debug-renderer-info",
+ false); // do not expose graphics driver information
 user_pref("webgl.enable-webgl2", false);
 user_pref("webgl.min_capability_mode", true);
-user_pref("xpinstall.signatures.required", true); // extensions must be signed
+user_pref("xpinstall.signatures.required", true); // extensions must be signed
diff --git a/gitconfig b/gitconfig
index 6431952..804ea09 100644
--- a/gitconfig
+++ b/gitconfig
@@ -14,4 +14,4 @@ fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin - merge = refs/heads/master \ No newline at end of file + merge = refs/heads/master diff --git a/homebrew.mxcl.dnsmasq.plist b/homebrew.mxcl.dnsmasq.plist index 97ad950..00c5e11 100644 --- a/homebrew.mxcl.dnsmasq.plist +++ b/homebrew.mxcl.dnsmasq.plist @@ -16,4 +16,4 @@ KeepAlive - \ No newline at end of file + diff --git a/scripts/KNOWN_ISSUES b/scripts/KNOWN_ISSUES index 009aad5..edfa77e 100644 --- a/scripts/KNOWN_ISSUES +++ b/scripts/KNOWN_ISSUES @@ -1,4 +1,4 @@ Known Issues: -Automation of the password policy remediation is not currently implemented in the compliance script. -The path to your pwpolicy.xml must be defined in the compliance script in the variables section, line 433. \ No newline at end of file +Automation of the password policy remediation is not currently implemented in the compliance script. +The path to your pwpolicy.xml must be defined in the compliance script in the variables section, line 433. diff --git a/scripts/anon.sh b/scripts/anon.sh index f166073..619caeb 100644 --- a/scripts/anon.sh +++ b/scripts/anon.sh @@ -141,7 +141,7 @@ sudo lsof +c 15 -Pni UDP:5355 brew install obfs4proxy torrc.sample cp /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc -# edit torrc +# edit torrc # Using Bridges, obsf4 #UseBridges 1 #ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed @@ -161,7 +161,7 @@ brew install dnsmasq curl -o homebrew/etc/dnsmasq.conf https://raw.githubusercontent.com/drduh/config/master/dnsmasq.conf sudo brew services start dnsmasq sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1 -# # Install dnsmasq +# # Install dnsmasq # Configure resolver #[ -d /etc/resolver ] || sudo mkdir -v /etc/resolver #sudo bash -c 'echo "nameserver 127.0.0.1" > /etc/resolver/dnsmasq' 
@@ -1145,4 +1145,4 @@ user_pref("webgl.dxgl.enabled", false); user_pref("webgl.enable-debug-renderer-info", false); // do not expose graphics driver information user_pref("webgl.enable-webgl2", false); user_pref("webgl.min_capability_mode", true); -user_pref("xpinstall.signatures.required", true); // extensions must be signed \ No newline at end of file +user_pref("xpinstall.signatures.required", true); // extensions must be signed diff --git a/scripts/argparse-example.sh b/scripts/argparse-example.sh index cf3b4d5..d3f71ca 100644 --- a/scripts/argparse-example.sh +++ b/scripts/argparse-example.sh @@ -17,7 +17,7 @@ function parse_args { # positional args args=() - + # named args while [ "$1" != "" ]; do case "$1" in @@ -29,21 +29,21 @@ function parse_args esac shift # move to next kv pair done - + # restore positional args set -- "${args[@]}" - + # set positionals to vars positional_1="${args[0]}" positional_2="${args[1]}" - + # validate required args if [[ -z "${an_arg}" || -z "${some_more_args}" ]]; then echo "Invalid arguments" usage exit; fi - + # set defaults if [[ -z "$yet_more_args" ]]; then yet_more_args="a default value"; @@ -54,11 +54,11 @@ function parse_args function run { parse_args "$@" - + echo "you passed in...\n" echo "positional arg 1: $positional_1" echo "positional arg 2: $positional_2" - + echo "named arg: an_arg: $an_arg" echo "named arg: some_more_args: $some_more_args" echo "named arg: yet_more_args: $yet_more_args" @@ -66,4 +66,4 @@ function run -run "$@"; \ No newline at end of file +run "$@"; diff --git a/scripts/base.sh b/scripts/base.sh index 9b4408e..d2dd328 100644 --- a/scripts/base.sh +++ b/scripts/base.sh @@ -1,7 +1,7 @@ #! /bin/bash # Bash shell script template for readability CLI # https://github.com/vorachet/bash-cli-template -# MIT License +# MIT License # Tested with GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15) BASH_CLI_ALL_ARGS=${@:2} 
@@ -13,18 +13,18 @@ do echo "BASH_CLI_OPT_DATA_TYPE[$i]=\"\" empty string is not allowed." echo "The value must be one of these: \"string\", \"boolean\", or \"cmd\"" exit - else - if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "string" ] ; then + else + if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "string" ] ; then BASH_CLI_OPT_VALUE[$i]="" - elif [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "boolean" ] ; then + elif [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "boolean" ] ; then BASH_CLI_OPT_VALUE[$i]=false - elif [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "cmd" ] ; then + elif [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "cmd" ] ; then BASH_CLI_OPT_VALUE[$i]="wait" - else + else echo "BASH_CLI_OPT_DATA_TYPE[$i]=${BASH_CLI_OPT_DATA_TYPE[$i]} is not allowed." echo "The value must be one of these: \"string\", \"boolean\", or \"cmd\"" exit - fi + fi fi done @@ -33,7 +33,7 @@ for i in "${!BASH_CLI_OPT_NAME[@]}" do if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" != "cmd" ]; then SPECLINES+=" \t[${BASH_CLI_OPT_NAME[$i]}|${BASH_CLI_OPT_ALT_NAME[$i]} <${BASH_CLI_OPT_DESC[$i]}>]\n" - fi + fi done SPECLINES+=" \t[-h|--help]\n" @@ -42,11 +42,11 @@ SCRIPT_CMDS="" for i in "${!BASH_CLI_OPT_DATA_TYPE[@]}" do if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" != "cmd" ]; then - SCRIPT_OPTIONS="${SCRIPT_OPTIONS} + SCRIPT_OPTIONS="${SCRIPT_OPTIONS} \t ${BASH_CLI_OPT_NAME[$i]} \n" - else + else - SCRIPT_CMDS="${SCRIPT_CMDS} + SCRIPT_CMDS="${SCRIPT_CMDS} \t${BASH_CLI_OPT_NAME[$i]} | ${BASH_CLI_OPT_ALT_NAME[$i]} \t ${BASH_CLI_OPT_DESC[$i]} \n" fi @@ -58,7 +58,7 @@ function help { ${SCRIPT_CMDS} " } - + if [ $# -eq 0 ]; then help exit 
@@ -67,26 +67,26 @@ fi while [ "$1" != "" ]; do for i in ${!BASH_CLI_OPT_NAME[@]} do - if [[ ( "${BASH_CLI_OPT_NAME[$i]}" == "$1" ) || + if [[ ( "${BASH_CLI_OPT_NAME[$i]}" == "$1" ) || ( "${BASH_CLI_OPT_ALT_NAME[$i]}" == "$1" ) ]] ; then - if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "string" ] ; then - if [[ ( ${2:0:1} == "-" ) || ( ${2:0:1} == "") ]] ; then + if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "string" ] ; then + if [[ ( ${2:0:1} == "-" ) || ( ${2:0:1} == "") ]] ; then BASH_CLI_OPT_VALUE[$i]='' - else - BASH_CLI_OPT_VALUE[$i]=$2 + else + BASH_CLI_OPT_VALUE[$i]=$2 shift fi - fi + fi - if [ ${BASH_CLI_OPT_DATA_TYPE[$i]} == "boolean" ] ; then + if [ ${BASH_CLI_OPT_DATA_TYPE[$i]} == "boolean" ] ; then BASH_CLI_OPT_VALUE[$i]=true - fi + fi - if [ ${BASH_CLI_OPT_DATA_TYPE[$i]} == "cmd" ] ; then + if [ ${BASH_CLI_OPT_DATA_TYPE[$i]} == "cmd" ] ; then BASH_CLI_OPT_VALUE[$i]="invoked" - fi - - else + fi + + else if [[ ( "$1" == "-h" ) || ( "$1" == "--help" ) ]] ; then help exit @@ -103,7 +103,7 @@ validate_mandatory_options(){ do if [ "${BASH_CLI_OPT_DATA_TYPE[$i]}" == "boolean" ]; then echo -e "\n Warning!! \n" - echo -e "\t Please check your script implementation" + echo -e "\t Please check your script implementation" echo -e "\t All mandatory options (BASH_CLI_MANDATORY_PARAM[]) must be configured with string datatype option" echo -e "\t BASH_CLI_OPT_NAME[$i]=\"${BASH_CLI_OPT_NAME[$i]}\" is currently using boolean data type and it does not allow to be a mandatory option" echo -e "\n" @@ -133,7 +133,7 @@ show_optional_parameters() { local options for i in $(echo "${BASH_CLI_NON_MANDATORY_PARAM[$BASH_CLI_CURRENT_CMD_INDEX]}" | tr "," "\n") do - options="${options} ${BASH_CLI_OPT_NAME[$i]}" + options="${options} ${BASH_CLI_OPT_NAME[$i]}" done echo -e "\n\tAll optional parameters of this command: ${options}" 
@@ -141,7 +141,7 @@ show_optional_parameters() { for i in $(echo ${BASH_CLI_NON_MANDATORY_PARAM[$BASH_CLI_CURRENT_CMD_INDEX]} | tr "," "\n") do echo -e "\t\t${BASH_CLI_OPT_NAME[$i]} ${BASH_CLI_OPT_VALUE[$i]}" - done + done } process() { @@ -153,14 +153,13 @@ process() { if [ "${BASH_CLI_OPT_VALUE[$j]}" == "invoked" ]; then BASH_CLI_CURRENT_CMD_INDEX=$j validate_mandatory_options - ${BASH_CLI_OPT_NAME[$BASH_CLI_CURRENT_CMD_INDEX]} + ${BASH_CLI_OPT_NAME[$BASH_CLI_CURRENT_CMD_INDEX]} # ${BASH_CLI_OPT_NAME[$BASH_CLI_CURRENT_CMD_INDEX]} "${BASH_CLI_ALL_ARGS}" break fi - + fi done } process $BASH_CLI_ALL_ARGS - diff --git a/scripts/better-anonymity.sh b/scripts/better-anonymity.sh index 41bf98e..8725cc2 100644 --- a/scripts/better-anonymity.sh +++ b/scripts/better-anonymity.sh 
@@ -16,18 +16,18 @@ fi " 3.4.10 OpenSSH -The implementation of OpenSSH that is included with macOS does not use a -FIPS 140-2 validated cryptographic module. Organizations can reference -FIPS 140-2 Annex A for a list of FIPS 140-2 approved algorithms that -can be configured for use with OpenSSH -(https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf). +The implementation of OpenSSH that is included with macOS does not use a +FIPS 140-2 validated cryptographic module. Organizations can reference +FIPS 140-2 Annex A for a list of FIPS 140-2 approved algorithms that +can be configured for use with OpenSSH +(https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf). OpenSSH should not be used unless approved by the AO. " # --------------------------------------------------------- # -----------------------SECURITY-------------------------- -# Anti-malware software, Antivirus software, Data masking -# software, Data loss prevention, Event management +# Anti-malware software, Antivirus software, Data masking +# software, Data loss prevention, Event management # software, access management # Identifiable, but not accessible. # --------------------------------------------------------- @@ -131,9 +131,9 @@ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.c # --------------------------------------------------------- # ------------------------PRIVACY-------------------------- -# Ad and tracker blockers, Browser extensions/add-ons, -# Email services, Encrypted messaging, File encryption -# software, Password managers, Private browsers, +# Ad and tracker blockers, Browser extensions/add-ons, +# Email services, Encrypted messaging, File encryption +# software, Password managers, Private browsers, # Private search engines, Web proxies # Accessible, but not identifiable. # --------------------------------------------------------- 
@@ -806,7 +806,7 @@ echo '--- Remove Apple Remote Desktop Settings' sudo rm -rf /var/db/RemoteManagement sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist -sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ +sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ rm -r ~/Library/Application\ Support/Remote\ Desktop/ rm -r ~/Library/Containers/com.apple.RemoteDesktop # ---------------------------------------------------------- @@ -892,4 +892,4 @@ sudo mdutil -i off -d / # - https://anonymousplanet.org/guide.html # - https://github.com/Anon-Planet/thgtoa # - https://github.com/spix-777/annNet -# --------------------------------------------------------- \ No newline at end of file +# --------------------------------------------------------- diff --git a/scripts/cli.sh b/scripts/cli.sh index b5d8b8d..d93adcc 100644 --- a/scripts/cli.sh +++ b/scripts/cli.sh @@ -62,7 +62,7 @@ function _os_help(){ printf "%-40s %s\n" " ├── $(colorize 'cyan' 'version')" "show / check the version"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'update')" "update the OS"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'info')" "more info about OS"; - + printf "%-40s %s\n" " └── $(colorize 'cyan' 'info')" "more info about OS"; } @@ -71,7 +71,7 @@ function _docker_help(){ printf "%-40s %s\n" " ├── $(colorize 'cyan' 'install')" "install docker"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'remove')" "uninstall docker"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'compose')" "install docker-compose"; - + printf "%-40s %s\n" " └── $(colorize 'cyan' 'kubectl')" "install kubernetes"; } 
@@ -81,7 +81,7 @@ function _port_help(){ printf "%-40s %s\n" " ├── $(colorize 'cyan' 'start')" "start all firewalls"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'disable')" "disable all firewalls"; printf "%-40s %s\n" " ├── $(colorize 'cyan' 'enable')" "enable all firewalls"; - + printf "%-40s %s\n" " └── $(colorize 'yellow' '')" "open this port"; } @@ -179,4 +179,4 @@ for arg in "${ARGS[@]}"; do echo "unknown options: ${_options_[0]}"; ;; esac -done \ No newline at end of file +done diff --git a/scripts/dnsmasq-dhcp.sh b/scripts/dnsmasq-dhcp.sh index 74a98fd..de18a1d 100644 --- a/scripts/dnsmasq-dhcp.sh +++ b/scripts/dnsmasq-dhcp.sh @@ -1,4 +1,4 @@ #!/bin/sh touch /var/log/dnsmasq-dhcp -echo "$(date) -- ${1} ${2} ${3} ${4}" >> /var/log/dnsmasq-dhcp \ No newline at end of file +echo "$(date) -- ${1} ${2} ${3} ${4}" >> /var/log/dnsmasq-dhcp diff --git a/scripts/enablePF-mscp.sh b/scripts/enablePF-mscp.sh index ade1986..f47035c 100644 --- a/scripts/enablePF-mscp.sh +++ b/scripts/enablePF-mscp.sh @@ -4,9 +4,9 @@ enable_macos_application_firewall () { /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail + /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on - /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on + /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp on } @@ -35,7 +35,7 @@ enable_pf_firewall_with_macsec_rules () { launchctl enable system/macsec.pfctl launchctl bootstrap system $macsec_pfctl_plist - pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) + pfctl -f /etc/pf.conf 2> /dev/null #flush the pf ruleset (reload the rules) } @@ -147,7 +147,7 @@ block log proto tcp to any port 540 ENDCONFIG } -#### +#### enable_macos_application_firewall create_macsec_pf_anchors 
diff --git a/scripts/generate_baseline.py b/scripts/generate_baseline.py index c5d5bbf..508fa48 100755 --- a/scripts/generate_baseline.py +++ b/scripts/generate_baseline.py @@ -2,15 +2,33 @@ # filename: generate_guidance.py # description: Process a given keyword, and output a baseline file -import os.path +import argparse import glob import os +import os.path + import yaml -import argparse -class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, disa_stig, srg, tags, result_value, mobileconfig, mobileconfig_info): +class MacSecurityRule: + def __init__( + self, + title, + rule_id, + severity, + discussion, + check, + fix, + cci, + cce, + nist_controls, + disa_stig, + srg, + tags, + result_value, + mobileconfig, + mobileconfig_info, + ): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -41,16 +59,18 @@ def create_asciidoc(self, adoc_rule_template): rule_80053r4=self.rule_80053r4, rule_disa_stig=self.rule_disa_stig, rule_srg=self.rule_srg, - rule_result=self.rule_result_value + rule_result=self.rule_result_value, ) return rule_adoc def get_rule_yaml(rule_file, custom=False): - """ Takes a rule file, checks for a custom version, and returns the yaml for the rule - """ + """Takes a rule file, checks for a custom version, and returns the yaml for the rule""" resulting_yaml = {} - names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] + names = [ + os.path.basename(x) + for x in glob.glob("../custom/rules/**/*.yaml", recursive=True) + ] file_name = os.path.basename(rule_file) # if file_name in names: # print(f"Custom settings found for rule: {rule_file}") 
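Review bot: The reflowed `names = [os.path.basename(x) for x in glob.glob("../custom/rules/**/*.yaml", recursive=True)]` at the top of get_rule_yaml walks the whole custom rules tree on every call, but the only reader visible in this hunk is the commented-out `# if file_name in names:` check directly below it. If nothing later in the function uses `names`, the list and the per-rule filesystem walk should be deleted rather than reformatted. get_rule_yaml's body continues outside the hunk, so please confirm before removing.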
@@ -68,21 +88,27 @@ def get_rule_yaml(rule_file, custom=False): if custom: print(f"Custom settings found for rule: {rule_file}") try: - override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + override_path = glob.glob( + "../custom/rules/**/{}".format(file_name), recursive=True + )[0] except IndexError: - override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + override_path = glob.glob( + "../custom/rules/{}".format(file_name), recursive=True + )[0] with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + try: - og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + og_rule_path = glob.glob("../rules/**/{}".format(file_name), recursive=True)[0] except IndexError: - #assume this is a completely new rule - og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] - + # assume this is a completely new rule + og_rule_path = glob.glob( + "../custom/rules/**/{}".format(file_name), recursive=True + )[0] + # get original/default rule yaml for comparison with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) 
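Review bot: The rewrapped `except IndexError:` branch still ends in `glob.glob("../custom/rules/{}".format(file_name), recursive=True)[0]`, an unchecked index on a glob result, so a rule file that exists in neither location dies with a second IndexError raised from inside the handler, which obscures the original lookup; the `og_rule_path` fallback further down has the same shape. A small guard reads better and fails with the file name: `matches = glob.glob("../custom/rules/**/{}".format(file_name), recursive=True)` / `if not matches:` / `raise FileNotFoundError(f"no rule file named {file_name}")`. get_rule_yaml continues outside the hunk.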
@@ -94,87 +120,108 @@ def get_rule_yaml(rule_file, custom=False): resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] else: resulting_yaml[yaml_field] = rule_yaml[yaml_field] - if 'customized' in resulting_yaml: - resulting_yaml['customized'].append("customized {}".format(yaml_field)) + if "customized" in resulting_yaml: + resulting_yaml["customized"].append( + "customized {}".format(yaml_field) + ) else: - resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + resulting_yaml["customized"] = ["customized {}".format(yaml_field)] except KeyError: resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] return resulting_yaml + def collect_rules(): - """Takes a baseline yaml file and parses the rules, returns a list of containing rules - """ + """Takes a baseline yaml file and parses the rules, returns a list of containing rules""" all_rules = [] - #expected keys and references - keys = ['mobileconfig', - 'macOS', - 'severity', - 'title', - 'check', - 'fix', - 'tags', - 'id', - 'references', - 'result', - 'discussion'] - references = ['disa_stig', - 'cci', - 'cce', - '800-53r4', - 'srg'] - - - for rule in glob.glob('../rules/**/*.yaml',recursive=True) + glob.glob('../custom/rules/**/*.yaml',recursive=True): + # expected keys and references + keys = [ + "mobileconfig", + "macOS", + "severity", + "title", + "check", + "fix", + "tags", + "id", + "references", + "result", + "discussion", + ] + references = ["disa_stig", "cci", "cce", "800-53r4", "srg"] + + for rule in glob.glob("../rules/**/*.yaml", recursive=True) + glob.glob( + "../custom/rules/**/*.yaml", recursive=True + ): rule_yaml = get_rule_yaml(rule, custom=False) for key in keys: try: rule_yaml[key] except: - #print "{} key missing ..for {}".format(key, rule) + # print "{} key missing ..for {}".format(key, rule) rule_yaml.update({key: "missing"}) if key == "references": for reference in references: try: rule_yaml[key][reference] except: - #print("expected reference '{}' is missing in key '{}' for 
rule{}".format(reference, key, rule)) + # print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) - - all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), - rule_yaml['id'].replace('|', '\|'), - rule_yaml['severity'].replace('|', '\|'), - rule_yaml['discussion'].replace('|', '\|'), - rule_yaml['check'].replace('|', '\|'), - rule_yaml['fix'].replace('|', '\|'), - rule_yaml['references']['cci'], - rule_yaml['references']['cce'], - rule_yaml['references']['800-53r4'], - rule_yaml['references']['disa_stig'], - rule_yaml['references']['srg'], - rule_yaml['tags'], - rule_yaml['result'], - rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'] - )) + + all_rules.append( + MacSecurityRule( + rule_yaml["title"].replace("|", "\|"), + rule_yaml["id"].replace("|", "\|"), + rule_yaml["severity"].replace("|", "\|"), + rule_yaml["discussion"].replace("|", "\|"), + rule_yaml["check"].replace("|", "\|"), + rule_yaml["fix"].replace("|", "\|"), + rule_yaml["references"]["cci"], + rule_yaml["references"]["cce"], + rule_yaml["references"]["800-53r4"], + rule_yaml["references"]["disa_stig"], + rule_yaml["references"]["srg"], + rule_yaml["tags"], + rule_yaml["result"], + rule_yaml["mobileconfig"], + rule_yaml["mobileconfig_info"], + ) + ) return all_rules + def create_args(): - """configure the arguments used in the script, returns the parsed arguments - """ + """configure the arguments used in the script, returns the parsed arguments""" parser = argparse.ArgumentParser( - description='Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag.') - parser.add_argument("-c", "--controls", default=None, - help="Output the 800-53 controls covered by the rules.", action="store_true") - parser.add_argument("-k", "--keyword", default=None, - help="Keyword tag to collect rules containing the tag.", action="store") - parser.add_argument("-l", "--list_tags", 
default=None, - help="List the available keyword tags to search for.", action="store_true") - + description="Given a keyword tag, generate a generic baseline.yaml file containing rules with the tag." + ) + parser.add_argument( + "-c", + "--controls", + default=None, + help="Output the 800-53 controls covered by the rules.", + action="store_true", + ) + parser.add_argument( + "-k", + "--keyword", + default=None, + help="Keyword tag to collect rules containing the tag.", + action="store", + ) + parser.add_argument( + "-l", + "--list_tags", + default=None, + help="List the available keyword tags to search for.", + action="store_true", + ) + return parser.parse_args() + def section_title(section_name): titles = { "auth": "authentication", @@ -183,25 +230,25 @@ def section_title(section_name): "pwpolicy": "passwordpolicy", "icloud": "icloud", "sysprefs": "systempreferences", - "srg": "srg" + "srg": "srg", } if section_name in titles: return titles[section_name] else: return section_name + def get_controls(all_rules): all_controls = [] for rule in all_rules: for control in rule.rule_80053r4: if control not in all_controls: all_controls.append(control) - + all_controls.sort() - + return all_controls - def available_tags(all_rules): all_tags = [] @@ -220,6 +267,7 @@ def available_tags(all_rules): print(tag) return + def output_baseline(rules, os, keyword): inherent_rules = [] permanent_rules = [] 
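Review bot: The rewritten `MacSecurityRule(...)` call in collect_rules keeps `"\|"` as the replacement string on six lines; in a non-raw literal `\|` is an invalid escape sequence that Python reports as a DeprecationWarning (SyntaxWarning from 3.12), and black leaves it untouched. Use a raw string, e.g. `rule_yaml["title"].replace("|", r"\|")`, on each of those lines. The two bare `except:` clauses above them are unchanged context, but they also swallow KeyboardInterrupt and would be better as `except KeyError:` in a follow-up.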
@@ -246,10 +294,10 @@ def output_baseline(rules, os, keyword): sections.append(section_name) output_text = f'title: "macOS {os}: Security Configuration - {keyword}"\n' - output_text += f'description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n' - output_text += f'authors: |\n |===\n |Name|Organization\n |===\n' - output_text += 'profile:\n' - + output_text += f"description: |\n This guide describes the actions to take when securing a macOS {os} system against the {keyword} baseline.\n" + output_text += f"authors: |\n |===\n |Name|Organization\n |===\n" + output_text += "profile:\n" + # sort the rules other_rules.sort() inherent_rules.sort() 
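Review bot: `output_text += f"authors: |\n |===\n |Name|Organization\n |===\n"` on the new side is an f-string with no placeholders (flake8 F541); drop the `f` prefix. More substantively, the reformatted `title` and `description` lines interpolate `os` and `keyword` straight into a double-quoted YAML scalar, so a keyword containing `"`, `\` or a newline yields a baseline file that does not parse; since `keyword` comes from the command line (`args.keyword`), escaping it or building the document with `yaml.safe_dump` would be more robust. The rest of output_baseline lies outside the hunk.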
@@ -259,41 +307,40 @@ def output_baseline(rules, os, keyword): if len(other_rules) > 0: for section in sections: - output_text += (' - section: "{}"\n'.format(section_title(section))) - output_text += (" rules:\n") + output_text += ' - section: "{}"\n'.format(section_title(section)) + output_text += " rules:\n" for rule in other_rules: if rule.startswith(section): - output_text += (" - {}\n".format(rule)) - + output_text += " - {}\n".format(rule) + if len(inherent_rules) > 0: - output_text += (' - section: "Inherent"\n') - output_text += (" rules:\n") + output_text += ' - section: "Inherent"\n' + output_text += " rules:\n" for rule in inherent_rules: - output_text += (" - {}\n".format(rule)) + output_text += " - {}\n".format(rule) if len(permanent_rules) > 0: - output_text += (' - section: "Permanent"\n') - output_text += (" rules:\n") + output_text += ' - section: "Permanent"\n' + output_text += " rules:\n" for rule in permanent_rules: - output_text += (" - {}\n".format(rule)) + output_text += " - {}\n".format(rule) if len(na_rules) > 0: - output_text += (' - section: "not_applicable"\n') - output_text += (" rules: \n") + output_text += ' - section: "not_applicable"\n' + output_text += " rules: \n" for rule in na_rules: - output_text += (" - {}\n".format(rule)) + output_text += " - {}\n".format(rule) if len(supplemental_rules) > 0: - output_text += (' - section: "Supplemental"\n') - output_text += (" rules:\n") + output_text += ' - section: "Supplemental"\n' + output_text += " rules:\n" for rule in supplemental_rules: - output_text += (" - {}\n".format(rule)) - + output_text += " - {}\n".format(rule) + return output_text def main(): - args = create_args() try: # output_basename = os.path.basename(args.baseline.name) @@ -307,7 +354,7 @@ def main(): # switch to the scripts directory os.chdir(file_dir) - + all_rules = collect_rules() if args.list_tags: 
@@ -316,26 +363,28 @@ def main(): if args.controls: baselines_file = os.path.join( - parent_dir, 'includes', '800-53_baselines.yaml') - + parent_dir, "includes", "800-53_baselines.yaml" + ) with open(baselines_file) as r: baselines = yaml.load(r, Loader=yaml.SafeLoader) - + included_controls = get_controls(all_rules) needed_controls = [] - - for control in baselines['low']: + + for control in baselines["low"]: if control not in needed_controls: needed_controls.append(control) - + for n_control in needed_controls: if n_control not in included_controls: - print(f'{n_control} missing from any rule, needs a rule, or included in supplemental') + print( + f"{n_control} missing from any rule, needs a rule, or included in supplemental" + ) return - build_path = os.path.join(parent_dir, 'build', 'baselines') + build_path = os.path.join(parent_dir, "build", "baselines") if not (os.path.isdir(build_path)): try: os.makedirs(build_path) @@ -347,7 +396,7 @@ def main(): version_file = os.path.join(parent_dir, "VERSION.yaml") with open(version_file) as r: - version_yaml = yaml.load(r, Loader=yaml.SafeLoader) + version_yaml = yaml.load(r, Loader=yaml.SafeLoader) found_rules = [] for rule in all_rules: 
@@ -357,15 +406,20 @@ def main(): if "supplemental" in rule.rule_tags: if rule not in found_rules: found_rules.append(rule) - + if args.keyword == None: - print("No rules found for the keyword provided, please verify from the following list:") + print( + "No rules found for the keyword provided, please verify from the following list:" + ) available_tags(all_rules) else: - baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", 'w') - baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], args.keyword)) + baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", "w") + baseline_output_file.write( + output_baseline(found_rules, version_yaml["os"], args.keyword) + ) # finally revert back to the prior directory os.chdir(original_working_directory) + if __name__ == "__main__": main() diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 91a0b42..28725de 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py 
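Review bot: The reflowed `baseline_output_file = open(f"{build_path}/{args.keyword}.yaml", "w")` still never closes the file, so the write is only flushed when the object is garbage-collected and an exception from output_baseline leaks the handle. Replace the two statements with `with open(f"{build_path}/{args.keyword}.yaml", "w") as baseline_output_file:` / `baseline_output_file.write(output_baseline(found_rules, version_yaml["os"], args.keyword))`. The `if args.keyword == None:` guard above is unchanged context but should compare with `is None`.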
@@ -1,29 +1,51 @@ -#!/usr/bin/env python3 -# filename: generate_guidance.py -# description: Process a given baseline, and output guidance files -import types -import sys -import os.path -import plistlib -import xlwt -import io +import argparse import glob +import io +import logging import os -import yaml +import os.path +import plistlib import re -import argparse import subprocess -import logging +import sys import tempfile -from xlwt import Workbook -from string import Template +#!/usr/bin/env python3 +# filename: generate_guidance.py +# description: Process a given baseline, and output guidance files +import types +from collections import namedtuple from itertools import groupby +from string import Template from uuid import uuid4 -from collections import namedtuple +import xlwt +import yaml +from xlwt import Workbook -class MacSecurityRule(): - def __init__(self, title, rule_id, severity, discussion, check, fix, cci, cce, nist_controls, nist_171, disa_stig, srg, cis, custom_refs, tags, result_value, mobileconfig, mobileconfig_info, customized): + +class MacSecurityRule: + def __init__( + self, + title, + rule_id, + severity, + discussion, + check, + fix, + cci, + cce, + nist_controls, + nist_171, + disa_stig, + srg, + cis, + custom_refs, + tags, + result_value, + mobileconfig, + mobileconfig_info, + customized, + ): self.rule_title = title self.rule_id = rule_id self.rule_severity = severity @@ -59,7 +81,7 @@ def create_asciidoc(self, adoc_rule_template): rule_disa_stig=self.rule_disa_stig, rule_cis=self.rule_cis, rule_srg=self.rule_srg, - rule_result=self.rule_result_value + rule_result=self.rule_result_value, ) return rule_adoc @@ -67,12 +89,15 @@ def create_mobileconfig(self): pass # Convert a list to AsciiDoc + + def ulify(elements): string = "\n" for s in elements: string += "* " + str(s) + "\n" return string + def group_ulify(elements): string = "\n * " for s in elements: 
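Review bot: isort moved `#!/usr/bin/env python3` (together with the `# filename` and `# description` comments) below the first block of imports, so it is now an ordinary comment and the executable bit on scripts/generate_guidance.py (mode 100755) no longer does anything: `./generate_guidance.py` will be handed to the shell instead of Python. Move the shebang back to line 1 with the two header comments under it, above `import argparse`, and make sure the hook keeps them there on the next run. generate_baseline.py in the same commit keeps its shebang only because its first hunk starts at line 2.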
@@ -92,14 +117,14 @@ def get_check_code(check_yaml): check_string = check_yaml.split("[source,bash]")[1] except: return check_yaml - #print check_string - check_code = re.search('(?:----((?:.*?\r?\n?)*)----)+', check_string) - #print(check_code.group(1).rstrip()) - return(check_code.group(1).strip()) + # print check_string + check_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", check_string) + # print(check_code.group(1).rstrip()) + return check_code.group(1).strip() def quotify(fix_code): - string = fix_code.replace("'", "\'\"\'\"\'") + string = fix_code.replace("'", "'\"'\"'") string = string.replace("%", "%%") return string 
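Review bot: `return check_code.group(1).strip()` at the end of get_check_code uses the result of `re.search` without a None check, so a `[source,bash]` section that lacks the `----` delimiters fails with AttributeError instead of a readable message; add `if check_code is None: return check_yaml` (or raise a ValueError naming the rule) before it. The bare `except:` above it swallows every exception from the split, including KeyboardInterrupt, while the case it is meant to cover is the missing `[source,bash]` marker, i.e. `except IndexError:`. quotify on the same line is formatting only.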
@@ -107,96 +132,107 @@ def quotify(fix_code): def get_fix_code(fix_yaml): fix_string = fix_yaml.split("[source,bash]")[1] - fix_code = re.search('(?:----((?:.*?\r?\n?)*)----)+', fix_string) - return(fix_code.group(1)) + fix_code = re.search("(?:----((?:.*?\r?\n?)*)----)+", fix_string) + return fix_code.group(1) def format_mobileconfig_fix(mobileconfig): - """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide. - """ + """Takes a list of domains and setting from a mobileconfig, and reformats it for the output of the fix section of the guide.""" rulefix = "" for domain, settings in mobileconfig.items(): if domain == "com.apple.ManagedClient.preferences": - rulefix = rulefix + \ - (f"NOTE: The following settings are in the ({domain}) payload. This payload requires the additional settings to be sub-payloads within, containing their their defined payload types.\n\n") + rulefix = rulefix + ( + f"NOTE: The following settings are in the ({domain}) payload. 
This payload requires the additional settings to be sub-payloads within, containing their their defined payload types.\n\n" + ) rulefix = rulefix + format_mobileconfig_fix(settings) else: rulefix = rulefix + ( - f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n") + f"Create a configuration profile containing the following keys in the ({domain}) payload type:\n\n" + ) rulefix = rulefix + "[source,xml]\n----\n" for item in settings.items(): rulefix = rulefix + (f"{item[0]}\n") if type(item[1]) == bool: - rulefix = rulefix + \ - (f"<{str(item[1]).lower()}/>\n") + rulefix = rulefix + (f"<{str(item[1]).lower()}/>\n") elif type(item[1]) == list: rulefix = rulefix + "\n" for setting in item[1]: - rulefix = rulefix + \ - (f" {setting}\n") + rulefix = rulefix + (f" {setting}\n") rulefix = rulefix + "\n" elif type(item[1]) == int: - rulefix = rulefix + \ - (f"{item[1]}\n") + rulefix = rulefix + (f"{item[1]}\n") elif type(item[1]) == str: - rulefix = rulefix + \ - (f"{item[1]}\n") + rulefix = rulefix + (f"{item[1]}\n") rulefix = rulefix + "----\n\n" return rulefix + class AdocTemplate: def __init__(self, name, path, template_file): self.name = name self.path = path self.template_file = template_file + class PayloadDict: """Class to create and manipulate Configuration Profiles. The actual plist content can be accessed as a dictionary via the 'data' attribute. 
""" - def __init__(self, identifier, uuid=False, removal_allowed=False, description='', organization='', displayname=''): + def __init__( + self, + identifier, + uuid=False, + removal_allowed=False, + description="", + organization="", + displayname="", + ): self.data = {} - self.data['PayloadVersion'] = 1 - self.data['PayloadOrganization'] = organization + self.data["PayloadVersion"] = 1 + self.data["PayloadOrganization"] = organization if uuid: - self.data['PayloadUUID'] = uuid + self.data["PayloadUUID"] = uuid else: - self.data['PayloadUUID'] = makeNewUUID() + self.data["PayloadUUID"] = makeNewUUID() if removal_allowed: - self.data['PayloadRemovalDisallowed'] = False + self.data["PayloadRemovalDisallowed"] = False else: - self.data['PayloadRemovalDisallowed'] = True - self.data['PayloadType'] = 'Configuration' - self.data['PayloadScope'] = 'System' - self.data['PayloadDescription'] = description - self.data['PayloadDisplayName'] = displayname - self.data['PayloadIdentifier'] = identifier - self.data['ConsentText'] = {"default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. 
IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER."} + self.data["PayloadRemovalDisallowed"] = True + self.data["PayloadType"] = "Configuration" + self.data["PayloadScope"] = "System" + self.data["PayloadDescription"] = description + self.data["PayloadDisplayName"] = displayname + self.data["PayloadIdentifier"] = identifier + self.data["ConsentText"] = { + "default": "THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER." + } # An empty list for 'sub payloads' that we'll fill later - self.data['PayloadContent'] = [] + self.data["PayloadContent"] = [] def _updatePayload(self, payload_content_dict, baseline_name): """Update the profile with the payload settings. 
Takes the settings dictionary which will be the PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive elements. """ - #description = "Configuration settings for the {} preference domain.".format(payload_type) + # description = "Configuration settings for the {} preference domain.".format(payload_type) payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadEnabled'] = True - payload_dict['PayloadType'] = payload_content_dict['PayloadType'] - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" - - payload_dict['PayloadContent'] = payload_content_dict + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadEnabled"] = True + payload_dict["PayloadType"] = payload_content_dict["PayloadType"] + payload_dict[ + "PayloadIdentifier" + ] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + + payload_dict["PayloadContent"] = payload_content_dict # Add the payload to the profile self.data.update(payload_dict) 
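Review bot: get_fix_code has the same unchecked `re.search` as get_check_code: `return fix_code.group(1)` raises AttributeError when the fix text has no `----` fenced block, and there is no guard around the `split("[source,bash]")[1]` either, so a rule without that marker fails with IndexError. A short `if fix_code is None: raise ValueError("fix section has no ---- block")` turns both into a readable error. In format_mobileconfig_fix the `type(item[1]) == bool` / `== list` / `== int` / `== str` chain should be `isinstance` checks, and the NOTE string that is written into the guide contains the doubled word `their their`. PayloadDict.__init__ and _updatePayload in this hunk are formatting only; the hunk ends inside the PayloadDict class.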
@@ -205,36 +241,40 @@ def _addPayload(self, payload_content_dict, baseline_name): PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive elements. """ - #description = "Configuration settings for the {} preference domain.".format(payload_type) + # description = "Configuration settings for the {} preference domain.".format(payload_type) payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadEnabled'] = True - payload_dict['PayloadType'] = payload_content_dict['PayloadType'] - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" - - payload_dict['PayloadContent'] = payload_content_dict + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadEnabled"] = True + payload_dict["PayloadType"] = payload_content_dict["PayloadType"] + payload_dict[ + "PayloadIdentifier" + ] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + + payload_dict["PayloadContent"] = payload_content_dict # Add the payload to the profile - #print payload_dict - del payload_dict['PayloadContent']['PayloadType'] - self.data['PayloadContent'].append(payload_dict) + # print payload_dict + del payload_dict["PayloadContent"]["PayloadType"] + self.data["PayloadContent"].append(payload_dict) def addNewPayload(self, payload_type, settings, baseline_name): """Add a payload to the profile. Takes the settings dictionary which will be the PayloadContent dict within the payload. Handles the boilerplate, naming and descriptive elements. 
""" - #description = "Configuration settings for the {} preference domain.".format(payload_type) + # description = "Configuration settings for the {} preference domain.".format(payload_type) payload_dict = {} # Boilerplate - payload_dict['PayloadVersion'] = 1 - payload_dict['PayloadUUID'] = makeNewUUID() - payload_dict['PayloadEnabled'] = True - payload_dict['PayloadType'] = payload_type - payload_dict['PayloadIdentifier'] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" + payload_dict["PayloadVersion"] = 1 + payload_dict["PayloadUUID"] = makeNewUUID() + payload_dict["PayloadEnabled"] = True + payload_dict["PayloadType"] = payload_type + payload_dict[ + "PayloadIdentifier" + ] = f"alacarte.macOS.{baseline_name}.{payload_dict['PayloadUUID']}" # Add the settings to the payload for setting in settings: @@ -243,7 +283,7 @@ def addNewPayload(self, payload_type, settings, baseline_name): # Add the payload to the profile # - self.data['PayloadContent'].append(payload_dict) + self.data["PayloadContent"].append(payload_dict) def addMCXPayload(self, settings, baseline_name): """Add a payload to the profile. Takes the settings dictionary which will be the @@ -255,7 +295,7 @@ def addMCXPayload(self, settings, baseline_name): for key in keys.split(): plist_dict[key] = settings[2] - #description = "Configuration settings for the {} preference domain.".format(payload_type) + # description = "Configuration settings for the {} preference domain.".format(payload_type) payload_dict = {} state = "Forced" 
@@ -265,43 +305,45 @@ def addMCXPayload(self, settings, baseline_name): payload_dict[domain] = {} payload_dict[domain][state] = [] payload_dict[domain][state].append({}) - payload_dict[domain][state][0]['mcx_preference_settings'] = plist_dict - payload_dict['PayloadType'] = "com.apple.ManagedClient.preferences" + payload_dict[domain][state][0]["mcx_preference_settings"] = plist_dict + payload_dict["PayloadType"] = "com.apple.ManagedClient.preferences" self._addPayload(payload_dict, baseline_name) def finalizeAndSave(self, output_path): - """Perform last modifications and save to configuration profile. - """ + """Perform last modifications and save to configuration profile.""" plistlib.dump(self.data, output_path) print(f"Configuration profile written to {output_path.name}") def finalizeAndSavePlist(self, output_path): - """Perform last modifications and save to an output plist. - """ + """Perform last modifications and save to an output plist.""" output_file_path = output_path.name preferences_path = os.path.dirname(output_file_path) - settings_dict = {} - for i in self.data['PayloadContent']: - if i['PayloadType'] == "com.apple.ManagedClient.preferences": - for key, value in i['PayloadContent'].items(): - domain=key - preferences_output_file = os.path.join(preferences_path, domain + ".plist") + for i in self.data["PayloadContent"]: + if i["PayloadType"] == "com.apple.ManagedClient.preferences": + for key, value in i["PayloadContent"].items(): + domain = key + preferences_output_file = os.path.join( + preferences_path, domain + ".plist" + ) if not os.path.exists(preferences_output_file): - with open(preferences_output_file, 'w'): pass - with open (preferences_output_file, 'rb') as fp: + with open(preferences_output_file, "w"): + pass + with open(preferences_output_file, "rb") as fp: try: settings_dict = plistlib.load(fp) except: settings_dict = {} - with open(preferences_output_file, 'wb') as fp: - for setting in value['Forced']: - for key, value in 
setting['mcx_preference_settings'].items(): + with open(preferences_output_file, "wb") as fp: + for setting in value["Forced"]: + for key, value in setting[ + "mcx_preference_settings" + ].items(): settings_dict[key] = value - - #preferences_output_path = open(preferences_output_file, 'wb') + + # preferences_output_path = open(preferences_output_file, 'wb') plistlib.dump(settings_dict, fp) print(f"Settings plist written to {preferences_output_file}") settings_dict.clear() @@ -311,26 +353,25 @@ def finalizeAndSavePlist(self, output_path): continue else: if os.path.exists(output_file_path): - with open (output_file_path, 'rb') as fp: + with open(output_file_path, "rb") as fp: try: settings_dict = plistlib.load(fp) except: settings_dict = {} - for key,value in i.items(): + for key, value in i.items(): if not key.startswith("Payload"): settings_dict[key] = value - + plistlib.dump(settings_dict, output_path) print(f"Settings plist written to {output_path.name}") - + def makeNewUUID(): return str(uuid4()) def concatenate_payload_settings(settings): - """Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key - """ + """Takes a list of dictionaries, removed duplicate entries and concatenates an array of settings for the same key""" settings_list = [] settings_dict = {} for item in settings: 
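Review bot: The two bare `except:` blocks in finalizeAndSavePlist (one in each hunk on this line) turn any failure to read an existing preferences plist, including a corrupt or non-plist file, into `settings_dict = {}`, after which the file is rewritten with only the new keys and the previous settings are silently lost; catching `plistlib.InvalidFileException` narrowly and logging which file was reset would make that overwrite visible. The inner `for key, value in setting["mcx_preference_settings"].items()` rebinds the `key`/`value` of the enclosing `for key, value in i["PayloadContent"].items()`; it works only because the outer iterator already exists, and renaming the inner pair (`pref_key, pref_value`) removes the trap. Creating the file with `open(preferences_output_file, "w")` merely so the following `open(..., "rb")` succeeds can be replaced by skipping the load when the file does not exist.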
@@ -345,74 +386,85 @@ def concatenate_payload_settings(settings): return [settings_dict] -def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, hash=''): - """Generate the configuration profiles for the rules in the provided baseline YAML file - """ +def generate_profiles( + baseline_name, build_path, parent_dir, baseline_yaml, signing, hash="" +): + """Generate the configuration profiles for the rules in the provided baseline YAML file""" organization = "macOS Security Compliance Project" displayname = f"macOS {baseline_name} Baseline settings" # import profile_manifests.plist - manifests_file = os.path.join( - parent_dir, 'includes', 'supported_payloads.yaml') + manifests_file = os.path.join(parent_dir, "includes", "supported_payloads.yaml") with open(manifests_file) as r: manifests = yaml.load(r, Loader=yaml.SafeLoader) # Output folder unsigned_mobileconfig_output_path = os.path.join( - f'{build_path}', 'mobileconfigs', 'unsigned') + f"{build_path}", "mobileconfigs", "unsigned" + ) if not (os.path.isdir(unsigned_mobileconfig_output_path)): try: os.makedirs(unsigned_mobileconfig_output_path) except OSError: - print("Creation of the directory %s failed" % - unsigned_mobileconfig_output_path) - + print( + "Creation of the directory %s failed" + % unsigned_mobileconfig_output_path + ) + if signing: signed_mobileconfig_output_path = os.path.join( - f'{build_path}', 'mobileconfigs', 'signed') + f"{build_path}", "mobileconfigs", "signed" + ) if not (os.path.isdir(signed_mobileconfig_output_path)): try: os.makedirs(signed_mobileconfig_output_path) except OSError: - print("Creation of the directory %s failed" % - signed_mobileconfig_output_path) + print( + "Creation of the directory %s failed" + % signed_mobileconfig_output_path + ) settings_plist_output_path = os.path.join( - f'{build_path}', 'mobileconfigs', 'preferences') + f"{build_path}", "mobileconfigs", "preferences" + ) if not (os.path.isdir(settings_plist_output_path)): try: 
os.makedirs(settings_plist_output_path) except OSError: - print("Creation of the directory %s failed" % - settings_plist_output_path) + print("Creation of the directory %s failed" % settings_plist_output_path) # setup lists and dictionaries profile_errors = [] profile_types = {} mount_controls = {} - for sections in baseline_yaml['profile']: - for profile_rule in sections['rules']: + for sections in baseline_yaml["profile"]: + for profile_rule in sections["rules"]: logging.debug(f"checking for rule file for {profile_rule}") - if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] - custom=True + if glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + ): + rule = glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + )[0] + custom = True logging.debug(f"{rule}") - elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] - custom=False + elif glob.glob("../rules/*/{}.yaml".format(profile_rule)): + rule = glob.glob("../rules/*/{}.yaml".format(profile_rule))[0] + custom = False logging.debug(f"{rule}") - #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): + # for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule_yaml = get_rule_yaml(rule, custom) - - if rule_yaml['mobileconfig']: - for payload_type, info in rule_yaml['mobileconfig_info'].items(): + + if rule_yaml["mobileconfig"]: + for payload_type, info in rule_yaml["mobileconfig_info"].items(): valid = True try: - if payload_type not in manifests['payloads_types']: + if payload_type not in manifests["payloads_types"]: profile_errors.append(rule) raise ValueError( - "{}: Payload Type is not 
supported".format(payload_type)) + "{}: Payload Type is not supported".format(payload_type) + ) else: pass except (KeyError, ValueError) as e: 
@@ -422,82 +474,99 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign try: if isinstance(info, list): - raise ValueError( - "Payload key is non-conforming") + raise ValueError("Payload key is non-conforming") else: pass except (KeyError, ValueError) as e: profile_errors.append(rule) logging.debug(e) valid = False - + if valid: if payload_type == "com.apple.systemuiserver": - for setting_key, setting_value in info['mount-controls'].items(): + for setting_key, setting_value in info[ + "mount-controls" + ].items(): mount_controls[setting_key] = setting_value payload_settings = {"mount-controls": mount_controls} - profile_types.setdefault( - payload_type, []).append(payload_settings) + profile_types.setdefault(payload_type, []).append( + payload_settings + ) elif payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): for key, value in settings.items(): - payload_settings = ( - payload_domain, key, value) - profile_types.setdefault( - payload_type, []).append(payload_settings) + payload_settings = (payload_domain, key, value) + profile_types.setdefault(payload_type, []).append( + payload_settings + ) else: for profile_key, key_value in info.items(): payload_settings = {profile_key: key_value} - profile_types.setdefault( - payload_type, []).append(payload_settings) + profile_types.setdefault(payload_type, []).append( + payload_settings + ) if len(profile_errors) > 0: - print("There are errors in the following files, please correct the .yaml file(s)!") + print( + "There are errors in the following files, please correct the .yaml file(s)!" 
+ ) for error in profile_errors: print(error) # process the payloads from the yaml file and generate new config profile for each type for payload, settings in profile_types.items(): if payload.startswith("."): unsigned_mobileconfig_file_path = os.path.join( - unsigned_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig') + unsigned_mobileconfig_output_path, + "com.apple" + payload + ".mobileconfig", + ) settings_plist_file_path = os.path.join( - settings_plist_output_path, "com.apple" + payload + '.plist') + settings_plist_output_path, "com.apple" + payload + ".plist" + ) if signing: signed_mobileconfig_file_path = os.path.join( - signed_mobileconfig_output_path, "com.apple" + payload + '.mobileconfig') + signed_mobileconfig_output_path, + "com.apple" + payload + ".mobileconfig", + ) else: unsigned_mobileconfig_file_path = os.path.join( - unsigned_mobileconfig_output_path, payload + '.mobileconfig') + unsigned_mobileconfig_output_path, payload + ".mobileconfig" + ) settings_plist_file_path = os.path.join( - settings_plist_output_path, payload + '.plist') + settings_plist_output_path, payload + ".plist" + ) if signing: signed_mobileconfig_file_path = os.path.join( - signed_mobileconfig_output_path, payload + '.mobileconfig') + signed_mobileconfig_output_path, payload + ".mobileconfig" + ) identifier = payload + f".{baseline_name}" description = "Configuration settings for the {} preference domain.".format( - payload) - - newProfile = PayloadDict(identifier=identifier, - uuid=False, - removal_allowed=False, - organization=organization, - displayname=displayname, - description=description) + payload + ) - + newProfile = PayloadDict( + identifier=identifier, + uuid=False, + removal_allowed=False, + organization=organization, + displayname=displayname, + description=description, + ) if payload == "com.apple.ManagedClient.preferences": for item in settings: newProfile.addMCXPayload(item, baseline_name) # handle these payloads for array settings - elif 
(payload == "com.apple.applicationaccess.new") or (payload == 'com.apple.systempreferences'): + elif (payload == "com.apple.applicationaccess.new") or ( + payload == "com.apple.systempreferences" + ): newProfile.addNewPayload( - payload, concatenate_payload_settings(settings), baseline_name) + payload, concatenate_payload_settings(settings), baseline_name + ) else: newProfile.addNewPayload(payload, settings, baseline_name) if signing: - unsigned_file_path=os.path.join(unsigned_mobileconfig_file_path) + unsigned_file_path = os.path.join(unsigned_mobileconfig_file_path) unsigned_config_file = open(unsigned_file_path, "wb") newProfile.finalizeAndSave(unsigned_config_file) settings_config_file = open(settings_plist_file_path, "wb") 
@@ -513,63 +582,63 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign newProfile.finalizeAndSave(config_file) newProfile.finalizeAndSavePlist(settings_config_file) config_file.close() - - print(f""" + + print( + f""" CAUTION: These configuration profiles are intended for evaluation in a TEST - environment. Certain configuration profiles (Smartcards), when applied could - leave a system in a state where a user can no longer login with a password. + environment. Certain configuration profiles (Smartcards), when applied could + leave a system in a state where a user can no longer login with a password. Please use caution when applying configuration settings to a system. - + NOTE: If an MDM is already being leveraged, many of these profile settings may be available through the vendor. - """) + """ + ) + def default_audit_plist(baseline_name, build_path, baseline_yaml): - """"Generate the default audit plist file to define exemptions - """ - + """ "Generate the default audit plist file to define exemptions""" + # Output folder - plist_output_path = os.path.join( - f'{build_path}', 'preferences') + plist_output_path = os.path.join(f"{build_path}", "preferences") if not (os.path.isdir(plist_output_path)): try: os.makedirs(plist_output_path) except OSError: - print("Creation of the directory %s failed" % - plist_output_path) + print("Creation of the directory %s failed" % plist_output_path) plist_file_path = os.path.join( - plist_output_path, 'org.' + baseline_name + '.audit.plist') + plist_output_path, "org." 
+ baseline_name + ".audit.plist" + ) plist_file = open(plist_file_path, "wb") plist_dict = {} - for sections in baseline_yaml['profile']: - for profile_rule in sections['rules']: + for sections in baseline_yaml["profile"]: + for profile_rule in sections["rules"]: if profile_rule.startswith("supplemental"): continue - plist_dict[profile_rule] = { "exempt": False } - + plist_dict[profile_rule] = {"exempt": False} + plistlib.dump(plist_dict, plist_file) def generate_script(baseline_name, build_path, baseline_yaml, reference): - """Generates the zsh script from the rules in the baseline YAML - """ + """Generates the zsh script from the rules in the baseline YAML""" compliance_script_file = open( - build_path + '/' + baseline_name + '_compliance.sh', 'w') + build_path + "/" + baseline_name + "_compliance.sh", "w" + ) check_function_string = "" fix_function_string = "" - # create header of fix zsh script check_zsh_header = f"""#!/bin/zsh ## This script will attempt to audit all of the settings based on the installed profile. -## This script is provided as-is and should be fully tested on a system that is not in a production environment. +## This script is provided as-is and should be fully tested on a system that is not in a production environment. ################### Variables ################### @@ -642,7 +711,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # Ask the question - use /dev/tty in case stdin is redirected from somewhere else printf "${{YELLOW}} $1 [$prompt] ${{STD}}" read REPLY - + # Default? if [ -z "$REPLY" ]; then REPLY=$default @@ -660,7 +729,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # function to display menus show_menus() {{ clear - echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" + echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo " M A I N - M E N U" echo " macOS Security Compliance Tool" echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" 
@@ -690,7 +759,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): non_compliant=0 results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist) - + while IFS= read -r line; do if [[ "$line" =~ "finding = false" ]]; then compliant=$((compliant+1)) @@ -699,8 +768,8 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): non_compliant=$((non_compliant+1)) fi done <<< "$results" - - # Enable output of just the compliant or non-compliant numbers. + + # Enable output of just the compliant or non-compliant numbers. if [[ $1 = "compliant" ]] then echo $compliant @@ -718,7 +787,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): count=($(compliance_count)) compliant=${{count[1]}} non_compliant=${{count[2]}} - + total=$((non_compliant + compliant)) percentage=$(printf %.2f $(( compliant * 100. / total )) ) echo @@ -729,7 +798,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): }} view_report(){{ - + if [[ $lastComplianceScan == "No scans have been run" ]];then echo "no report to run, please run new scan" pause @@ -743,7 +812,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): count=($(compliance_count)) compliant=${{count[1]}} non_compliant=${{count[2]}} - + total=$((non_compliant + compliant)) percentage=$(printf %.2f $(( compliant * 100. / total )) ) echo "PASSED: $compliant FAILED: $non_compliant, $percentage percent compliant!" 
@@ -767,68 +836,82 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): """ # Read all rules in the section and output the check functions - for sections in baseline_yaml['profile']: - for profile_rule in sections['rules']: + for sections in baseline_yaml["profile"]: + for profile_rule in sections["rules"]: logging.debug(f"checking for rule file for {profile_rule}") - if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] - custom=True + if glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + ): + rule = glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + )[0] + custom = True logging.debug(f"{rule}") - elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] - custom=False + elif glob.glob("../rules/*/{}.yaml".format(profile_rule)): + rule = glob.glob("../rules/*/{}.yaml".format(profile_rule))[0] + custom = False logging.debug(f"{rule}") rule_yaml = get_rule_yaml(rule, custom) - if rule_yaml['id'].startswith("supplemental"): + if rule_yaml["id"].startswith("supplemental"): continue - if "manual" in rule_yaml['tags']: + if "manual" in rule_yaml["tags"]: continue - if "arm64" in rule_yaml['tags']: - arch="arm64" - elif "intel" in rule_yaml['tags']: - arch="i386" + if "arm64" in rule_yaml["tags"]: + arch = "arm64" + elif "intel" in rule_yaml["tags"]: + arch = "i386" else: - arch="" - + arch = "" + # grab the 800-53 controls try: - rule_yaml['references']['800-53r5'] + rule_yaml["references"]["800-53r5"] except KeyError: - nist_80053r5 = 'N/A' + nist_80053r5 = "N/A" else: - nist_80053r5 = rule_yaml['references']['800-53r5'] - + nist_80053r5 = rule_yaml["references"]["800-53r5"] + if reference == "default": - log_reference_id = [rule_yaml['id']] + log_reference_id = [rule_yaml["id"]] else: - try: - 
rule_yaml['references'][reference] + try: + rule_yaml["references"][reference] except KeyError: - try: - rule_yaml['references']['custom'][reference] + try: + rule_yaml["references"]["custom"][reference] except KeyError: - log_reference_id = [rule_yaml['id']] + log_reference_id = [rule_yaml["id"]] else: - if isinstance(rule_yaml['references']['custom'][reference], list): - log_reference_id = rule_yaml['references']['custom'][reference] + [rule_yaml['id']] + if isinstance( + rule_yaml["references"]["custom"][reference], list + ): + log_reference_id = rule_yaml["references"]["custom"][ + reference + ] + [rule_yaml["id"]] else: - log_reference_id = [rule_yaml['references']['custom'][reference]] + [rule_yaml['id']] + log_reference_id = [ + rule_yaml["references"]["custom"][reference] + ] + [rule_yaml["id"]] else: - if isinstance(rule_yaml['references'][reference], list): - log_reference_id = rule_yaml['references'][reference] + [rule_yaml['id']] + if isinstance(rule_yaml["references"][reference], list): + log_reference_id = rule_yaml["references"][reference] + [ + rule_yaml["id"] + ] else: - log_reference_id = [rule_yaml['references'][reference]] + [rule_yaml['id']] - - - # group the controls + log_reference_id = [rule_yaml["references"][reference]] + [ + rule_yaml["id"] + ] + + # group the controls if not nist_80053r5 == "N/A": nist_80053r5.sort() - res = [list(i) for j, i in groupby( - nist_80053r5, lambda a: a.split('(')[0])] - nist_controls = '' + res = [ + list(i) for j, i in groupby(nist_80053r5, lambda a: a.split("(")[0]) + ] + nist_controls = "" for i in res: nist_controls += group_ulify(i) else: 
@@ -836,22 +919,22 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # print checks and result try: - check = rule_yaml['check'] + check = rule_yaml["check"] except KeyError: - print("no check found for {}".format(rule_yaml['id'])) + print("no check found for {}".format(rule_yaml["id"])) continue try: - result = rule_yaml['result'] + result = rule_yaml["result"] except KeyError: - #print("no result found for {}".format(rule_yaml['id'])) + # print("no result found for {}".format(rule_yaml['id'])) continue if "integer" in result: - result_value = result['integer'] + result_value = result["integer"] elif "boolean" in result: - result_value = str(result['boolean']).lower() + result_value = str(result["boolean"]).lower() elif "string" in result: - result_value = result['string'] + result_value = result["string"] else: continue @@ -874,7 +957,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null) - + if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then if [[ $result_value == "{4}" ]]; then echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log" 
@@ -892,22 +975,30 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log" defaults write "$audit_plist" {0} -dict-add finding -bool NO fi - """.format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), str(result).lower(), result_value, ' '.join(log_reference_id), arch) + """.format( + rule_yaml["id"], + nist_controls.replace("\n", "\n#"), + check.strip(), + str(result).lower(), + result_value, + " ".join(log_reference_id), + arch, + ) check_function_string = check_function_string + zsh_check_text # print fix and result try: - rule_yaml['fix'] + rule_yaml["fix"] except KeyError: - fix_text = 'N/A' + fix_text = "N/A" else: - fix_text = rule_yaml['fix'] or ["n/a"] + fix_text = rule_yaml["fix"] or ["n/a"] -# write the fixes + # write the fixes if "[source,bash]" in fix_text: - nist_controls_commented = nist_controls.replace('\n', '\n#') + nist_controls_commented = nist_controls.replace("\n", "\n#") zsh_fix_text = f""" #####----- Rule: {rule_yaml['id']} -----##### ## Addresses the following NIST 800-53 controls: {nist_controls_commented} @@ -956,7 +1047,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): pause show_menus read_options - else + else exit 1 fi fi @@ -973,7 +1064,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # append to existing logfile echo "$(date -u) Beginning remediation of non-compliant settings" >> "$audit_log" -# run mcxrefresh +# run mcxrefresh /usr/bin/mcxrefresh -u $CURR_USER_UID 
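Review bot: In the fix lookup's `else` branch, `fix_text = rule_yaml["fix"] or ["n/a"]` produces a list when a rule's `fix` is empty, while the `KeyError` branch produces the string `"N/A"`, so the two paths hand downstream code different types; the next `if "[source,bash]" in fix_text` is false for both only by accident. `fix_text = rule_yaml["fix"] or "N/A"` keeps the branches consistent. The generated zsh also logs `does not apply to this architechture`, a typo that ends up verbatim in the audit log. generate_script begins before this hunk and continues past it.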
@@ -995,13 +1086,13 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): if [[ $check ]];then run_scan -elif [[ $fix ]];then +elif [[ $fix ]];then run_fix -elif [[ $stats ]];then +elif [[ $stats ]];then generate_stats -elif [[ $compliant ]];then +elif [[ $compliant ]];then compliance_count "compliant" -elif [[ $non_compliant ]];then +elif [[ $non_compliant ]];then compliance_count "non-compliant" else while true; do @@ -1011,7 +1102,7 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): fi """ - #write out the compliance script + # write out the compliance script compliance_script_file.write(check_zsh_header) compliance_script_file.write(check_function_string) compliance_script_file.write(zsh_check_footer) @@ -1023,14 +1114,17 @@ def generate_script(baseline_name, build_path, baseline_yaml, reference): # make the compliance script executable os.chmod(compliance_script_file.name, 0o755) - #fix_script_file.close() + # fix_script_file.close() compliance_script_file.close() + def get_rule_yaml(rule_file, custom=False): - """ Takes a rule file, checks for a custom version, and returns the yaml for the rule - """ + """Takes a rule file, checks for a custom version, and returns the yaml for the rule""" resulting_yaml = {} - names = [os.path.basename(x) for x in glob.glob('../custom/rules/**/*.yaml', recursive=True)] + names = [ + os.path.basename(x) + for x in glob.glob("../custom/rules/**/*.yaml", recursive=True) + ] file_name = os.path.basename(rule_file) # if file_name in names: # print(f"Custom settings found for rule: {rule_file}") 
@@ -1048,66 +1142,87 @@ def get_rule_yaml(rule_file, custom=False): if custom: print(f"Custom settings found for rule: {rule_file}") try: - override_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] + override_path = glob.glob( + "../custom/rules/**/{}".format(file_name), recursive=True + )[0] except IndexError: - override_path = glob.glob('../custom/rules/{}'.format(file_name), recursive=True)[0] + override_path = glob.glob( + "../custom/rules/{}".format(file_name), recursive=True + )[0] with open(override_path) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - + try: - og_rule_path = glob.glob('../rules/**/{}'.format(file_name), recursive=True)[0] + og_rule_path = glob.glob("../rules/**/{}".format(file_name), recursive=True)[0] except IndexError: - #assume this is a completely new rule - og_rule_path = glob.glob('../custom/rules/**/{}'.format(file_name), recursive=True)[0] - resulting_yaml['customized'] = ["customized rule"] - + # assume this is a completely new rule + og_rule_path = glob.glob( + "../custom/rules/**/{}".format(file_name), recursive=True + )[0] + resulting_yaml["customized"] = ["customized rule"] + # get original/default rule yaml for comparison with open(og_rule_path) as og: og_rule_yaml = yaml.load(og, Loader=yaml.SafeLoader) for yaml_field in og_rule_yaml: - #print('processing field {} for rule {}'.format(yaml_field, file_name)) + # print('processing field {} for rule {}'.format(yaml_field, file_name)) if yaml_field == "references": - if not 'references' in resulting_yaml: - resulting_yaml['references'] = {} - for ref in og_rule_yaml['references']: + if not "references" in resulting_yaml: + resulting_yaml["references"] = {} + for ref in og_rule_yaml["references"]: try: - if og_rule_yaml['references'][ref] == rule_yaml['references'][ref]: - resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] + if 
og_rule_yaml["references"][ref] == rule_yaml["references"][ref]: + resulting_yaml["references"][ref] = og_rule_yaml["references"][ + ref + ] else: - resulting_yaml['references'][ref] = rule_yaml['references'][ref] + resulting_yaml["references"][ref] = rule_yaml["references"][ref] except KeyError: # reference not found in original rule yaml, trying to use reference from custom rule try: - resulting_yaml['references'][ref] = rule_yaml['references'][ref] + resulting_yaml["references"][ref] = rule_yaml["references"][ref] except KeyError: - resulting_yaml['references'][ref] = og_rule_yaml['references'][ref] - try: - if "custom" in rule_yaml['references']: - resulting_yaml['references']['custom'] = rule_yaml['references']['custom'] - if 'customized' in resulting_yaml: - if 'customized references' not in resulting_yaml['customized']: - resulting_yaml['customized'].append("customized references") + resulting_yaml["references"][ref] = og_rule_yaml["references"][ + ref + ] + try: + if "custom" in rule_yaml["references"]: + resulting_yaml["references"]["custom"] = rule_yaml[ + "references" + ]["custom"] + if "customized" in resulting_yaml: + if ( + "customized references" + not in resulting_yaml["customized"] + ): + resulting_yaml["customized"].append( + "customized references" + ) else: - resulting_yaml['customized'] = ["customized references"] + resulting_yaml["customized"] = ["customized references"] except: pass - - else: + + else: try: if og_rule_yaml[yaml_field] == rule_yaml[yaml_field]: - #print("using default data in yaml field {}".format(yaml_field)) + # print("using default data in yaml field {}".format(yaml_field)) resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] else: - #print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name)) + # print('using CUSTOM value for yaml field {} in rule {}'.format(yaml_field, file_name)) resulting_yaml[yaml_field] = rule_yaml[yaml_field] - if 'customized' in resulting_yaml: - 
resulting_yaml['customized'].append("customized {}".format(yaml_field)) + if "customized" in resulting_yaml: + resulting_yaml["customized"].append( + "customized {}".format(yaml_field) + ) else: - resulting_yaml['customized'] = ["customized {}".format(yaml_field)] + resulting_yaml["customized"] = [ + "customized {}".format(yaml_field) + ] except KeyError: resulting_yaml[yaml_field] = og_rule_yaml[yaml_field] @@ -1115,8 +1230,7 @@ def get_rule_yaml(rule_file, custom=False): def generate_xls(baseline_name, build_path, baseline_yaml): - """Using the baseline yaml file, create an XLS document containing the YAML fields - """ + """Using the baseline yaml file, create an XLS document containing the YAML fields""" baseline_rules = create_rules(baseline_yaml) @@ -1127,10 +1241,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml): # Output files xls_output_file = f"{build_path}/{baseline_name}.xls" - wb = Workbook() - sheet1 = wb.add_sheet('Sheet 1', cell_overwrite_ok=True) + sheet1 = wb.add_sheet("Sheet 1", cell_overwrite_ok=True) topWrap = xlwt.easyxf("align: vert top; alignment: wrap True") top = xlwt.easyxf("align: vert top") headers = xlwt.easyxf("font: bold on") @@ -1150,18 +1263,17 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.write(0, 10, "SRG", headers) sheet1.write(0, 11, "DISA STIG", headers) sheet1.write(0, 12, "CIS Benchmark", headers) - sheet1.write(0, 13, "CIS v8", headers) + sheet1.write(0, 13, "CIS v8", headers) sheet1.write(0, 14, "CCI", headers) sheet1.write(0, 15, "Modifed Rule", headers) sheet1.set_panes_frozen(True) sheet1.set_horz_split_pos(1) sheet1.set_vert_split_pos(2) - for rule in baseline_rules: if rule.rule_id.startswith("supplemental") or rule.rule_id.startswith("srg"): continue - + sheet1.write(counter, 0, rule.rule_cce, top) sheet1.col(0).width = 256 * 15 sheet1.write(counter, 1, rule.rule_id, top) 
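Review bot: The bare `except: pass` around the custom-references merge at the end of the `references` branch swallows every exception, so a malformed custom rule (for example `references:` set to `None`) silently loses its `customized references` marker and any programming error in that block goes unnoticed. Only a missing key or a non-mapping `references` value can raise there, so narrow it to `except (KeyError, TypeError): pass`. Separately, the `except IndexError` fallback for `override_path` itself indexes `[0]` on a glob result and raises an unhandled IndexError when neither pattern matches, and the recursive `**/` pattern already covers the non-recursive one, so the fallback looks redundant; failing with `sys.exit(f"custom rule file not found: {file_name}")` would be clearer than a traceback. get_rule_yaml's signature and return lie outside this hunk.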
@@ -1180,7 +1292,9 @@ def generate_xls(baseline_name, build_path, baseline_yaml): if "permanent" in rule.rule_tags: mechanism = "The control is not able to be configure to meet the requirement. It is recommended to implement a third-party solution to meet the control." if "not_applicable" in rule.rule_tags: - mechanism = " The control is not applicable when configuring a macOS system." + mechanism = ( + " The control is not applicable when configuring a macOS system." + ) sheet1.write(counter, 4, mechanism, top) sheet1.col(4).width = 256 * 25 @@ -1192,9 +1306,13 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.col(6).width = 256 * 25 if rule.rule_mobileconfig: - sheet1.write(counter, 7, format_mobileconfig_fix( - rule.rule_mobileconfig_info), topWrap) - #print(format_mobileconfig_fix(rule.rule_mobileconfig_info)) + sheet1.write( + counter, + 7, + format_mobileconfig_fix(rule.rule_mobileconfig_info), + topWrap, + ) + # print(format_mobileconfig_fix(rule.rule_mobileconfig_info)) # sheet1.write(counter, 7, str( # configProfile(rule_file)), topWrap) 
@@ -1203,69 +1321,66 @@ def generate_xls(baseline_name, build_path, baseline_yaml): sheet1.col(7).width = 1000 * 50 - baseline_refs = ( - str(rule.rule_80053r5)).strip('[]\'') - baseline_refs = baseline_refs.replace(", ", "\n").replace("\'", "") + baseline_refs = (str(rule.rule_80053r5)).strip("[]'") + baseline_refs = baseline_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 8, baseline_refs, topWrap) sheet1.col(8).width = 256 * 15 - nist171_refs = ( - str(rule.rule_800171)).strip('[]\'') - nist171_refs = nist171_refs.replace(", ", "\n").replace("\'", "") + nist171_refs = (str(rule.rule_800171)).strip("[]'") + nist171_refs = nist171_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 9, nist171_refs, topWrap) sheet1.col(9).width = 256 * 15 - srg_refs = (str(rule.rule_srg)).strip('[]\'') - srg_refs = srg_refs.replace(", ", "\n").replace("\'", "") + srg_refs = (str(rule.rule_srg)).strip("[]'") + srg_refs = srg_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 10, srg_refs, topWrap) sheet1.col(10).width = 500 * 15 - disa_refs = (str(rule.rule_disa_stig)).strip('[]\'') - disa_refs = disa_refs.replace(", ", "\n").replace("\'", "") + disa_refs = (str(rule.rule_disa_stig)).strip("[]'") + disa_refs = disa_refs.replace(", ", "\n").replace("'", "") sheet1.write(counter, 11, disa_refs, topWrap) sheet1.col(11).width = 500 * 15 cis = "" - if rule.rule_cis != ['None']: + if rule.rule_cis != ["None"]: for title, ref in rule.rule_cis.items(): if title.lower() == "benchmark": sheet1.write(counter, 12, ref, topWrap) sheet1.col(12).width = 500 * 15 if title.lower() == "controls v8": - cis = (str(ref).strip('[]\'')) + cis = str(ref).strip("[]'") cis = cis.replace(", ", "\n") sheet1.write(counter, 13, cis, topWrap) sheet1.col(13).width = 500 * 15 - cci = (str(rule.rule_cci)).strip('[]\'') - cci = cci.replace(", ", "\n").replace("\'", "") + cci = (str(rule.rule_cci)).strip("[]'") + cci = cci.replace(", ", "\n").replace("'", "") 
sheet1.write(counter, 14, cci, topWrap) sheet1.col(13).width = 400 * 15 - customized = (str(rule.rule_customized)).strip('[]\'') - customized = customized.replace(", ", "\n").replace("\'", "") + customized = (str(rule.rule_customized)).strip("[]'") + customized = customized.replace(", ", "\n").replace("'", "") sheet1.write(counter, 15, customized, topWrap) sheet1.col(14).width = 400 * 15 - if rule.rule_custom_refs != ['None']: + if rule.rule_custom_refs != ["None"]: for title, ref in rule.rule_custom_refs.items(): if title not in custom_ref_column: custom_ref_column[title] = column_counter column_counter = column_counter + 1 - sheet1.write(0, custom_ref_column[title], title, headers) + sheet1.write(0, custom_ref_column[title], title, headers) sheet1.col(custom_ref_column[title]).width = 512 * 25 - added_ref = (str(ref)).strip('[]\'') - added_ref = added_ref.replace(", ", "\n").replace("\'", "") + added_ref = (str(ref)).strip("[]'") + added_ref = added_ref.replace(", ", "\n").replace("'", "") sheet1.write(counter, custom_ref_column[title], added_ref, topWrap) - - tall_style = xlwt.easyxf('font:height 640;') # 36pt + tall_style = xlwt.easyxf("font:height 640;") # 36pt sheet1.row(counter).set_style(tall_style) counter = counter + 1 
@@ -1273,157 +1388,203 @@ def generate_xls(baseline_name, build_path, baseline_yaml): wb.save(xls_output_file) print(f"Finished building {xls_output_file}") + def create_rules(baseline_yaml): - """Takes a baseline yaml file and parses the rules, returns a list of containing rules - """ + """Takes a baseline yaml file and parses the rules, returns a list of containing rules""" all_rules = [] - #expected keys and references - keys = ['mobileconfig', - 'macOS', - 'severity', - 'title', - 'check', - 'fix', - 'tags', - 'id', - 'references', - 'result', - 'discussion', - 'customized'] - references = ['disa_stig', - 'cci', - 'cce', - '800-53r5', - '800-171r2', - 'cis', - 'srg', - 'custom'] - - - for sections in baseline_yaml['profile']: - for profile_rule in sections['rules']: - if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): - rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0] - custom=True - elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0] - custom=False - - #for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): + # expected keys and references + keys = [ + "mobileconfig", + "macOS", + "severity", + "title", + "check", + "fix", + "tags", + "id", + "references", + "result", + "discussion", + "customized", + ] + references = [ + "disa_stig", + "cci", + "cce", + "800-53r5", + "800-171r2", + "cis", + "srg", + "custom", + ] + + for sections in baseline_yaml["profile"]: + for profile_rule in sections["rules"]: + if glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + ): + rule = glob.glob( + "../custom/rules/**/{}.yaml".format(profile_rule), recursive=True + )[0] + custom = True + elif glob.glob("../rules/*/{}.yaml".format(profile_rule)): + rule = glob.glob("../rules/*/{}.yaml".format(profile_rule))[0] + custom = False + 
+ # for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True): rule_yaml = get_rule_yaml(rule, custom) for key in keys: try: rule_yaml[key] except: - #print("{} key missing ..for {}".format(key, rule)) + # print("{} key missing ..for {}".format(key, rule)) rule_yaml.update({key: ""}) if key == "references": for reference in references: try: rule_yaml[key][reference] - #print("FOUND reference {} for key {} for rule {}".format(reference, key, rule)) + # print("FOUND reference {} for key {} for rule {}".format(reference, key, rule)) except: - #print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) + # print("expected reference '{}' is missing in key '{}' for rule{}".format(reference, key, rule)) rule_yaml[key].update({reference: ["None"]}) - all_rules.append(MacSecurityRule(rule_yaml['title'].replace('|', '\|'), - rule_yaml['id'].replace('|', '\|'), - rule_yaml['severity'].replace('|', '\|'), - rule_yaml['discussion'].replace('|', '\|'), - rule_yaml['check'].replace('|', '\|'), - rule_yaml['fix'].replace('|', '\|'), - rule_yaml['references']['cci'], - rule_yaml['references']['cce'], - rule_yaml['references']['800-53r5'], - rule_yaml['references']['800-171r2'], - rule_yaml['references']['disa_stig'], - rule_yaml['references']['srg'], - rule_yaml['references']['cis'], - rule_yaml['references']['custom'], - rule_yaml['tags'], - rule_yaml['result'], - rule_yaml['mobileconfig'], - rule_yaml['mobileconfig_info'], - rule_yaml['customized'] - )) + all_rules.append( + MacSecurityRule( + rule_yaml["title"].replace("|", "\|"), + rule_yaml["id"].replace("|", "\|"), + rule_yaml["severity"].replace("|", "\|"), + rule_yaml["discussion"].replace("|", "\|"), + rule_yaml["check"].replace("|", "\|"), + rule_yaml["fix"].replace("|", "\|"), + rule_yaml["references"]["cci"], + rule_yaml["references"]["cce"], + rule_yaml["references"]["800-53r5"], + 
rule_yaml["references"]["800-171r2"], + rule_yaml["references"]["disa_stig"], + rule_yaml["references"]["srg"], + rule_yaml["references"]["cis"], + rule_yaml["references"]["custom"], + rule_yaml["tags"], + rule_yaml["result"], + rule_yaml["mobileconfig"], + rule_yaml["mobileconfig_info"], + rule_yaml["customized"], + ) + ) return all_rules + def create_args(): - """configure the arguments used in the script, returns the parsed arguements - """ + """configure the arguments used in the script, returns the parsed arguements""" parser = argparse.ArgumentParser( - description='Given a baseline, create guidance documents and files.') - parser.add_argument("baseline", default=None, - help="Baseline YAML file used to create the guide.", type=argparse.FileType('rt')) - parser.add_argument("-c", "--clean", default=None, - help=argparse.SUPPRESS, action="store_true") - parser.add_argument("-d", "--debug", default=None, - help=argparse.SUPPRESS, action="store_true") - parser.add_argument("-l", "--logo", default=None, - help="Full path to logo file to be included in the guide.", action="store") - parser.add_argument("-p", "--profiles", default=None, - help="Generate configuration profiles for the rules.", action="store_true") - parser.add_argument("-r", "--reference", default=None, - help="Use the reference ID instead of rule ID for identification.") - parser.add_argument("-s", "--script", default=None, - help="Generate the compliance script for the rules.", action="store_true") + description="Given a baseline, create guidance documents and files." 
+ ) + parser.add_argument( + "baseline", + default=None, + help="Baseline YAML file used to create the guide.", + type=argparse.FileType("rt"), + ) + parser.add_argument( + "-c", "--clean", default=None, help=argparse.SUPPRESS, action="store_true" + ) + parser.add_argument( + "-d", "--debug", default=None, help=argparse.SUPPRESS, action="store_true" + ) + parser.add_argument( + "-l", + "--logo", + default=None, + help="Full path to logo file to be included in the guide.", + action="store", + ) + parser.add_argument( + "-p", + "--profiles", + default=None, + help="Generate configuration profiles for the rules.", + action="store_true", + ) + parser.add_argument( + "-r", + "--reference", + default=None, + help="Use the reference ID instead of rule ID for identification.", + ) + parser.add_argument( + "-s", + "--script", + default=None, + help="Generate the compliance script for the rules.", + action="store_true", + ) # add gary argument to include tags for XCCDF generation, with a nod to Gary the SCAP guru - parser.add_argument("-g", "--gary", default=None, - help=argparse.SUPPRESS, action="store_true") - parser.add_argument("-x", "--xls", default=None, - help="Generate the excel (xls) document for the rules.", action="store_true") - parser.add_argument("-H", "--hash", default=None, - help="sign the configuration profiles with subject key ID (hash value without spaces)") + parser.add_argument( + "-g", "--gary", default=None, help=argparse.SUPPRESS, action="store_true" + ) + parser.add_argument( + "-x", + "--xls", + default=None, + help="Generate the excel (xls) document for the rules.", + action="store_true", + ) + parser.add_argument( + "-H", + "--hash", + default=None, + help="sign the configuration profiles with subject key ID (hash value without spaces)", + ) return parser.parse_args() + def is_asciidoctor_installed(): - """Checks to see if the ruby gem for asciidoctor is installed - """ - #cmd = "gem list asciidoctor -i" + """Checks to see if the ruby gem for 
asciidoctor is installed""" + # cmd = "gem list asciidoctor -i" cmd = "which asciidoctor" process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) output, error = process.communicate() - + # return path to asciidoctor return output.decode("utf-8").strip() def is_asciidoctor_pdf_installed(): - """Checks to see if the ruby gem for asciidoctor-pdf is installed - """ - #cmd = "gem list asciidoctor-pdf -i" + """Checks to see if the ruby gem for asciidoctor-pdf is installed""" + # cmd = "gem list asciidoctor-pdf -i" cmd = "which asciidoctor-pdf" process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) output, error = process.communicate() return output.decode("utf-8").strip() + def verify_signing_hash(hash): - """Attempts to validate the existence of the certificate provided by the hash - """ + """Attempts to validate the existence of the certificate provided by the hash""" with tempfile.NamedTemporaryFile(mode="w") as in_file: - unsigned_tmp_file_path=in_file.name + unsigned_tmp_file_path = in_file.name in_file.write("temporary file for signing") - + cmd = f"security cms -S -Z {hash} -i {unsigned_tmp_file_path}" - FNULL = open(os.devnull, 'w') + FNULL = open(os.devnull, "w") process = subprocess.Popen(cmd.split(), stdout=FNULL, stderr=FNULL) output, error = process.communicate() if process.returncode == 0: return True else: return False - + + def sign_config_profile(in_file, out_file, hash): - """Signs the configuration profile using the identity associated with the provided hash - """ + """Signs the configuration profile using the identity associated with the provided hash""" cmd = f"security cms -S -Z {hash} -i {in_file} -o {out_file}" process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE) output, error = process.communicate() print(f"Signed Configuration profile written to {out_file}") return output.decode("utf-8") + def parse_custom_references(reference): string = "\n" for item in reference: 
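Review bot: `sign_config_profile` never inspects the exit status of `security cms`, so when signing fails (wrong identity, locked keychain) it still prints `Signed Configuration profile written to ...` and the caller proceeds with a missing or unsigned profile. `verify_signing_hash` has the same shape plus two smaller issues: the temporary file is written but not flushed before `security` reads it (add `in_file.flush()` after the write), and `open(os.devnull, "w")` is never closed (`subprocess.DEVNULL` needs no handle). Both functions build the command as an f-string and `cmd.split()`, so an `in_file`/`out_file` path containing whitespace is split into several arguments; since no shell is involved this is a correctness problem rather than injection, but an explicit argv list avoids it. A rewrite of `sign_config_profile` follows (`sys` is already used by `main`); `verify_signing_hash` would check `returncode` the same way.
```python
def sign_config_profile(in_file, out_file, hash):
    """Signs the configuration profile using the identity associated with the provided hash"""
    cmd = ["security", "cms", "-S", "-Z", hash, "-i", in_file, "-o", out_file]
    process = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if process.returncode != 0:
        sys.exit(f"Signing {in_file} failed: {process.stderr.decode('utf-8').strip()}")
    print(f"Signed Configuration profile written to {out_file}")
    return process.stdout.decode("utf-8")
```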
@@ -1435,6 +1596,7 @@ def parse_custom_references(reference): string += "!" + str(item) + "!* " + str(reference[item]) + "\n" return string + def parse_cis_references(reference): string = "\n" for item in reference: @@ -1450,7 +1612,6 @@ def parse_cis_references(reference): def main(): - args = create_args() if args.debug: logging.basicConfig(level=logging.DEBUG) @@ -1460,7 +1621,7 @@ def main(): try: output_basename = os.path.basename(args.baseline.name) output_filename = os.path.splitext(output_basename)[0] - baseline_name = os.path.splitext(output_basename)[0]#.capitalize() + baseline_name = os.path.splitext(output_basename)[0] # .capitalize() file_dir = os.path.dirname(os.path.abspath(__file__)) parent_dir = os.path.dirname(file_dir) @@ -1475,20 +1636,22 @@ def main(): else: logo = "../../templates/images/mscp_banner.png" - build_path = os.path.join(parent_dir, 'build', f'{baseline_name}') + build_path = os.path.join(parent_dir, "build", f"{baseline_name}") if not (os.path.isdir(build_path)): try: os.makedirs(build_path) except OSError: print(f"Creation of the directory {build_path} failed") - adoc_output_file = open(f"{build_path}/{output_filename}.adoc", 'w') - print('Profile YAML:', args.baseline.name) - print('Output path:', adoc_output_file.name) + adoc_output_file = open(f"{build_path}/{output_filename}.adoc", "w") + print("Profile YAML:", args.baseline.name) + print("Output path:", adoc_output_file.name) if args.hash: signing = True if not verify_signing_hash(args.hash): - sys.exit('Cannot use the provided hash to sign. Please make sure you provide the subject key ID hash from an installed certificate') + sys.exit( + "Cannot use the provided hash to sign. Please make sure you provide the subject key ID hash from an installed certificate" + ) else: signing = False 
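Review bot: In the build-directory setup, a failed `os.makedirs(build_path)` only prints `Creation of the directory {build_path} failed` and execution falls through to `open(f"{build_path}/{output_filename}.adoc", "w")`, which then fails with an unrelated FileNotFoundError. Abort on the error instead, `sys.exit(f"Creation of the directory {build_path} failed")`, or replace the `isdir` check plus call with `os.makedirs(build_path, exist_ok=True)`, which also removes the check-then-create race. `adoc_output_file` is opened without a context manager and its close lies outside this hunk, so I cannot tell whether every exit path closes it. main begins before this hunk and continues after it.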
@@ -1497,123 +1660,125 @@ def main(): log_reference = args.reference else: log_reference = "default" - use_custom_reference = False + use_custom_reference = False except IOError as msg: parser.error(str(msg)) - baseline_yaml = yaml.load(args.baseline, Loader=yaml.SafeLoader) version_file = os.path.join(parent_dir, "VERSION.yaml") with open(version_file) as r: version_yaml = yaml.load(r, Loader=yaml.SafeLoader) - adoc_templates = [ "adoc_rule", - "adoc_supplemental", - "adoc_rule_no_setting", - "adoc_rule_custom_refs", - "adoc_section", - "adoc_header", - "adoc_footer", - "adoc_foreword", - "adoc_scope", - "adoc_authors", - "adoc_acronyms", - "adoc_additional_docs" + adoc_templates = [ + "adoc_rule", + "adoc_supplemental", + "adoc_rule_no_setting", + "adoc_rule_custom_refs", + "adoc_section", + "adoc_header", + "adoc_footer", + "adoc_foreword", + "adoc_scope", + "adoc_authors", + "adoc_acronyms", + "adoc_additional_docs", ] adoc_templates_dict = {} for template in adoc_templates: # custom template exists - if template + ".adoc" in glob.glob1('../custom/templates/', '*.adoc'): + if template + ".adoc" in glob.glob1("../custom/templates/", "*.adoc"): print(f"Custom template found for : {template}") adoc_templates_dict[template] = f"../custom/templates/{template}.adoc" else: adoc_templates_dict[template] = f"../templates/{template}.adoc" - + # Setup AsciiDoc templates - with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file: + with open(adoc_templates_dict["adoc_rule"]) as adoc_rule_file: adoc_rule_template = Template(adoc_rule_file.read()) - with open(adoc_templates_dict['adoc_supplemental']) as adoc_supplemental_file: + with open(adoc_templates_dict["adoc_supplemental"]) as adoc_supplemental_file: adoc_supplemental_template = Template(adoc_supplemental_file.read()) - with open(adoc_templates_dict['adoc_rule_no_setting']) as adoc_rule_no_setting_file: + with open(adoc_templates_dict["adoc_rule_no_setting"]) as adoc_rule_no_setting_file: 
adoc_rule_no_setting_template = Template(adoc_rule_no_setting_file.read()) - - with open(adoc_templates_dict['adoc_rule_custom_refs']) as adoc_rule_custom_refs_file: + + with open( + adoc_templates_dict["adoc_rule_custom_refs"] + ) as adoc_rule_custom_refs_file: adoc_rule_custom_refs_template = Template(adoc_rule_custom_refs_file.read()) - with open(adoc_templates_dict['adoc_section']) as adoc_section_file: + with open(adoc_templates_dict["adoc_section"]) as adoc_section_file: adoc_section_template = Template(adoc_section_file.read()) - with open(adoc_templates_dict['adoc_header']) as adoc_header_file: + with open(adoc_templates_dict["adoc_header"]) as adoc_header_file: adoc_header_template = Template(adoc_header_file.read()) - with open(adoc_templates_dict['adoc_footer']) as adoc_footer_file: + with open(adoc_templates_dict["adoc_footer"]) as adoc_footer_file: adoc_footer_template = Template(adoc_footer_file.read()) - - with open(adoc_templates_dict['adoc_foreword']) as adoc_foreword_file: + + with open(adoc_templates_dict["adoc_foreword"]) as adoc_foreword_file: adoc_foreword_template = adoc_foreword_file.read() + "\n" - with open(adoc_templates_dict['adoc_scope']) as adoc_scope_file: - adoc_scope_template = Template(adoc_scope_file.read() +"\n") - - with open(adoc_templates_dict['adoc_authors']) as adoc_authors_file: + with open(adoc_templates_dict["adoc_scope"]) as adoc_scope_file: + adoc_scope_template = Template(adoc_scope_file.read() + "\n") + + with open(adoc_templates_dict["adoc_authors"]) as adoc_authors_file: adoc_authors_template = Template(adoc_authors_file.read() + "\n") - with open(adoc_templates_dict['adoc_acronyms']) as adoc_acronyms_file: + with open(adoc_templates_dict["adoc_acronyms"]) as adoc_acronyms_file: adoc_acronyms_template = adoc_acronyms_file.read() + "\n" - with open(adoc_templates_dict['adoc_additional_docs']) as adoc_additional_docs_file: + with open(adoc_templates_dict["adoc_additional_docs"]) as adoc_additional_docs_file: 
adoc_additional_docs_template = adoc_additional_docs_file.read() + "\n" # set tag attribute if args.gary: - adoc_tag_show=":show_tags:" + adoc_tag_show = ":show_tags:" else: - adoc_tag_show=":show_tags!:" + adoc_tag_show = ":show_tags!:" - if "STIG" in baseline_yaml['title'].upper(): - adoc_STIG_show=":show_STIG:" + if "STIG" in baseline_yaml["title"].upper(): + adoc_STIG_show = ":show_STIG:" else: - adoc_STIG_show=":show_STIG!:" + adoc_STIG_show = ":show_STIG!:" - if "CIS" in baseline_yaml['title'].upper(): - adoc_cis_show=":show_cis:" + if "CIS" in baseline_yaml["title"].upper(): + adoc_cis_show = ":show_cis:" else: - adoc_cis_show=":show_cis!:" + adoc_cis_show = ":show_cis!:" - if "800" in baseline_yaml['title']: - adoc_171_show=":show_171:" + if "800" in baseline_yaml["title"]: + adoc_171_show = ":show_171:" else: - adoc_171_show=":show_171!:" + adoc_171_show = ":show_171!:" # Create header header_adoc = adoc_header_template.substitute( - profile_title=baseline_yaml['title'], - description=baseline_yaml['description'], - html_header_title=baseline_yaml['title'], - html_title=baseline_yaml['title'].split(':')[0], - html_subtitle=baseline_yaml['title'].split(':')[1], + profile_title=baseline_yaml["title"], + description=baseline_yaml["description"], + html_header_title=baseline_yaml["title"], + html_title=baseline_yaml["title"].split(":")[0], + html_subtitle=baseline_yaml["title"].split(":")[1], logo=logo, tag_attribute=adoc_tag_show, nist171_attribute=adoc_171_show, stig_attribute=adoc_STIG_show, cis_attribute=adoc_cis_show, - version=version_yaml['version'], - os_version=version_yaml['os'], - release_date=version_yaml['date'] + version=version_yaml["version"], + os_version=version_yaml["os"], + release_date=version_yaml["date"], ) # Create scope scope_adoc = adoc_scope_template.substitute( - scope_description=baseline_yaml['description'] + scope_description=baseline_yaml["description"] ) # Create author authors_adoc = adoc_authors_template.substitute( - 
authors_list=baseline_yaml['authors'] + authors_list=baseline_yaml["authors"] ) # Output header 
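Review bot: The `except IOError as msg: parser.error(str(msg))` at the top of this hunk references `parser`, which in the visible code is a local of `create_args()` and is not defined in `main`, so an I/O error on the baseline or logo would surface as a NameError instead of the intended usage message, unless a module-level `parser` exists outside this view. `sys.exit(f"error: {msg}")` is the minimal fix, or have `create_args()` return the parser alongside the parsed args. Also, `html_subtitle=baseline_yaml["title"].split(":")[1]` raises IndexError for a baseline title without a colon; `baseline_yaml["title"].partition(":")[2]` degrades to an empty subtitle instead (it keeps everything after the first colon, which differs only for titles with several). main begins before this hunk and continues after it.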
@@ -1626,177 +1791,181 @@ def main(): adoc_output_file.write(adoc_acronyms_template) adoc_output_file.write(adoc_additional_docs_template) - - # Create sections and rules - for sections in baseline_yaml['profile']: - section_yaml_file = sections['section'].lower() + '.yaml' - #check for custom section - if section_yaml_file in glob.glob1('../custom/sections/', '*.yaml'): - #print(f"Custom settings found for section: {sections['section']}") - override_section = os.path.join( - f'../custom/sections/{section_yaml_file}') + for sections in baseline_yaml["profile"]: + section_yaml_file = sections["section"].lower() + ".yaml" + # check for custom section + if section_yaml_file in glob.glob1("../custom/sections/", "*.yaml"): + # print(f"Custom settings found for section: {sections['section']}") + override_section = os.path.join(f"../custom/sections/{section_yaml_file}") with open(override_section) as r: section_yaml = yaml.load(r, Loader=yaml.SafeLoader) else: - with open(f'../sections/{section_yaml_file}') as s: + with open(f"../sections/{section_yaml_file}") as s: section_yaml = yaml.load(s, Loader=yaml.SafeLoader) # Read section info and output it section_adoc = adoc_section_template.substitute( - section_name=section_yaml['name'], - description=section_yaml['description'] + section_name=section_yaml["name"], description=section_yaml["description"] ) adoc_output_file.write(section_adoc) # Read all rules in the section and output them - for rule in sections['rules']: - logging.debug(f'processing rule id: {rule}') - rule_path = glob.glob('../rules/*/{}.yaml'.format(rule)) + for rule in sections["rules"]: + logging.debug(f"processing rule id: {rule}") + rule_path = glob.glob("../rules/*/{}.yaml".format(rule)) if not rule_path: - print(f"Rule file not found in library, checking in custom folder for rule: {rule}") - rule_path = glob.glob('../custom/rules/**/{}.yaml'.format(rule), recursive=True) + print( + f"Rule file not found in library, checking in custom folder for 
rule: {rule}" + ) + rule_path = glob.glob( + "../custom/rules/**/{}.yaml".format(rule), recursive=True + ) try: - rule_file = (os.path.basename(rule_path[0])) + rule_file = os.path.basename(rule_path[0]) except IndexError: - logging.debug(f'defined rule {rule} does not have valid yaml file, check that rule ID and filename match.') + logging.debug( + f"defined rule {rule} does not have valid yaml file, check that rule ID and filename match." + ) - #check for custom rule - if glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True): + # check for custom rule + if glob.glob("../custom/rules/**/{}".format(rule_file), recursive=True): print(f"Custom settings found for rule: {rule_file}") - #override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - rule_location = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] - custom=True + # override_rule = glob.glob('../custom/rules/**/{}'.format(rule_file), recursive=True)[0] + rule_location = glob.glob( + "../custom/rules/**/{}".format(rule_file), recursive=True + )[0] + custom = True else: rule_location = rule_path[0] - custom=False - + custom = False + rule_yaml = get_rule_yaml(rule_location, custom) # Determine if the references exist and set accordingly try: - rule_yaml['references']['cci'] + rule_yaml["references"]["cci"] except KeyError: - cci = 'N/A' + cci = "N/A" else: - cci = ulify(rule_yaml['references']['cci']) + cci = ulify(rule_yaml["references"]["cci"]) try: - rule_yaml['references']['cce'] + rule_yaml["references"]["cce"] except KeyError: - cce = '- N/A' + cce = "- N/A" else: - cce = ulify(rule_yaml['references']['cce']) + cce = ulify(rule_yaml["references"]["cce"]) try: - rule_yaml['references']['800-53r5'] + rule_yaml["references"]["800-53r5"] except KeyError: - nist_80053r5 = 'N/A' + nist_80053r5 = "N/A" else: - nist_80053r5 = rule_yaml['references']['800-53r5'] - + nist_80053r5 = rule_yaml["references"]["800-53r5"] + try: - 
rule_yaml['references']['800-171r2'] + rule_yaml["references"]["800-171r2"] except KeyError: - nist_800171 = '- N/A' + nist_800171 = "- N/A" else: - nist_800171 = ulify(rule_yaml['references']['800-171r2']) + nist_800171 = ulify(rule_yaml["references"]["800-171r2"]) try: - rule_yaml['references']['disa_stig'] + rule_yaml["references"]["disa_stig"] except KeyError: - disa_stig = '- N/A' + disa_stig = "- N/A" else: - disa_stig = ulify(rule_yaml['references']['disa_stig']) + disa_stig = ulify(rule_yaml["references"]["disa_stig"]) try: - rule_yaml['references']['cis'] + rule_yaml["references"]["cis"] except KeyError: - cis = '- N/A' + cis = "- N/A" else: - cis = parse_cis_references(rule_yaml['references']['cis']) + cis = parse_cis_references(rule_yaml["references"]["cis"]) try: - rule_yaml['references']['srg'] + rule_yaml["references"]["srg"] except KeyError: - srg = '- N/A' + srg = "- N/A" else: - srg = ulify(rule_yaml['references']['srg']) + srg = ulify(rule_yaml["references"]["srg"]) try: - rule_yaml['references']['custom'] + rule_yaml["references"]["custom"] except KeyError: - custom_refs = '' + custom_refs = "" else: - custom_refs = parse_custom_references(rule_yaml['references']['custom']) + custom_refs = parse_custom_references(rule_yaml["references"]["custom"]) try: - rule_yaml['fix'] + rule_yaml["fix"] except KeyError: rulefix = "No fix Found" else: - rulefix = rule_yaml['fix'] # .replace('|', '\|') + rulefix = rule_yaml["fix"] # .replace('|', '\|') try: - rule_yaml['tags'] + rule_yaml["tags"] except KeyError: - tags = 'none' + tags = "none" else: - tags = ulify(rule_yaml['tags']) + tags = ulify(rule_yaml["tags"]) try: - result = rule_yaml['result'] + result = rule_yaml["result"] except KeyError: - result = 'N/A' + result = "N/A" if "integer" in result: - result_value = result['integer'] + result_value = result["integer"] result_type = "integer" elif "boolean" in result: - result_value = result['boolean'] + result_value = result["boolean"] result_type = 
"boolean" elif "string" in result: - result_value = result['string'] + result_value = result["string"] result_type = "string" else: - result_value = 'N/A' + result_value = "N/A" # determine if configprofile try: - rule_yaml['mobileconfig'] + rule_yaml["mobileconfig"] except KeyError: pass else: - if rule_yaml['mobileconfig']: - rulefix = format_mobileconfig_fix( - rule_yaml['mobileconfig_info']) + if rule_yaml["mobileconfig"]: + rulefix = format_mobileconfig_fix(rule_yaml["mobileconfig_info"]) # process nist controls for grouping if not nist_80053r5 == "N/A": nist_80053r5.sort() - res = [list(i) for j, i in groupby( - nist_80053r5, lambda a: a.split('(')[0])] - nist_controls = '' + res = [ + list(i) for j, i in groupby(nist_80053r5, lambda a: a.split("(")[0]) + ] + nist_controls = "" for i in res: nist_controls += group_ulify(i) else: nist_controls = "- N/A" - if 'supplemental' in tags: + if "supplemental" in tags: rule_adoc = adoc_supplemental_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'], + rule_title=rule_yaml["title"].replace("|", "\|"), + rule_id=rule_yaml["id"].replace("|", "\|"), + rule_discussion=rule_yaml["discussion"], ) - elif ('permanent' in tags) or ('inherent' in tags) or ('n_a' in tags): + elif ("permanent" in tags) or ("inherent" in tags) or ("n_a" in tags): rule_adoc = adoc_rule_no_setting_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), - rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_title=rule_yaml["title"].replace("|", "\|"), + rule_id=rule_yaml["id"].replace("|", "\|"), + rule_discussion=rule_yaml["discussion"].replace("|", "\|"), + rule_check=rule_yaml["check"], # .replace('|', '\|'), rule_fix=rulefix, rule_80053r5=nist_controls, rule_800171=nist_800171, 
@@ -1804,14 +1973,14 @@ def main(): rule_cis=cis, rule_cce=cce, rule_tags=tags, - rule_srg=srg + rule_srg=srg, ) elif custom_refs: rule_adoc = adoc_rule_custom_refs_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'],#.replace('|', '\|'), - rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_title=rule_yaml["title"].replace("|", "\|"), + rule_id=rule_yaml["id"].replace("|", "\|"), + rule_discussion=rule_yaml["discussion"], # .replace('|', '\|'), + rule_check=rule_yaml["check"], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, rule_80053r5=nist_controls, @@ -1822,14 +1991,14 @@ def main(): rule_custom_refs=custom_refs, rule_tags=tags, rule_srg=srg, - rule_result=result_value + rule_result=result_value, ) else: rule_adoc = adoc_rule_template.substitute( - rule_title=rule_yaml['title'].replace('|', '\|'), - rule_id=rule_yaml['id'].replace('|', '\|'), - rule_discussion=rule_yaml['discussion'].replace('|', '\|'), - rule_check=rule_yaml['check'], # .replace('|', '\|'), + rule_title=rule_yaml["title"].replace("|", "\|"), + rule_id=rule_yaml["id"].replace("|", "\|"), + rule_discussion=rule_yaml["discussion"].replace("|", "\|"), + rule_check=rule_yaml["check"], # .replace('|', '\|'), rule_fix=rulefix, rule_cci=cci, rule_80053r5=nist_controls, 
@@ -1839,56 +2008,62 @@ def main(): rule_cce=cce, rule_tags=tags, rule_srg=srg, - rule_result=result_value + rule_result=result_value, ) adoc_output_file.write(rule_adoc) # Create footer - footer_adoc = adoc_footer_template.substitute( - ) + footer_adoc = adoc_footer_template.substitute() # Output footer adoc_output_file.write(footer_adoc) adoc_output_file.close() - + if args.profiles: print("Generating configuration profiles...") - generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash) - + generate_profiles( + baseline_name, build_path, parent_dir, baseline_yaml, signing, args.hash + ) + if args.script: print("Generating compliance script...") generate_script(baseline_name, build_path, baseline_yaml, log_reference) default_audit_plist(baseline_name, build_path, baseline_yaml) - + if args.xls: - print('Generating excel document...') + print("Generating excel document...") generate_xls(baseline_name, build_path, baseline_yaml) asciidoctor_path = is_asciidoctor_installed() if asciidoctor_path != "": - print('Generating HTML file from AsciiDoc...') - cmd = f"{asciidoctor_path} \'{adoc_output_file.name}\'" + print("Generating HTML file from AsciiDoc...") + cmd = f"{asciidoctor_path} '{adoc_output_file.name}'" process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) process.communicate() else: - print("If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor") - + print( + "If you would like to generate the HTML file from the AsciiDoc file, install the ruby gem for asciidoctor" + ) + asciidoctorPDF_path = is_asciidoctor_pdf_installed() # Don't create PDF if we are generating SCAP if not args.gary: asciidoctorPDF_path = is_asciidoctor_pdf_installed() if asciidoctorPDF_path != "": - print('Generating PDF file from AsciiDoc...') - cmd = f"{asciidoctorPDF_path} \'{adoc_output_file.name}\'" + print("Generating PDF file from AsciiDoc...") + cmd = f"{asciidoctorPDF_path} 
'{adoc_output_file.name}'" process = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) process.communicate() else: - print("If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf") + print( + "If you would like to generate the PDF file from the AsciiDoc file, install the ruby gem for asciidoctor-pdf" + ) # finally revert back to the prior directory os.chdir(original_working_directory) + if __name__ == "__main__": main() diff --git a/scripts/generate_mapping.py b/scripts/generate_mapping.py index 19ce56c..48203a6 100755 --- a/scripts/generate_mapping.py +++ b/scripts/generate_mapping.py @@ -1,31 +1,34 @@ #!/usr/bin/env python3 -import sys +import argparse import csv -import os -import io import glob -import yaml +import io +import os import re -import argparse +import sys from pathlib import Path -def sort_nicely( l ): -# """ Sort the given list in the way that humans expect. -# """ +import yaml + + +def sort_nicely(l): + # """ Sort the given list in the way that humans expect. + # """ convert = lambda text: int(text) if text.isdigit() else text - alphanum_key = lambda key: [ convert(c) for c in re.split('([0-9]+)', key) ] - l.sort( key=alphanum_key ) + alphanum_key = lambda key: [convert(c) for c in re.split("([0-9]+)", key)] + l.sort(key=alphanum_key) def main(): file_dir = os.path.dirname(os.path.abspath(__file__)) - - os.chdir(file_dir) + + os.chdir(file_dir) nist_header = "" other_header = "" sub_directory = "" + def dir_path(string): if os.path.isdir(string): return string 
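Review bot: `cmd = f"{asciidoctor_path} '{adoc_output_file.name}'"` handed to `subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)` interpolates the output file name into a shell command line, so a name containing a single quote breaks the quoting, and `process.communicate()` discards the exit status, so a failed conversion goes unnoticed. Pass an argv list and check the result instead: `subprocess.run([asciidoctor_path, adoc_output_file.name], check=True)`, and the same for the asciidoctor-pdf invocation below it. `asciidoctorPDF_path = is_asciidoctor_pdf_installed()` is also evaluated twice, once before and once inside `if not args.gary:`; the outer call is redundant. `main()` begins outside this hunk.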
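Review bot: `sort_nicely(l)` carries its docstring as two `#` comments, so `help()` and IDEs see an undocumented function; restore it as a real docstring, e.g. `"""Sort the given list in place in the way that humans expect."""`. The in-place detail matters because the body ends with `l.sort(key=alphanum_key)` and returns `None`, so callers must not use the return value. The two lambdas bound to `convert` and `alphanum_key` would be clearer as small `def`s.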
@@ -34,176 +37,248 @@ def dir_path(string): home = str(Path.home()) - parser = argparse.ArgumentParser(description='Easily generate custom rules from compliance framework mappings') - parser.add_argument("CSV", default=None, help="CSV to create custom rule files from a mapping.", type=argparse.FileType('rt')) - parser.add_argument("-f", "--framework", default="800-53r5", help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", action="store") - + parser = argparse.ArgumentParser( + description="Easily generate custom rules from compliance framework mappings" + ) + parser.add_argument( + "CSV", + default=None, + help="CSV to create custom rule files from a mapping.", + type=argparse.FileType("rt"), + ) + parser.add_argument( + "-f", + "--framework", + default="800-53r5", + help="Specify framework for the source. If no framework is specified, the default is 800-53r5.", + action="store", + ) + try: results = parser.parse_args() print("Mapping CSV: " + results.CSV.name) print("Source compliance framework: " + str(results.framework)) - except IOError as msg: - parser.error(str(msg)) - - for rule in glob.glob('../rules/*/*.yaml'): + + for rule in glob.glob("../rules/*/*.yaml"): sub_directory = rule.split(".yaml")[0].split("/")[2] - + if "supplemental" in rule or "srg" in rule: continue - + with open(rule) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - - + control_array = [] - with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: - csv_reader = csv.DictReader(csvfile,dialect='excel') + with open(results.CSV.name, newline="", encoding="utf-8-sig") as csvfile: + csv_reader = csv.DictReader(csvfile, dialect="excel") modded_reader = csv_reader dict_from_csv = dict(list(modded_reader)[0]) - list_of_column_names = list(dict_from_csv.keys()) - nist_header = list_of_column_names[1] other_header = list_of_column_names[0] - - - - with open(results.CSV.name, newline='',encoding='utf-8-sig') as csvfile: - reader = 
csv.DictReader(csvfile,dialect='excel') - + with open(results.CSV.name, newline="", encoding="utf-8-sig") as csvfile: + reader = csv.DictReader(csvfile, dialect="excel") + for row in reader: - if results.framework != nist_header: sys.exit(str(results.framework) + " not found in CSV") if "N/A" in row[nist_header]: continue - controls = row[nist_header].split(',') + controls = row[nist_header].split(",") duplicate = "" csv_duplicate = "" for control in controls: - - try: - rule_yaml['references'] - - if "/" in str(results.framework): - - framework_main = results.framework.split("/")[0] - framework_sub = results.framework.split("/")[1] - - for yaml_control in rule_yaml['references'][framework_main][framework_sub]: - if duplicate == str(yaml_control).split("(")[0]: - continue - if csv_duplicate == str(row[other_header]): - - continue - if control.replace(" ",'') == str(yaml_control): - - duplicate = str(yaml_control).split("(")[0] - csv_duplicate = str(row[other_header]) - - row_array = str(row[other_header]).split(",") - for item in row_array: - control_array.append(item) - print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) - else: - - for yaml_control in rule_yaml['references'][results.framework]: - if duplicate == str(yaml_control).split("(")[0]: - continue - if csv_duplicate == str(row[other_header]): - continue - - if control.replace(" ",'') == str(yaml_control): - duplicate = str(yaml_control).split("(")[0] - csv_duplicate = str(row[other_header]) - row_array = str(row[other_header]).split(",") - for item in row_array: - control_array.append(item) - print(rule_yaml['id'] + " - " + str(results.framework) + " " + str(yaml_control) + " maps to " + other_header + " " + item) - - except: - continue - + try: + rule_yaml["references"] + + if "/" in str(results.framework): + framework_main = results.framework.split("/")[0] + framework_sub = results.framework.split("/")[1] + + for yaml_control in 
rule_yaml["references"][framework_main][ + framework_sub + ]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + if control.replace(" ", "") == str(yaml_control): + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print( + rule_yaml["id"] + + " - " + + str(results.framework) + + " " + + str(yaml_control) + + " maps to " + + other_header + + " " + + item + ) + else: + for yaml_control in rule_yaml["references"][ + results.framework + ]: + if duplicate == str(yaml_control).split("(")[0]: + continue + if csv_duplicate == str(row[other_header]): + continue + + if control.replace(" ", "") == str(yaml_control): + duplicate = str(yaml_control).split("(")[0] + csv_duplicate = str(row[other_header]) + row_array = str(row[other_header]).split(",") + for item in row_array: + control_array.append(item) + print( + rule_yaml["id"] + + " - " + + str(results.framework) + + " " + + str(yaml_control) + + " maps to " + + other_header + + " " + + item + ) + + except: + continue + if len(control_array) == 0: continue - - custom_rule = '''references: + + custom_rule = """references: custom: - {}:'''.format(other_header) - + {}:""".format( + other_header + ) + for control in control_array: - custom_rule = custom_rule + ''' - - {}'''.format(control) - - custom_rule = custom_rule + ''' + custom_rule = ( + custom_rule + + """ + - {}""".format( + control + ) + ) + + custom_rule = ( + custom_rule + + """ tags: - - {}'''.format(other_header) - + - {}""".format( + other_header + ) + ) + if os.path.isdir("../build/" + other_header) == False: os.mkdir("../build/" + other_header) if os.path.isdir("../build/" + other_header + "/rules/") == False: os.mkdir("../build/" + other_header + "/rules/") - if os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) == False: + if ( + 
os.path.isdir("../build/" + other_header + "/rules/" + sub_directory) + == False + ): os.mkdir("../build/" + other_header + "/rules/" + sub_directory) - - try: - with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as r: + + try: + with open( + "../build/" + + other_header + + "/rules/" + + sub_directory + + "/" + + rule_yaml["id"] + + ".yaml", + "w", + ) as r: custom_yaml = r.read() custom_yaml = custom_yaml.replace(other_header + ": ", custom_rule) - with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: + with open( + "../build/" + + other_header + + "/rules/" + + sub_directory + + "/" + + rule_yaml["id"] + + ".yaml", + "w", + ) as fw: fw.write(custom_yaml) except: - with open("../build/" + other_header + "/rules/" + sub_directory + "/" + rule_yaml['id'] + ".yaml", 'w') as fw: - fw.write(custom_rule) + with open( + "../build/" + + other_header + + "/rules/" + + sub_directory + + "/" + + rule_yaml["id"] + + ".yaml", + "w", + ) as fw: + fw.write(custom_rule) - for rule in glob.glob("../build/" + other_header + "/rules/*/*"): if "supplemental" in rule or "srg" in rule: continue - + with open(rule) as r: custom_rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) othercontrols = [] - - if other_header in custom_rule_yaml['references']['custom']: - - for control in custom_rule_yaml['references']['custom'][other_header]: - + + if other_header in custom_rule_yaml["references"]["custom"]: + for control in custom_rule_yaml["references"]["custom"][other_header]: if str(control) in othercontrols: continue else: - othercontrols.append(str(control)) sort_nicely(othercontrols) refs = " " - custom_rule = '''references: + custom_rule = """references: custom: - {}:'''.format(other_header) - + {}:""".format( + other_header + ) + for control in othercontrols: - custom_rule = custom_rule + ''' - - {}'''.format(control) - - custom_rule = custom_rule + ''' + custom_rule = ( + 
custom_rule + + """ + - {}""".format( + control + ) + ) + + custom_rule = ( + custom_rule + + """ tags: - - {}'''.format(other_header) - - with open(rule, 'w') as rite: - rite.write(custom_rule) - + - {}""".format( + other_header + ) + ) + + with open(rule, "w") as rite: + rite.write(custom_rule) audit = [] auth = [] @@ -215,29 +290,28 @@ def dir_path(string): na = [] perm = [] - for rule in glob.glob('../build/' + other_header + '/rules/*/*.yaml'): + for rule in glob.glob("../build/" + other_header + "/rules/*/*.yaml"): if "supplemental" in rule or "srg" in rule or "baseline" in rule: continue with open(rule) as r: custom_rule = yaml.load(r, Loader=yaml.SafeLoader) rule_id = rule.split(".yaml")[0].split("/")[5] - - - if other_header in custom_rule['tags']: - if "inherent" in rule_yaml['tags']: + + if other_header in custom_rule["tags"]: + if "inherent" in rule_yaml["tags"]: inherent.append(rule_id) continue - if "permanent" in custom_rule['tags']: + if "permanent" in custom_rule["tags"]: perm.append(rule_id) continue - if "n_a" in custom_rule['tags']: + if "n_a" in custom_rule["tags"]: na.append(rule_id) continue - + if "/audit/" in rule: audit.append(rule_id) - + continue if "/auth/" in rule: auth.append(rule_id) 
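Review bot: The merge path in the `try:` opens the custom rule file with `"w"` and then calls `r.read()`: the open truncates any existing file and the read raises `io.UnsupportedOperation`, which the bare `except:` swallows before the fallback rewrites the file from `custom_rule` alone, so existing content is never merged. Change the first `open(...)` to read mode, `"r",` in place of `"w",`, and narrow the handler to `except FileNotFoundError:` so real errors surface. The `try: rule_yaml["references"] ... except: continue` around the control loop likewise hides every exception, including typos in framework names; catch `KeyError` explicitly. The `os.path.isdir(...) == False` / `os.mkdir(...)` pairs can each become `os.makedirs(path, exist_ok=True)`. `main()` begins and ends outside this hunk.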
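Review bot: `if "inherent" in rule_yaml["tags"]:` reads `rule_yaml`, the last rule loaded by the earlier loop, while the sibling `permanent` and `n_a` checks read `custom_rule["tags"]`, so the inherent classification appears to be decided by an unrelated, stale rule; this looks like it should be `if "inherent" in custom_rule["tags"]:`. `rule_id = rule.split(".yaml")[0].split("/")[5]` also depends on the exact depth of the `"../build/..."` path; `os.path.splitext(os.path.basename(rule))[0]` yields the same id without that assumption. The enclosing function continues outside this hunk.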
@@ -255,117 +329,204 @@ def dir_path(string): sysprefs.append(rule_id) continue - full_baseline = '''title: "macOS 12 (Monterey): Security Configuration - {}" + full_baseline = """title: "macOS 12 (Monterey): Security Configuration - {}" description: | This guide describes the actions to take when securing a macOS 12 system against the {}. authors: | |=== |Name|Organization |=== -profile:'''.format(other_header,other_header) - +profile:""".format( + other_header, other_header + ) + if len(audit) != 0: - - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "Auditing" - rules:''' + rules:""" + ) audit.sort() for rule in audit: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(auth) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "Authentication" - rules:''' + rules:""" + ) auth.sort() - + for rule in auth: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(sysprefs) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "SystemPreferences" - rules:''' + rules:""" + ) sysprefs.sort() - + for rule in sysprefs: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(icloud) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "iCloud" - rules:''' + rules:""" + ) icloud.sort() for rule in icloud: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(os_section) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "macOS" - rules:''' + rules:""" + ) os_section.sort() for rule in 
os_section: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(pwpolicy) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "PasswordPolicy" - rules:''' + rules:""" + ) pwpolicy.sort() for rule in pwpolicy: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(inherent) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "Inherent" - rules:''' + rules:""" + ) inherent.sort() for rule in inherent: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(perm) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "Permanent" - rules:''' + rules:""" + ) perm.sort() for rule in perm: - full_baseline = full_baseline + ''' - - {}'''.format(rule) + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) if len(na) != 0: - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ - section: "not_applicable" - rules:''' + rules:""" + ) na.sort() for rule in na: - full_baseline = full_baseline + ''' - - {}'''.format(rule) - - full_baseline = full_baseline + ''' + full_baseline = ( + full_baseline + + """ + - {}""".format( + rule + ) + ) + + full_baseline = ( + full_baseline + + """ - section: "Supplemental" rules: - supplemental_firewall_pf - supplemental_password_policy - supplemental_smartcard - ''' - - - + """ + ) if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: os.mkdir("../build/" + other_header.lower() + "/baseline") - with open("../build/" + other_header.lower() + "/baseline/" + other_header.lower() + ".yaml",'w') as fw: + with open( + "../build/" + + other_header.lower() + + "/baseline/" + + 
other_header.lower() + + ".yaml", + "w", + ) as fw: fw.write(full_baseline) - print(other_header.lower() + ".yaml baseline file created in build/" + other_header + "/baseline/") - + print( + other_header.lower() + + ".yaml baseline file created in build/" + + other_header + + "/baseline/" + ) + print("Move all of the folders in rules into the custom folder.") + + if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/scripts/generate_oval.py b/scripts/generate_oval.py index f2268ce..16484fc 100755 --- a/scripts/generate_oval.py +++ b/scripts/generate_oval.py 
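Review bot: `if os.path.isdir("../build/" + other_header.lower() + "/baseline/") == False: os.mkdir(...)` compares a bool to `False` and checks-then-creates; `os.makedirs("../build/" + other_header.lower() + "/baseline", exist_ok=True)` is the idiomatic single line and also tolerates a directory created in between. The ten `if len(section) != 0:` blocks that append a `- section:` header and its sorted rule ids to `full_baseline` are identical apart from the list and the section name; a small helper taking `(baseline, name, rules)` that returns the extended string would remove the repetition, with the exact template whitespace preserved from one of the existing literals. The `"macOS 12 (Monterey)"` title is hard-coded in the template; if the script is meant for other releases it belongs in an argument. The enclosing function begins outside this hunk.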
@@ -1,37 +1,42 @@ #!/usr/bin/env python3 import argparse -import sys +import glob import os import os.path -import yaml -import glob import re +import shutil +import sys import warnings -from pathlib import Path from datetime import datetime -import shutil +from pathlib import Path from time import sleep -warnings.filterwarnings("ignore", category=DeprecationWarning) +import yaml + +warnings.filterwarnings("ignore", category=DeprecationWarning) def main(): now = datetime.now() date_time_string = now.strftime("%Y-%m-%dT%H:%M:%S") output = "" - parser = argparse.ArgumentParser(description='Given a profile, create oval checks.') - parser.add_argument("baseline", default=None, help="Baseline YAML file used to create the oval.", type=argparse.FileType('rt')) + parser = argparse.ArgumentParser(description="Given a profile, create oval checks.") + parser.add_argument( + "baseline", + default=None, + help="Baseline YAML file used to create the oval.", + type=argparse.FileType("rt"), + ) results = parser.parse_args() try: - output_basename = os.path.basename(results.baseline.name) output_filename = os.path.splitext(output_basename)[0] baseline_name = os.path.splitext(output_basename)[0] file_dir = os.path.dirname(os.path.abspath(__file__)) parent_dir = os.path.dirname(file_dir) - - build_path = os.path.join(parent_dir, 'build', f'{baseline_name}') + + build_path = os.path.join(parent_dir, "build", f"{baseline_name}") output = build_path + "/" + baseline_name + ".xml" if not (os.path.isdir(build_path)): 
@@ -39,114 +44,150 @@ def main(): os.makedirs(build_path) except OSError: print(f"Creation of the directory {build_path} failed") - print('Profile YAML:', results.baseline.name) - print('Output path:', output) - - - + print("Profile YAML:", results.baseline.name) + print("Output path:", output) + except IOError as msg: parser.error(str(msg)) profile_yaml = yaml.load(results.baseline, Loader=yaml.SafeLoader) - + x = 1 - ovalPrefix = ''' - + + xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"> 5.11.2 {} Copyright (c) 2020, NIST. macOS Security Compliance Project - '''.format(date_time_string) + """.format( + date_time_string + ) oval_definition = str() oval_test = str() oval_object = str() oval_state = str() oval_variable = str() print() - for sections in profile_yaml['profile']: - for profile_rule in sections['rules']: - for rule_file in glob.glob('../rules/*/{}.yaml'.format(profile_rule)): - + for sections in profile_yaml["profile"]: + for profile_rule in sections["rules"]: + for rule_file in glob.glob("../rules/*/{}.yaml".format(profile_rule)): if "srg" in rule_file or "supplemental" in rule_file: continue with open(rule_file) as r: rule_yaml = yaml.load(r, Loader=yaml.SafeLoader) - if "inherent" in rule_yaml['tags'] or "n_a" in rule_yaml['tags'] or "permanent" in rule_yaml['tags']: + if ( + "inherent" in rule_yaml["tags"] + or "n_a" in rule_yaml["tags"] + or "permanent" in rule_yaml["tags"] + ): continue - if "time_machine" in rule_yaml['id'] and "encrypted" in rule_yaml['id']: - print(rule_yaml['id'] + " - Manual Check Required") + if "time_machine" in rule_yaml["id"] and "encrypted" in rule_yaml["id"]: + print(rule_yaml["id"] + " - Manual Check Required") continue - if "bluetooth" in rule_yaml['id'] and "unpaired" in rule_yaml['id']: - print(rule_yaml['id'] + " - Manual Check Required") + if "bluetooth" in rule_yaml["id"] and "unpaired" in rule_yaml["id"]: + print(rule_yaml["id"] + " - Manual Check Required") continue - if 
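Review bot: `warnings.filterwarnings("ignore", category=DeprecationWarning)` at module level silences every DeprecationWarning in the process, including ones that would point at this script's own code; scope it with a `module=` argument or wrap only the call it was added for in `with warnings.catch_warnings():`. `output_filename` and `baseline_name` appear to be assigned the same expression, `os.path.splitext(output_basename)[0]`; one of them looks redundant. `main()` continues outside this hunk.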
rule_yaml['check'][0] != "/" and "[source,bash]" not in rule_yaml['fix']: - print(rule_yaml['id'] + " - Manual Check") + if ( + rule_yaml["check"][0] != "/" + and "[source,bash]" not in rule_yaml["fix"] + ): + print(rule_yaml["id"] + " - Manual Check") continue - if "hint" in rule_yaml['check'] and "dscl" in rule_yaml['check']: - print(rule_yaml['id'] + " - no relevant oval") + if "hint" in rule_yaml["check"] and "dscl" in rule_yaml["check"]: + print(rule_yaml["id"] + " - no relevant oval") continue - if "manual" in rule_yaml['tags']: - print(rule_yaml['id'] + " - Manual Check") + if "manual" in rule_yaml["tags"]: + print(rule_yaml["id"] + " - Manual Check") continue - if "eficheck" in rule_yaml['check']: - print(rule_yaml['id'] + " - eficheck - no relevant oval") + if "eficheck" in rule_yaml["check"]: + print(rule_yaml["id"] + " - eficheck - no relevant oval") continue - if "newsyslog.conf" in rule_yaml['check'] or "asl.conf" in rule_yaml['check'] or "aslmanager" in rule_yaml['check']: - print(rule_yaml['id'] + " - Manual Check Required") + if ( + "newsyslog.conf" in rule_yaml["check"] + or "asl.conf" in rule_yaml["check"] + or "aslmanager" in rule_yaml["check"] + ): + print(rule_yaml["id"] + " - Manual Check Required") continue - if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml['check']: - print(rule_yaml['id'] + " - pwpolicy getaccountpolicies - no relevant oval") + if "/usr/bin/pwpolicy getaccountpolicies" in rule_yaml["check"]: + print( + rule_yaml["id"] + + " - pwpolicy getaccountpolicies - no relevant oval" + ) continue - if "find" in rule_yaml['check'].split(" ")[0]: - print(rule_yaml['id'] + " - no relevant oval") + if "find" in rule_yaml["check"].split(" ")[0]: + print(rule_yaml["id"] + " - no relevant oval") continue if "os_home_folders_secure" in rule_file: - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - 
'''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'], rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - + .* oval:mscp:ste:{} - '''.format(rule_yaml['id'],x,x,x+999,x+999) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, x, x + 999, x + 999 + ) + ) + + oval_state = ( + oval_state + + """ true true 
@@ -164,61 +205,91 @@ def main(): 0 0 /usr/bin/false - '''.format(rule_yaml['id'],x,x+999) - - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], x, x + 999 + ) + ) + + oval_variable = ( + oval_variable + + """ - '''.format(x,x+999) + """.format( + x, x + 999 + ) + ) x = x + 1 continue - - if rule_yaml['mobileconfig']: - if "spctl" in rule_yaml['check']: - - if "verbose" in rule_yaml['check']: + + if rule_yaml["mobileconfig"]: + if "spctl" in rule_yaml["check"]: + if "verbose" in rule_yaml["check"]: continue else: - - oval_definition = oval_definition + ''' - - + oval_definition = ( + oval_definition + + """ + + {} - {} - + {} + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(x,rule_yaml['id']) - - oval_state = oval_state + ''' + """.format( + x, rule_yaml["id"] + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) - x += 1 continue - - for payload_type, info in rule_yaml['mobileconfig_info'].items(): + + for payload_type, info in rule_yaml["mobileconfig_info"].items(): if payload_type == "com.apple.systempolicy.control": continue if payload_type == "com.apple.ManagedClient.preferences": for payload_domain, settings in info.items(): - for key, value in settings.items(): state_kind = "" if type(value) == bool: 
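Review bot: `rule_yaml["references"]["cce"][0]` is indexed without any guard in both `.format()` calls of this hunk (the os_home_folders_secure and spctl definitions), and the same pattern recurs in the hunks at lines 419, 420, 426, 427 and 429, so a rule whose `references` has no `cce` entry or an empty list aborts the whole run with KeyError/IndexError instead of being reported and skipped like the manual-check cases are. A single lookup with a fallback, `cce = (rule_yaml.get("references", {}).get("cce") or ["CCE-missing"])[0]`, used in place of the repeated subscript would make that failure mode visible in the output rather than fatal. The title and discussion are also interpolated verbatim into what appear to be OVAL XML templates; wrapping them as `escape(rule_yaml["discussion"])` from `xml.sax.saxutils` would keep a `&` or `<` in a rule's prose from producing malformed XML. The enclosing rule loop starts outside this hunk.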
@@ -228,31 +299,48 @@ def main(): elif type(value) == str: state_kind = "string" - oval_definition = oval_definition + ''' - - + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - - - '''.format(rule_yaml['id'],x,x,x) + + + """.format( + rule_yaml["id"], x, x, x + ) + ) if payload_domain == "com.apple.dock": - - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.loginwindow.plist /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() 
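Review bot: `state_kind` stays `""` when `value` is neither bool, int nor str, because the `elif type(value) == str:` chain at the top of this hunk has no `else`, yet the definition and test for that key are still appended below it, so a list-valued ManagedClient preference ends up with a state whose datatype is empty (the state itself is emitted in the next hunk). An explicit skip before the `oval_definition` append, `else: print(rule_yaml["id"] + " - unsupported value type for " + key)` followed by `continue`, would keep the generated document consistent. As a point of style, `isinstance(value, bool)` reads better than `type(value) == bool`; if it is adopted the bool check must stay ahead of the int check, since bool is a subclass of int. The enclosing `for key, value in settings.items()` loop starts outside this hunk.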
@@ -260,350 +348,596 @@ def main(): //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(x+1999,key,x,x,key) - - oval_variable = oval_variable + ''' + """.format( + x + 1999, key, x, x, key + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Managed Preferences/ /com.apple.dock.plist - '''.format(x,x+1999) + """.format( + x, x + 1999 + ) + ) else: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ /Library/Managed Preferences/{}.plist //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(rule_yaml['id'],x,payload_domain,key) - - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, payload_domain, key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) x += 1 continue for key, value in info.items(): - if key == "familyControlsEnabled": xpath_search = "" if len(info) > 1: - - xpath_search = info['pathBlackList'] - oval_definition = oval_definition + ''' - - - {} + xpath_search = info["pathBlackList"] + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ /Library/Managed Preferences/com.apple.applicationaccess.new.plist boolean(plist/dict/array/string/text() = "{}") - '''.format(rule_yaml['id'],x,str(xpath_search).replace('[',"").replace(']',"").replace("'","")) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], 
+ x, + str(xpath_search) + .replace("[", "") + .replace("]", "") + .replace("'", ""), + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'],x) - + """.format( + rule_yaml["id"], x + ) + ) + x = x + 1 continue else: - - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) - + /Library/Managed Preferences/{}.plist""".format( + rule_yaml["id"], x, payload_type + ) + ) + state_kind = "" if type(value) == bool: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) -'''.format(key) +""".format( + key + ) + ) state_kind = "boolean" elif type(value) == int: state_kind = "int" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) +""".format( + key + ) + ) elif type(value) == str: state_kind = "string" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) - - oval_state = oval_state + ''' +""".format( + key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) x = x + 1 continue if payload_type == 
"com.apple.finder": - oval_definition = oval_definition + ''' - - + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.loginwindow.plist /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - '''.format(x+1999,rule_yaml['id'],x,x) - + """.format( + x + 1999, rule_yaml["id"], x, x + ) + ) + state_kind = "" if type(value) == bool: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) -'''.format(key) +""".format( + key + ) + ) state_kind = "boolean" elif type(value) == int: state_kind = "int" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) +""".format( + key + ) + ) elif type(value) == str: state_kind = "string" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) - - oval_state = oval_state + ''' +""".format( + key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) - - - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Managed Preferences/ /com.apple.finder.plist - '''.format(x,x+1999) + """.format( + x, x + 1999 + ) + ) x += 1 continue - + if 
payload_type == "com.apple.DiscRecording": - oval_definition = oval_definition + ''' - - + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.loginwindow.plist /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - '''.format(x+1999,rule_yaml['id'],x,x) - + """.format( + x + 1999, rule_yaml["id"], x, x + ) + ) + state_kind = "" if type(value) == bool: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) -'''.format(key) +""".format( + key + ) + ) state_kind = "boolean" elif type(value) == int: state_kind = "int" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) +""".format( + key + ) + ) elif type(value) == str: state_kind = "string" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) - - oval_state = oval_state + ''' +""".format( + key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) - - - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Managed Preferences/ /com.apple.DiscRecording.plist - '''.format(x,x+1999) + """.format( + x, x + 1999 + ) + 
) x += 1 - continue - if payload_type == "com.apple.Safari" and key == "AutoOpenSafeDownloads": - oval_definition = oval_definition + ''' - - + continue + if ( + payload_type == "com.apple.Safari" + and key == "AutoOpenSafeDownloads" + ): + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.loginwindow.plist /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() - '''.format(x+1999,rule_yaml['id'],x,x) - + """.format( + x + 1999, rule_yaml["id"], x, x + ) + ) + state_kind = "" if type(value) == bool: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) -'''.format(key) +""".format( + key + ) + ) state_kind = "boolean" elif type(value) == int: state_kind = "int" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) +""".format( + key + ) + ) elif type(value) == str: state_kind = "string" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() -'''.format(key) - - oval_state = oval_state + ''' +""".format( + key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) - - - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) + + 
oval_variable = ( + oval_variable + + """ /Library/Managed Preferences/ /com.apple.Safari.plist - '''.format(x,x+1999) + """.format( + x, x + 1999 + ) + ) x += 1 - continue - if payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes": - - oval_definition = oval_definition + ''' - - + continue + if ( + payload_type == "com.apple.systempreferences" + and key == "DisabledPreferencePanes" + or payload_type == "com.apple.systempreferences" + and key == "HiddenPreferencePanes" + ): + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.loginwindow.plist /plist/dict/key[string()="lastUserName"]/following-sibling::*[1]/text() 
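Review bot: The compound condition at the end of this hunk, `payload_type == "com.apple.systempreferences" and key == "DisabledPreferencePanes" or payload_type == "com.apple.systempreferences" and key == "HiddenPreferencePanes"`, depends on `and` binding tighter than `or`; black only wrapped it in parentheses, so the intent is still implicit. `if payload_type == "com.apple.systempreferences" and key in ("DisabledPreferencePanes", "HiddenPreferencePanes"):` says the same thing without relying on precedence. Earlier in the hunk, `str(xpath_search).replace("[", "").replace("]", "").replace("'", "")` turns the `pathBlackList` list into text by deleting repr punctuation, which also silently mangles any path that itself contains `'`, `[` or `]`; `", ".join(xpath_search)` states what is meant, assuming the YAML value is a list of strings. The finder, DiscRecording and Safari branches in this hunk are otherwise verbatim copies differing only in the plist name and would collapse into one helper parameterised on that name. The systempreferences branch body continues in the next hunk.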
@@ -611,30 +945,48 @@ def main(): /plist/dict/key[string()="{}"]/following-sibling::*[1]/string[string()="{}"]/text() - - '''.format(x+1999,rule_yaml['id'],x,x,key,str(value).strip('[]').strip("'")) - - - oval_state = oval_state + ''' - + + """.format( + x + 1999, + rule_yaml["id"], + x, + x, + key, + str(value).strip("[]").strip("'"), + ) + ) + + oval_state = ( + oval_state + + """ + {} - - '''.format(rule_yaml['id'],x,str(value).strip('[]').strip("'")) - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], + x, + str(value).strip("[]").strip("'"), + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Managed Preferences/ /com.apple.systempreferences.plist - '''.format(x,x+1999) + """.format( + x, x + 1999 + ) + ) x += 1 continue - state_kind = "" if type(value) == bool: state_kind = "boolean" 
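Review bot: `str(value).strip("[]").strip("'")` is used twice in this hunk to place a YAML list into what appears to be an XPath string comparison (`string[string()="{}"]`); that works only for a one-element list, because with two or more panes the inner `', '` separators survive and the generated expression can never match. Either iterate the list and emit one object/state per pane, or reject the case explicitly with `if isinstance(value, list) and len(value) != 1:` followed by `print(rule_yaml["id"] + " - multiple panes, manual check")` and `continue`, so the generator reports it instead of producing a check that silently fails. The same conversion is done once for the object and once for the state; computing it into a local first would also keep the two in step.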
@@ -643,85 +995,136 @@ def main(): elif type(value) == str: state_kind = "string" else: - continue - - oval_definition = oval_definition + ''' - - + + oval_definition = ( + oval_definition + + """ + + {} - {} - - + {} + + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - /Library/Managed Preferences/{}.plist'''.format(rule_yaml['id'],x,payload_type) - + /Library/Managed Preferences/{}.plist""".format( + rule_yaml["id"], x, payload_type + ) + ) + if state_kind == "boolean": - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) + """.format( + key + ) + ) else: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_state = oval_state + ''' + """.format( + key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_kind,value) + """.format( + rule_yaml["id"], x, state_kind, value + ) + ) x += 1 continue else: - command = rule_yaml['check'].split("/") - if "sntp" in rule_yaml['check']: + command = rule_yaml["check"].split("/") + if "sntp" in rule_yaml["check"]: x += 1 - print(rule_yaml['id'] + " - No relevant oval test") + print(rule_yaml["id"] + " - No relevant oval test") continue - if "SPStorageDataType" in rule_yaml['check']: + if "SPStorageDataType" in rule_yaml["check"]: x += 1 - print(rule_yaml['id'] + " - No relevant oval test") + 
print(rule_yaml["id"] + " - No relevant oval test") continue if "fdesetup" in command[3]: x += 1 - print(rule_yaml['id'] + " - No relevant oval test") + print(rule_yaml["id"] + " - No relevant oval test") continue if "profiles" in command[3]: - if "/usr/bin/profiles status -type enrollment" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - + if ( + "/usr/bin/profiles status -type enrollment" + in rule_yaml["check"] + ): + oval_definition = ( + oval_definition + + """ + + {} - {} - + {} + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],x,x+899,x+799) - - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + x, + x + 899, + x + 799, + ) + ) + + oval_test = ( + oval_test + + """ @@ -730,9 +1133,14 @@ def main(): - '''.format(x,x,x+899,x+899,x+799,x+799) - - oval_object = oval_object + ''' + """.format( + x, x, x + 899, x + 899, x + 799, x + 799 + ) + ) + + oval_object = ( + oval_object + + """ /Library/Managed Preferences/com.apple.extensiblesso.plist 
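Review bot: `command[3]` is indexed at `if "fdesetup" in command[3]:` and again in the following `profiles` check with no length test after `command = rule_yaml["check"].split("/")`, so a check command with fewer than three `/` separators raises IndexError and aborts generation rather than being reported like the other unsupported cases. A guard right after the split, `if len(command) < 4: print(rule_yaml["id"] + " - unexpected check command"); continue`, would keep the failure local to that rule. At the top of the hunk the `else:` branch shows a removed `continue` with no added counterpart visible; if that is not an artefact of how the patch was rendered, the branch would be left with no body and the skip for unsupported value types needs restoring. The enclosing rule loop starts outside this hunk.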
@@ -741,111 +1149,173 @@ def main(): /Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist - '''.format(x,x+899,x+799) + """.format( + x, x + 899, x + 799 + ) + ) x += 1 continue if "csrutil" in command[3]: if "authenticated-root" in command[3]: - print(rule_yaml['id'] + " - No relevant oval test") + print(rule_yaml["id"] + " - No relevant oval test") continue - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ SPSoftwareDataType //*[contains(text(), "system_integrity")]/following-sibling::string[position()=1]/text() - '''.format(rule_yaml['id'],x) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x + ) + ) + + oval_state = ( + oval_state + + """ SPSoftwareDataType //*[contains(text(), "system_integrity")]/following-sibling::string[position()=1]/text() integrity_enabled - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) x += 1 continue - if "pfctl" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") + if "pfctl" in rule_yaml["check"]: + print(rule_yaml["id"] + " - No relevant oval test") x += 1 continue - if "dump-keychain" in rule_yaml['check']: - print(rule_yaml['id'] + " - No relevant oval test") + if "dump-keychain" in rule_yaml["check"]: + print(rule_yaml["id"] + " - No relevant oval test") x += 1 continue if "mdmclient" in command[3]: - print(rule_yaml['id'] + " - No relevant oval test") + 
print(rule_yaml["id"] + " - No relevant oval test") x += 1 continue if "nvram" in command[3]: - print(rule_yaml['id'] + " - No relevant oval test") + print(rule_yaml["id"] + " - No relevant oval test") x += 1 continue - - if "pmset" in command[3] and "standby" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} + if "pmset" in command[3] and "standby" in rule_yaml["check"]: + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'] +"_standbydelayhigh",x, rule_yaml['id'] +"_standbydelaylow",x+877, rule_yaml['id'] +"_highstandbythreshold",x+888) - - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"] + "_standbydelayhigh", + x, + rule_yaml["id"] + "_standbydelaylow", + x + 877, + rule_yaml["id"] + "_highstandbythreshold", + x + 888, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x,x) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"] + "_standbydelayhigh", x, x, x + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877,x+877,x+877) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"] + "_standbydelaylow", + x + 877, + x + 877, + x + 877, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888,x+888,x+888) + """.format( + rule_yaml["id"] + "_highstandbythreshold", + x + 888, + x + 888, + x + 888, + ) + ) - standbydelayhigh = str() standbydelaylow = str() highstandbythreshold = str() - for line in rule_yaml['fix'].split("----")[1].split("\n"): + for line in rule_yaml["fix"].split("----")[1].split("\n"): if line == "": continue if "standbydelayhigh" in line: 
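Review bot: The pmset standby branch near the end of this hunk parses `rule_yaml["fix"].split("----")[1]` without checking that a `----` fence exists, so a rule whose fix has none raises IndexError, and `standbydelayhigh`, `standbydelaylow` and `highstandbythreshold` are initialised to `""` and keep that value when the expected keyword line is absent, which means an OVAL object comparing the plist value against an empty string is emitted silently. A check before the parse, `if "----" not in rule_yaml["fix"]: print(rule_yaml["id"] + " - no fix block, manual check"); continue`, and a similar check on the three values after the loop would turn both cases into reported skips. The `for line in ...` loop and the use of the parsed values continue in the next hunk.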
@@ -854,489 +1324,869 @@ def main(): standbydelaylow = line.split(" ")[-1].rstrip() if "highstandbythreshold" in line: highstandbythreshold = line.split(" ")[-1].rstrip() - - oval_object = oval_object + ''' + + oval_object = ( + oval_object + + """ SPHardwareDataType //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() - '''.format("hardware UUID",x+999) - - oval_variable = oval_variable + ''' + """.format( + "hardware UUID", x + 999 + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Preferences/com.apple.PowerManagement. .plist - '''.format(x,x+999) - - oval_object = oval_object + ''' + """.format( + x, x + 999 + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id'] + "_standbydelayhigh",x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"] + "_standbydelayhigh", x, x + ) + ) + + oval_object = ( + oval_object + + """ boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("High Standby Delay",standbydelayhigh) - - - oval_object = oval_object + ''' + """.format( + "High Standby Delay", standbydelayhigh + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877, x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"] + "_standbydelaylow", x + 877, x + ) + ) + + oval_object = ( + oval_object + + """ boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("Standby Delay",standbydelaylow) - - oval_object = oval_object + ''' + """.format( + "Standby Delay", standbydelaylow + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888, x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"] + "_highstandbythreshold", x + 888, x + ) + ) + + oval_object = ( + oval_object + + """ boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - '''.format("Standby Battery 
Threshold",highstandbythreshold) - - oval_state = oval_state + ''' + """.format( + "Standby Battery Threshold", highstandbythreshold + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'] + "_standbydelayhigh",x) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"] + "_standbydelayhigh", x + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'] + "_standbydelaylow",x+877) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"] + "_standbydelaylow", x + 877 + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'] + "_highstandbythreshold",x+888) + """.format( + rule_yaml["id"] + "_highstandbythreshold", x + 888 + ) + ) x += 1 continue - - if "pmset" in command[3]: - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - /Library/Preferences/com.apple.PowerManagement.plist'''.format(rule_yaml['id'],x) + /Library/Preferences/com.apple.PowerManagement.plist""".format( + rule_yaml["id"], x + ) + ) pmset_key = str() - if "powernap" in rule_yaml['check']: + if "powernap" in rule_yaml["check"]: pmset_key = "DarkWakeBackgroundTasks" - if "womp" in rule_yaml['check']: + if "womp" in rule_yaml["check"]: pmset_key = "Wake On LAN" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ boolean(plist/dict[key="AC Power"]/dict[key="{}"]/integer/text() = "{}") - 
'''.format(pmset_key,rule_yaml['fix'].split("----")[1].replace("\n","")[-1]) - - oval_state = oval_state + ''' + """.format( + pmset_key, + rule_yaml["fix"].split("----")[1].replace("\n", "")[-1], + ) + ) + + oval_state = ( + oval_state + + """ true - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) x += 1 continue - if "socketfilterfw" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} + if "socketfilterfw" in rule_yaml["check"]: + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) + """.format( + rule_yaml["id"], x, x, x + ) + ) - if rule_yaml['check'].split()[1] == "--getloggingmode": + if rule_yaml["check"].split()[1] == "--getloggingmode": firewall_variable = "loggingenabled" - elif rule_yaml['check'].split()[1] == "--getstealthmode": + elif rule_yaml["check"].split()[1] == "--getstealthmode": firewall_variable = "stealthenabled" - elif rule_yaml['check'].split()[1] == "--getglobalstate": + elif rule_yaml["check"].split()[1] == "--getglobalstate": firewall_variable = "globalstate" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ /Library/Preferences/com.apple.alf.plist //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(rule_yaml['id'],x,firewall_variable) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, firewall_variable + ) + ) + + oval_state = ( + oval_state + + """ 1 - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) x += 1 continue if "systemsetup" in command[3]: - oval_definition = oval_definition + ''' + oval_definition 
= ( + oval_definition + + """ - - - {} + + + {} - {} - + {} + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) state_test = "" - if "-getnetworktimeserver" in rule_yaml['check']: - - timeservers = rule_yaml['result']['string'] - - state_test = ''' + if "-getnetworktimeserver" in rule_yaml["check"]: + timeservers = rule_yaml["result"]["string"] + + state_test = """ {} - '''.format(timeservers) - oval_state = oval_state + ''' + """.format( + timeservers + ) + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,state_test) - - - + """.format( + rule_yaml["id"], x, state_test + ) + ) abc = 0 - if "defaults" in rule_yaml['check'] and "grep" in rule_yaml['check'] and "CURRENT_USER" in rule_yaml['check']: - + if ( + "defaults" in rule_yaml["check"] + and "grep" in rule_yaml["check"] + and "CURRENT_USER" in rule_yaml["check"] + ): regex = r"(?<=\()(.*?)(?=\))" - test_str = rule_yaml['check'].split("grep")[1] + test_str = rule_yaml["check"].split("grep")[1] matches = re.finditer(regex, test_str, re.MULTILINE) matchy_match = "" for matchNum, match in enumerate(matches, start=1): matchy_match = match.group() - - - oval_definition = oval_definition + ''' - - - {} + + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - + """.format( + x, + rule_yaml["title"], + 
rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + for multi_grep in matchy_match.split("|"): - - oval_definition = oval_definition + ''' + oval_definition = ( + oval_definition + + """ - '''.format(rule_yaml['id']+"_"+str(abc),x) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"] + "_" + str(abc), x + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id']+"_"+str(abc),x,x,x) - - key = matchy_match.split("|")[abc].split(" = ")[0].replace("\"","") - value = matchy_match.split("|")[abc].split(" = ")[1].replace(";","") - if "$CURRENT_USER" in rule_yaml['check']: - - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"] + "_" + str(abc), x, x, x + ) + ) + + key = ( + matchy_match.split("|")[abc] + .split(" = ")[0] + .replace('"', "") + ) + value = ( + matchy_match.split("|")[abc] + .split(" = ")[1] + .replace(";", "") + ) + if "$CURRENT_USER" in rule_yaml["check"]: + oval_object = ( + oval_object + + """ .* oval:mscp:ste:{} - '''.format(x+1999,x+1999) - - oval_state = oval_state + ''' + """.format( + x + 1999, x + 1999 + ) + ) + + oval_state = ( + oval_state + + """ ^[^_\s].* 0 0 /usr/bin/false - '''.format(x+1999) - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - - - - oval_variable = oval_variable + ''' + """.format( + x + 1999 + ) + ) + plist = ( + rule_yaml["check"] + .split("read")[1] + .split()[0] + .replace(".plist", "") + ) + + oval_variable = ( + oval_variable + + """ - /Library/Preferences/{}. + /Library/Preferences/{}. 
plist - '''.format(x,x+1999,plist) - - - oval_object = oval_object + ''' + """.format( + x, x + 1999, plist + ) + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id']+"_"+str(abc),x,x) + """.format( + rule_yaml["id"] + "_" + str(abc), x, x + ) + ) oval_datatype = "" try: int(value) - - oval_datatype = "int" - oval_object = oval_object + ''' + + oval_datatype = "int" + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) + """.format( + key + ) + ) except: if value.lower() == "true" or value.lower == "false": oval_datatype = "boolean" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) + """.format( + key + ) + ) else: oval_datatype = "string" - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' + """.format( + key + ) + ) + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id']+"_"+str(abc),x,oval_datatype,value) - - abc =+ 1 - x = x+1 - oval_definition = oval_definition + ''' - ''' - oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - - x = x+1 + """.format( + rule_yaml["id"] + "_" + str(abc), + x, + oval_datatype, + value, + ) + ) + + abc = +1 + x = x + 1 + oval_definition = ( + oval_definition + + """ + """ + ) + oval_definition = re.sub( + "(?=\n\[NOTE\])(?s)(.*)\=\n<", "<", oval_definition + ) + + x = x + 1 break - - if "defaults" in rule_yaml['check']: - - if rule_yaml['id'] == "sysprefs_hot_corners_secure": - oval_definition = oval_definition + ''' - - - {} + if "defaults" in rule_yaml["check"]: + if rule_yaml["id"] == "sysprefs_hot_corners_secure": + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - 
'''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x,rule_yaml['id'],x+5000,rule_yaml['id'],x+5001,rule_yaml['id'],x+5002) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + rule_yaml["id"], + x + 5000, + rule_yaml["id"], + x + 5001, + rule_yaml["id"], + x + 5002, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x+5000,x+5000,x+5000) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"], x + 5000, x + 5000, x + 5000 + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x+5001,x+5001,x+5001) - - oval_test = oval_test + ''' + """.format( + rule_yaml["id"], x + 5001, x + 5001, x + 5001 + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x+5002,x+5002,x+5002) - - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split("\n")[0].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x + 5002, x + 5002, x + 5002 + ) + ) + + plist = ( + rule_yaml["check"] + .split("read")[1] + .split()[0] + .replace(".plist", "") + ) + check_length = len(rule_yaml["check"].split()) + key = ( + rule_yaml["check"] + .split("\n")[0] + .replace(" 2>/dev/null", "") + .split()[-1] + .replace('"', "") + .replace(")", "") + ) + + oval_object = ( + oval_object + + """ .* oval:mscp:ste:{} - + - - '''.format(x+1999,x+1999,rule_yaml['id'],x,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = 
rule_yaml['check'].split("\n")[1].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' + + """.format( + x + 1999, x + 1999, rule_yaml["id"], x, x + ) + ) + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + + key = ( + rule_yaml["check"] + .split("\n")[1] + .replace(" 2>/dev/null", "") + .split()[-1] + .replace('"', "") + .replace(")", "") + ) + + oval_object = ( + oval_object + + """ - - '''.format(rule_yaml['id'],x+5000,x) - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = rule_yaml['check'].split("\n")[2].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' + + """.format( + rule_yaml["id"], x + 5000, x + ) + ) + + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + + key = ( + rule_yaml["check"] + .split("\n")[2] + .replace(" 2>/dev/null", "") + .split()[-1] + .replace('"', "") + .replace(")", "") + ) + + oval_object = ( + oval_object + + """ - - '''.format(rule_yaml['id'],x+5001,x) - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - key = rule_yaml['check'].split("\n")[3].replace(" 2>/dev/null","").split()[-1].replace('"','').replace(")",'') - - oval_object = oval_object + ''' + + """.format( + rule_yaml["id"], x + 5001, x + ) + ) + + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + + key = ( + rule_yaml["check"] + .split("\n")[3] + .replace(" 2>/dev/null", "") + .split()[-1] + .replace('"', "") + .replace(")", "") + ) + + oval_object = ( + oval_object + + """ - - '''.format(rule_yaml['id'],x+5002,x) - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - 
'''.format(key) - - oval_state = oval_state + ''' + + """.format( + rule_yaml["id"], x + 5002, x + ) + ) + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + + oval_state = ( + oval_state + + """ ^[^_\s].* 0 0 /usr/bin/false - '''.format(x+1999) - - + """.format( + x + 1999 + ) + ) + after_user = plist.split('"')[2] - oval_variable = oval_variable + ''' + oval_variable = ( + oval_variable + + """ {} .plist - '''.format(x,x+1999,after_user,x+999) + """.format( + x, x + 1999, after_user, x + 999 + ) + ) try: - check_if = rule_yaml['check'].split("\n")[5] - + check_if = rule_yaml["check"].split("\n")[5] + modifier = 0 for n in check_if.split(): - - if n.replace('"',"").isdigit(): + if n.replace('"', "").isdigit(): if modifier >= 4999: modifier = modifier + 1 - oval_state = oval_state + ''' + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x+modifier,n.replace('"',"")) + """.format( + rule_yaml["id"], + x + modifier, + n.replace('"', ""), + ) + ) if modifier == 0: modifier = 4999 x = x + 1 continue - except: - x = x + 1 + except: + x = x + 1 continue - - - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - plist = rule_yaml['check'].split("read")[1].split()[0].replace(".plist","") - - if "ByHost" in rule_yaml['fix'] or "currentHost" in rule_yaml['fix']: - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + plist = ( + rule_yaml["check"] + .split("read")[1] + .split()[0] + 
.replace(".plist", "") + ) + + if ( + "ByHost" in rule_yaml["fix"] + or "currentHost" in rule_yaml["fix"] + ): + oval_object = ( + oval_object + + """ SPHardwareDataType //*[contains(text(), "platform_UUID")]/following-sibling::string[position()=1]/text() - '''.format("hardware UUID",x+999) - - if "$CURRENT_USER" in rule_yaml['check']: - - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].split()[check_length-1] - - oval_object = oval_object + ''' + """.format( + "hardware UUID", x + 999 + ) + ) + + if "$CURRENT_USER" in rule_yaml["check"]: + check_length = len(rule_yaml["check"].split()) + key = rule_yaml["check"].split()[check_length - 1] + + oval_object = ( + oval_object + + """ .* oval:mscp:ste:{} - + - - '''.format(x+1999,x+1999,rule_yaml['id'],x,x) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' + + """.format( + x + 1999, x + 1999, rule_yaml["id"], x, x + ) + ) + + try: + rule_yaml["result"]["boolean"] + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) + """.format( + key + ) + ) except: - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + oval_state = ( + oval_state + + """ ^[^_\s].* 0 0 /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' + """.format( + x + 1999 + ) + ) + + oval_variable = ( + oval_variable + + """ 
@@ -1344,337 +2194,559 @@ def main(): .plist - '''.format(x,x+1999,plist,x+999) - - + """.format( + x, x + 1999, plist, x + 999 + ) + ) else: - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].replace(" 2>/dev/null","").split()[check_length-1] - - oval_object = oval_object + ''' + check_length = len(rule_yaml["check"].split()) + key = ( + rule_yaml["check"] + .replace(" 2>/dev/null", "") + .split()[check_length - 1] + ) + + oval_object = ( + oval_object + + """ - '''.format(rule_yaml['id'],x,x) + """.format( + rule_yaml["id"], x, x + ) + ) try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' + rule_yaml["result"]["boolean"] + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(key) + """.format( + key + ) + ) except: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - - oval_variable = oval_variable + ''' + """.format( + key + ) + ) + + oval_variable = ( + oval_variable + + """ {}. 
.plist - '''.format(x,plist,x+999) - - elif "$CURRENT_USER" in rule_yaml['check']: - - - check_length = len(rule_yaml['check'].split()) - key = rule_yaml['check'].replace(" 2>/dev/null","").split()[-1] - - oval_object = oval_object + ''' + """.format( + x, plist, x + 999 + ) + ) + + elif "$CURRENT_USER" in rule_yaml["check"]: + check_length = len(rule_yaml["check"].split()) + key = ( + rule_yaml["check"] + .replace(" 2>/dev/null", "") + .split()[-1] + ) + + oval_object = ( + oval_object + + """ .* oval:mscp:ste:{} - + - - '''.format(x+1999,x+1999,rule_yaml['id'],x,x) - - try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' + + """.format( + x + 1999, x + 1999, rule_yaml["id"], x, x + ) + ) + + try: + rule_yaml["result"]["boolean"] + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) -'''.format(key) +""".format( + key + ) + ) except: - - oval_object = oval_object + '''//*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(key) - oval_state = oval_state + ''' + oval_object = ( + oval_object + + """//*[contains(text(), "{}")]/following-sibling::*[1]/text() + """.format( + key + ) + ) + oval_state = ( + oval_state + + """ ^[^_\s].* 0 0 /usr/bin/false - '''.format(x+1999) - - oval_variable = oval_variable + ''' + """.format( + x + 1999 + ) + ) + + oval_variable = ( + oval_variable + + """ /Library/Preferences/{}. 
plist - '''.format(x,x+1999,plist,x+999) + """.format( + x, x + 1999, plist, x + 999 + ) + ) else: - if plist[-6:] != ".plist": plist = plist + ".plist" - - plist_key = rule_yaml['check'].replace(" 2>/dev/null","").split(" ")[3].rstrip() - oval_object = oval_object + ''' + + plist_key = ( + rule_yaml["check"] + .replace(" 2>/dev/null", "") + .split(" ")[3] + .rstrip() + ) + oval_object = ( + oval_object + + """ - {}'''.format(rule_yaml['id'],x,plist) - + {}""".format( + rule_yaml["id"], x, plist + ) + ) + try: - rule_yaml['result']['boolean'] - oval_object = oval_object + ''' + rule_yaml["result"]["boolean"] + oval_object = ( + oval_object + + """ name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(plist_key) + """.format( + plist_key + ) + ) except: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ //*[contains(text(), "{}")]/following-sibling::*[1]/text() - '''.format(plist_key) - - + """.format( + plist_key + ) + ) + datatype = "" - plist_key = rule_yaml['check'].split(" ")[3].rstrip() - for key in rule_yaml['result']: + plist_key = rule_yaml["check"].split(" ")[3].rstrip() + for key in rule_yaml["result"]: datatype = key if datatype == "integer": oval_datatype = "int" - + else: oval_datatype = datatype - if oval_datatype == "boolean" and rule_yaml['result'][datatype] == 0: + if ( + oval_datatype == "boolean" + and rule_yaml["result"][datatype] == 0 + ): value = "false" - elif oval_datatype == "boolean" and rule_yaml['result'][datatype] == 1: + elif ( + oval_datatype == "boolean" + and rule_yaml["result"][datatype] == 1 + ): value = "true" else: - value = rule_yaml['result'][datatype] - - oval_state = oval_state + ''' + value = rule_yaml["result"][datatype] + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,oval_datatype,value) - oval_definition = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n<', '<', oval_definition) - x = x+1 - + """.format( + rule_yaml["id"], x, oval_datatype, value + ) + ) + 
oval_definition = re.sub( + "(?=\n\[NOTE\])(?s)(.*)\=\n<", "<", oval_definition + ) + x = x + 1 + continue if "security" in command[3]: - if rule_yaml['check'].split()[1] == "authorizationdb": - check = rule_yaml['check'].split("|") - - authdb = rule_yaml['check'].split()[3] - if len(check) > 2: + if rule_yaml["check"].split()[1] == "authorizationdb": + check = rule_yaml["check"].split("|") - matches = re.findall(r'(?<=\>)(.*)(?=\<)',check[1]) - key = str(matches).replace("[","").replace("]","").replace("'","") + authdb = rule_yaml["check"].split()[3] + if len(check) > 2: + matches = re.findall(r"(?<=\>)(.*)(?=\<)", check[1]) + key = ( + str(matches) + .replace("[", "") + .replace("]", "") + .replace("'", "") + ) length = len(check[2].split()) - - last_string = check[2].split()[length-1].replace('"',"").replace("<","").replace(">","").replace("/","") - - - oval_definition = oval_definition + ''' - - - {} + + last_string = ( + check[2] + .split()[length - 1] + .replace('"', "") + .replace("<", "") + .replace(">", "") + .replace("/", "") + ) + + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ {} boolean(//key[text()="{}"]/following-sibling::{}) - '''.format(rule_yaml['id'],x,authdb,key,last_string) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, authdb, key, last_string + ) + ) + + oval_state = ( + oval_state + + """ - + true - '''.format(rule_yaml['id'],x) + """.format( + rule_yaml["id"], x + ) + ) else: - key = 
(check[1].split()[2].replace("'","")) + key = check[1].split()[2].replace("'", "") - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ {} //*[contains(text(), "{}")]/text() - '''.format(rule_yaml['id'],x,authdb,key) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, authdb, key + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,key) + """.format( + rule_yaml["id"], x, key + ) + ) x += 1 continue - if "/bin/rm" in rule_yaml['fix'] and "/bin/ls" in rule_yaml['check']: - oval_definition = oval_definition + ''' - - - {} + if ( + "/bin/rm" in rule_yaml["fix"] + and "/bin/ls" in rule_yaml["check"] + ): + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - oval_test = oval_test + ''' + + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + oval_test = ( + oval_test + + """ - '''.format(x,rule_yaml['id'],x) + """.format( + x, rule_yaml["id"], x + ) + ) - path = rule_yaml['fix'].split("----")[1].split(" ")[-1] - - oval_object = oval_object + ''' + path = rule_yaml["fix"].split("----")[1].split(" ")[-1] + + oval_object = ( + oval_object + + """ {} - - '''.format(x,rule_yaml['id'],path.rstrip()) + 
+ """.format( + x, rule_yaml["id"], path.rstrip() + ) + ) x += 1 continue - if "ls" in command[2] or "stat" in command[3].split()[0]: - if '/Library/Security/PolicyBanner.rtf' in rule_yaml['check']: - - - oval_definition = oval_definition + ''' - - - {} + if "/Library/Security/PolicyBanner.rtf" in rule_yaml["check"]: + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x,rule_yaml['id'],x+2999) - - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + rule_yaml["id"], + x + 2999, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(x,rule_yaml['id'],x,x+2999,rule_yaml['id'],x+2999) - - oval_object = oval_object + ''' + """.format( + x, + rule_yaml["id"], + x, + x + 2999, + rule_yaml["id"], + x + 2999, + ) + ) + + oval_object = ( + oval_object + + """ /Library/Security/PolicyBanner.rtf - + /Library/Security/PolicyBanner.rtfd - - '''.format(x,rule_yaml['id'],x+2999,rule_yaml['id']) + + """.format( + x, rule_yaml["id"], x + 2999, rule_yaml["id"] + ) + ) x = x + 1 continue - - s = rule_yaml['check'] + + s = rule_yaml["check"] config_file = str() oval_variable_need = bool() if "grep" in s.split()[2]: - - oval_variable_need = True - grep_search = re.search('\((.*?)\)', s).group(1) - + grep_search = re.search("\((.*?)\)", s).group(1) + substring = grep_search.split("|")[0] - regex = re.search('\'(.*?)\'', substring).group(1) - + regex = re.search("'(.*?)'", substring).group(1) + try: - regex = re.search('/(.*?)/', regex).group(1) + regex = re.search("/(.*?)/", regex).group(1) except: regex = regex - config_file = substring = grep_search.split("|")[0].split()[-1] + config_file = substring = grep_search.split("|")[0].split()[ + -1 + ] - oval_object = oval_object + ''' + oval_object = ( + oval_object 
+ + """ {} {}:\s*(.*)$ 1 - '''.format(rule_yaml['id'], x+999, config_file, regex) - - oval_variable = oval_variable + ''' + """.format( + rule_yaml["id"], x + 999, config_file, regex + ) + ) + + oval_variable = ( + oval_variable + + """ - '''.format(x,rule_yaml['id'],x+999) - + """.format( + x, rule_yaml["id"], x + 999 + ) + ) + else: oval_variable_need = False config_file = s.split()[2] - s = rule_yaml['fix'] + s = rule_yaml["fix"] + + fix_command = re.search("-\n(.*?)\n-", s).group(1).split("$")[0] - fix_command = re.search('-\n(.*?)\n-', s).group(1).split('$')[0] - - oval_definition = oval_definition + ''' - - - - {} + oval_definition = ( + oval_definition + + """ + + + + {} - {} - - + {} + + - - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(x,rule_yaml['id'],x,x) - - if "-" in fix_command and "R" in fix_command or rule_yaml['fix'].split("\n")[2][-1] == "*": + """.format( + x, rule_yaml["id"], x, x + ) + ) + + if ( + "-" in fix_command + and "R" in fix_command + or rule_yaml["fix"].split("\n")[2][-1] == "*" + ): behavior = '' if "audit" in rule_file: filename = 'current' 
@@ -1683,486 +2755,763 @@ def main(): filename = '' if oval_variable_need == True: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ {} {} - '''.format(rule_yaml['id'],x,behavior,x,filename) + """.format( + rule_yaml["id"], x, behavior, x, filename + ) + ) else: - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ {} {} - - '''.format(rule_yaml['id'],x,behavior,config_file) + + """.format( + rule_yaml["id"], x, behavior, config_file + ) + ) state_test = "" - if "-" in fix_command and "N" in fix_command and "chmod" in fix_command: - state_test = ''' + if ( + "-" in fix_command + and "N" in fix_command + and "chmod" in fix_command + ): + state_test = """ false - ''' - + """ + elif "chgrp" in fix_command: - state_test = ''' + state_test = """ {} - '''.format(rule_yaml['result']['integer']) + """.format( + rule_yaml["result"]["integer"] + ) elif "chown" in fix_command: - - state_test = ''' + state_test = """ {} - '''.format(rule_yaml['result']['integer']) - + """.format( + rule_yaml["result"]["integer"] + ) elif "chmod" in fix_command: - perms = fix_command.split()[1] - + if perms[0] == "0": - state_test = ''' + state_test = """ false false - false''' + false""" if perms[0] == "1": - state_test = ''' + state_test = """ false false - true''' + true""" elif perms[0] == "2": - state_test = ''' + state_test = """ false true - false''' + false""" elif perms[0] == "3": - state_test = ''' + state_test = """ false true - true''' + true""" elif perms[0] == "4": - - state_test = ''' + state_test = """ true false - false''' + false""" elif perms[0] == "5": - state_test = ''' + state_test = """ true false - true''' + true""" elif perms[0] == "6": - state_test = ''' + state_test = """ true true - false''' + false""" elif perms[0] == "7": - state_test = ''' + state_test = """ true true - true''' - + true""" + if perms[1] == "0": - state_test = state_test + ''' + state_test = ( + state_test + + """ false false - false''' + false""" + ) 
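Review bot: The inline flag in `re.sub("(?=\n\[NOTE\])(?s)(.*)\=\n<", "<", oval_definition)` at the end of the `defaults` branch sits in the middle of the pattern; Python 3.11 and later reject a global flag that is not at the start of the expression with `re.error`, so the reformatted call still fails at runtime there. The non-raw string also carries `\[`, `\]` and `\=`, which are invalid escape sequences that newer interpreters warn about; moving the flag and using a raw string fixes both: `re.sub(r"(?s)(?=\n\[NOTE\])(.*)\=\n<", "<", oval_definition)`. The same pattern problem recurs in the next hunk in `final_oval = re.sub("(?=\n\[NOTE\])(?s)(.*)\=\n$.*", "<", total_oval)`, and the grep branch of this hunk has the same invalid-escape issue in `re.search("\((.*?)\)", s)`, which should be `re.search(r"\((.*?)\)", s)`. The enclosing main() starts before and continues past this hunk.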
elif perms[1] == "1": - state_test = state_test + ''' + state_test = ( + state_test + + """ false false - true''' + true""" + ) elif perms[1] == "2": - state_test = state_test + ''' + state_test = ( + state_test + + """ false true - false''' + false""" + ) elif perms[1] == "3": - state_test = state_test + ''' + state_test = ( + state_test + + """ false true - true''' + true""" + ) elif perms[1] == "4": - - state_test = state_test + ''' + state_test = ( + state_test + + """ true false - false''' + false""" + ) elif perms[1] == "5": - state_test = state_test + ''' + state_test = ( + state_test + + """ true false - true''' + true""" + ) elif perms[1] == "6": - state_test = state_test + ''' + state_test = ( + state_test + + """ true true - false''' + false""" + ) elif perms[1] == "7": - state_test = state_test + ''' + state_test = ( + state_test + + """ true true - true''' + true""" + ) if perms[2] == "0": - - state_test = state_test + ''' + state_test = ( + state_test + + """ false false - false''' + false""" + ) if perms[2] == "1": - state_test = state_test + ''' + state_test = ( + state_test + + """ false false - true''' + true""" + ) elif perms[2] == "1": - state_test = state_test + ''' + state_test = ( + state_test + + """ false false - true''' + true""" + ) elif perms[2] == "2": - state_test = state_test + ''' + state_test = ( + state_test + + """ false true - false''' + false""" + ) elif perms[2] == "3": - state_test = state_test + ''' + state_test = ( + state_test + + """ false true - true''' + true""" + ) elif perms[2] == "4": - state_test = state_test + ''' + state_test = ( + state_test + + """ true false - false''' + false""" + ) elif perms[2] == "5": - state_test = state_test + ''' + state_test = ( + state_test + + """ true false - true''' + true""" + ) elif perms[2] == "6": - state_test = state_test + ''' + state_test = ( + state_test + + """ true true - false''' + false""" + ) elif perms[2] == "7": - state_test = state_test + ''' + state_test = ( + 
state_test + + """ true true - true''' - - oval_state = oval_state + ''' - '''.format(rule_yaml['id'],x) + state_test + ''' + true""" + ) + + oval_state = ( + oval_state + + """ + """.format( + rule_yaml["id"], x + ) + + state_test + + """ - ''' - + """ + ) + x += 1 continue - + if "dscl" in command[3]: - if "UserShell" in rule_yaml['check']: - shell = rule_yaml['check'].split()[9].replace('"','') - oval_definition = oval_definition + ''' - - - {} + if "UserShell" in rule_yaml["check"]: + shell = rule_yaml["check"].split()[9].replace('"', "") + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'],rule_yaml['id'],x) - - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"], + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(rule_yaml['id'],x,x,x) - - oval_object = oval_object + ''' + """.format( + rule_yaml["id"], x, x, x + ) + ) + + oval_object = ( + oval_object + + """ {} - '''.format(rule_yaml['id'],x,command[5].split()[0]) - - oval_state = oval_state + ''' + """.format( + rule_yaml["id"], x, command[5].split()[0] + ) + ) + + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,shell) - x += 1 - continue + """.format( + rule_yaml["id"], x, shell + ) + ) + x += 1 + continue if "awk" in command[3]: awk_file = "" awk_search = "" field_sep = "" - - if "grep -qE" in rule_yaml['fix']: - awk_file = rule_yaml['fix'].split(" ")[3].strip(" ") - awk_search = rule_yaml['fix'].split(" ")[2].strip("\"") - - elif "grep" in rule_yaml['check']: - - awk_file = rule_yaml['check'].split("|")[0].split(" ")[-2] - awk_search = rule_yaml['check'].split("|")[-1].split(" ")[-2].strip("\'") - + + if "grep -qE" in rule_yaml["fix"]: + awk_file = rule_yaml["fix"].split(" ")[3].strip(" ") + awk_search = 
rule_yaml["fix"].split(" ")[2].strip('"') + + elif "grep" in rule_yaml["check"]: + awk_file = rule_yaml["check"].split("|")[0].split(" ")[-2] + awk_search = ( + rule_yaml["check"] + .split("|")[-1] + .split(" ")[-2] + .strip("'") + ) + else: - awk_file = rule_yaml['check'].split("'")[2].strip(" ") - awk_search = rule_yaml['check'].split("'")[1].split("/")[1] - field_sep = rule_yaml['check'].split("-F")[1].split(" ")[0].replace('\"',"") - - try: - - awk_result = rule_yaml['result']['string'] - - except: - - awk_result = str(rule_yaml['result']['integer']) - + awk_file = rule_yaml["check"].split("'")[2].strip(" ") + awk_search = rule_yaml["check"].split("'")[1].split("/")[1] + field_sep = ( + rule_yaml["check"] + .split("-F")[1] + .split(" ")[0] + .replace('"', "") + ) + + try: + awk_result = rule_yaml["result"]["string"] + + except: + awk_result = str(rule_yaml["result"]["integer"]) + awk_search = "^" + awk_search + field_sep + awk_result - - - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + oval_test = ( + oval_test + + """ - '''.format(x, rule_yaml['id'], x) - oval_object = oval_object + ''' + """.format( + x, rule_yaml["id"], x + ) + ) + oval_object = ( + oval_object + + """ {} {} 1 - '''.format(x,rule_yaml['id'],awk_file.rstrip(), awk_search) + """.format( + x, rule_yaml["id"], awk_file.rstrip(), awk_search + ) + ) x += 1 continue if "grep" in command[3] and not "pgrep" in command[3]: - - if "bannerText" in rule_yaml['check'] or "fips_" in rule_yaml['check']: - - text_to_find = rule_yaml['check'].split("=")[1].split('"')[1] - - matches = 
text_to_find.replace(".","\.").replace(")","\)").replace("(","\(").replace("*","\*") - - oval_definition = oval_definition + ''' - - - {} + if ( + "bannerText" in rule_yaml["check"] + or "fips_" in rule_yaml["check"] + ): + text_to_find = ( + rule_yaml["check"].split("=")[1].split('"')[1] + ) + + matches = ( + text_to_find.replace(".", "\.") + .replace(")", "\)") + .replace("(", "\(") + .replace("*", "\*") + ) + + oval_definition = ( + oval_definition + + """ + + + {} - {} + {} - + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + oval_test = ( + oval_test + + """ - '''.format(x, rule_yaml['id'], x) - + """.format( + x, rule_yaml["id"], x + ) + ) + file_path = rule_yaml["check"].split(" ")[-1].rstrip() - - oval_object = oval_object + ''' + + oval_object = ( + oval_object + + """ {} {} 1 - '''.format(x,rule_yaml['id'],file_path,matches) + """.format( + x, rule_yaml["id"], file_path, matches + ) + ) x += 1 continue else: - - s = rule_yaml['check'] - - try: - + s = rule_yaml["check"] + + try: grep_search = re.search('"(.*?)"', s).group(1) - - except: - - grep_search = re.search('\'(.*?)\'', s).group(1) - - - grep_file = rule_yaml['check'].split(grep_search,1)[1].split(" ")[1] - - - oval_definition = oval_definition + ''' - - - {} + + except: + grep_search = re.search("'(.*?)'", s).group(1) + + grep_file = ( + rule_yaml["check"] + .split(grep_search, 1)[1] + .split(" ")[1] + ) + + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + 
rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + oval_test = ( + oval_test + + """ - '''.format(x, rule_yaml['id'], x) - oval_object = oval_object + ''' + """.format( + x, rule_yaml["id"], x + ) + ) + oval_object = ( + oval_object + + """ {} {} 1 - '''.format(x,rule_yaml['id'],grep_file.rstrip(),grep_search) + """.format( + x, rule_yaml["id"], grep_file.rstrip(), grep_search + ) + ) x += 1 continue - - if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']: - - if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']: - oval_definition = oval_definition + ''' - - - {} + + if "launchctl" in command[2] or "launchctl" in rule_yaml["fix"]: + if ( + "disable" in command[2] + and "=> true" in rule_yaml["check"] + or "unload -w" in rule_yaml["fix"] + ): + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + rule_yaml["id"], + x + 999, + ) + ) + + oval_test = ( + oval_test + + """ - - '''.format(rule_yaml['id'],x,x,x,x+999,rule_yaml['id'],x+999) - + + """.format( + rule_yaml["id"], + x, + x, + x, + x + 999, + rule_yaml["id"], + x + 999, + ) + ) + domain = str() - if "launchctl" not in rule_yaml['check']: - domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + if "launchctl" not in rule_yaml["check"]: + domain = ( + rule_yaml["fix"] + .split()[4] + .split("/")[4] + .replace(".plist", "") + ) + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - - oval_object = oval_object + ''' + + oval_object = ( + oval_object + + """ 
/var/db/com.apple.xpc.launchd/disabled.plist name(//*[contains(text(), "{}")]/following-sibling::*[1]) - '''.format(rule_yaml['id'],x,domain,x+999,rule_yaml['id'],domain) - + """.format( + rule_yaml["id"], + x, + domain, + x + 999, + rule_yaml["id"], + domain, + ) + ) + status = "" if "enable" in rule_yaml["fix"]: status = "false" else: status = "true" - oval_state = oval_state + ''' + oval_state = ( + oval_state + + """ {} - '''.format(rule_yaml['id'],x,status) - - elif "launchctl unload" in rule_yaml['fix']: - oval_definition = oval_definition + ''' - - - {} + """.format( + rule_yaml["id"], x, status + ) + ) + + elif "launchctl unload" in rule_yaml["fix"]: + oval_definition = ( + oval_definition + + """ + + + {} - {} - + {} + - '''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x,rule_yaml['id'],x+999) - - oval_test = oval_test + ''' + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + rule_yaml["id"], + x + 999, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(x,rule_yaml['id'],x) - + """.format( + x, rule_yaml["id"], x + ) + ) + domain = str() - - if "launchctl" not in rule_yaml['check']: - domain = rule_yaml['fix'].split()[4].split('/')[4].replace(".plist","") - + + if "launchctl" not in rule_yaml["check"]: + domain = ( + rule_yaml["fix"] + .split()[4] + .split("/")[4] + .replace(".plist", "") + ) + else: s = command[5].split()[2] domain = re.search('"(.*?)"', s).group(1) - - oval_object = oval_object + ''' + + oval_object = ( + oval_object + + """ - '''.format(x, rule_yaml['id'],domain) - + """.format( + x, rule_yaml["id"], domain + ) + ) + else: - - oval_definition = oval_definition + ''' - - - {} + oval_definition = ( + oval_definition + + """ + + + {} - {} - - + {} + + - - 
'''.format(x,rule_yaml['title'],rule_yaml['references']['cce'][0],rule_yaml['id'],rule_yaml['discussion'].rstrip(),rule_yaml['id'],x) - - oval_test = oval_test + ''' + + """.format( + x, + rule_yaml["title"], + rule_yaml["references"]["cce"][0], + rule_yaml["id"], + rule_yaml["discussion"].rstrip(), + rule_yaml["id"], + x, + ) + ) + + oval_test = ( + oval_test + + """ - '''.format(x,rule_yaml['id'],x) + """.format( + x, rule_yaml["id"], x + ) + ) domain = command[5].split()[2] - domain = domain.replace('"','').replace("'",'') + domain = domain.replace('"', "").replace("'", "") - oval_object = oval_object + ''' + oval_object = ( + oval_object + + """ - '''.format(x,rule_yaml['id'],domain) + """.format( + x, rule_yaml["id"], domain + ) + ) x += 1 - continue - - total_oval = ovalPrefix + "\n\n" + oval_definition + "\n\n\n" + oval_test + "\n\n\n" + oval_object + "\n\n" + continue + + total_oval = ( + ovalPrefix + + "\n\n" + + oval_definition + + "\n\n\n" + + oval_test + + "\n\n\n" + + oval_object + + "\n\n" + ) if oval_state != "": total_oval = total_oval + "\n" + oval_state + "\n\n" if oval_variable != "": - total_oval = total_oval + "\n\n" + oval_variable + "\n\n" - + total_oval = ( + total_oval + "\n\n" + oval_variable + "\n\n" + ) + total_oval = total_oval + "\n" - - final_oval = re.sub('(?=\n\[NOTE\])(?s)(.*)\=\n$.*', '<', total_oval) - + + final_oval = re.sub("(?=\n\[NOTE\])(?s)(.*)\=\n$.*", "<", total_oval) + oval_file = output - with open(oval_file + "temp",'w') as rite: + with open(oval_file + "temp", "w") as rite: rite.write(final_oval) - cmd = shutil.which('xmllint') + cmd = shutil.which("xmllint") rite.close() if cmd == None: try: @@ -2171,10 +3520,11 @@ def main(): print("Error writing Oval file.") else: cmd = cmd + " " + oval_file + "temp --format --output " + oval_file - + os.popen(cmd).read() if os.path.exists(oval_file): os.remove(oval_file + "temp") - + + if __name__ == "__main__": - main() \ No newline at end of file + main() 
diff --git a/scripts/mac b/scripts/mac index 790593c..424e7c2 100644 --- a/scripts/mac +++ b/scripts/mac @@ -189,4 +189,4 @@ if [ -f "$HOME/.laptop.local" ]; then fancy_echo "Running your customizations from ~/.laptop.local ..." # shellcheck disable=SC1091 . "$HOME/.laptop.local" -fi \ No newline at end of file +fi diff --git a/scripts/macos-dns.sh b/scripts/macos-dns.sh index cf4bc9c..da44310 100644 --- a/scripts/macos-dns.sh +++ b/scripts/macos-dns.sh @@ -7,4 +7,4 @@ d.remove ServerAddress d.add ServerAddresses * 127.0.0.1 ::1 set State:/Network/Service/gpd.pan/DNS exit -EOF \ No newline at end of file +EOF diff --git a/scripts/pf-blocklist.sh b/scripts/pf-blocklist.sh index c0ea333..cb71579 100644 --- a/scripts/pf-blocklist.sh +++ b/scripts/pf-blocklist.sh @@ -26,7 +26,7 @@ printf "\n" if [[ "${action}" =~ ^([yY])$ ]] ; then rm $threats $blocklist 2>/dev/null touch $threats - + printf "Checking threats ..." curl -sq \ "https://pgl.yoyo.org/adservers/iplist.php?ipformat=&showintro=0&mimetype=plaintext" \ @@ -40,14 +40,14 @@ if [[ "${action}" =~ ^([yY])$ ]] ; then grep -Ev "^192\.168\.|^10\.|172\.16\.|127\.0\.0\.0|0\.0\.0\.0|^#|#$" | \ grep -E "^[0-9]" >> $threats wc -l $threats - + sort $threats | uniq > $blocklist wc -l $blocklist - + if [[ ! -s $blocklist ]] ; then printf "Error: empty blocklist\n" ; exit 1 fi - + sudo cp -v /etc/pf/blocklist /etc/pf/blocklist.$(date +%F) && sudo cp -v ./$blocklist /etc/pf/blocklist sudo pfctl -e -f /etc/pf.conf printf "\nnew rules: " diff --git a/scripts/pr.sh b/scripts/pr.sh index 742ad76..5abd992 100644 --- a/scripts/pr.sh +++ b/scripts/pr.sh @@ -125,4 +125,4 @@ git clone https://github.com/Netflix/dispatch-docker.git ## GPG ### gpg --full-generate-key -gpg --armor --export {this-is-your-gpg-key-id} \ No newline at end of file +gpg --armor --export {this-is-your-gpg-key-id} diff --git a/scripts/privacy-script.sh b/scripts/privacy-script.sh index ce03392..4bf3f61 100644 --- a/scripts/privacy-script.sh 
+++ b/scripts/privacy-script.sh @@ -822,7 +822,7 @@ echo '--- Remove Apple Remote Desktop Settings' sudo rm -rf /var/db/RemoteManagement sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist -sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ +sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ rm -r ~/Library/Application\ Support/Remote\ Desktop/ rm -r ~/Library/Containers/com.apple.RemoteDesktop # ---------------------------------------------------------- @@ -1201,4 +1201,4 @@ sudo defaults write com.apple.LaunchServices 'LSQuarantine' -bool NO echo 'Your privacy and security is now hardened 🎉💪' echo 'Press any key to exit.' -read -n 1 -s \ No newline at end of file +read -n 1 -s diff --git a/scripts/secure.sh b/scripts/secure.sh index cc96f05..ff288ed 100644 --- a/scripts/secure.sh +++ b/scripts/secure.sh @@ -119,4 +119,4 @@ Outgoing TCP SYN packets are blocked, so a TCP connection is not established and To use pf to audit "phone home" behavior of user and system-level processes, see fix-macosx/net-monitor. See drduh/config/scripts/pf-blocklist.sh for more inspiration. -# sudo cp -p /etc/pf.conf /etc/pf.conf.bak \ No newline at end of file +# sudo cp -p /etc/pf.conf /etc/pf.conf.bak diff --git a/scripts/setup.sh b/scripts/setup.sh index d889f06..4007360 100644 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -296,7 +296,7 @@ elif [[ "$cpu" == *"M1"* ]]; then else echo "Uknown system CPU chip... Skipping Docker download"; fi -brew install openssl; +brew install openssl; brew install readline; brew install sqlite3; brew install xz; @@ -392,4 +392,3 @@ sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install. # INSTALL FIREFOX # SET FIREFOX CONFIG SETTINGS # MAKE FIREFOX DEFAULT BROWSER - diff --git a/scripts/subcommand.sh b/scripts/subcommand.sh index 6652eff..1f6517d 100644 --- a/scripts/subcommand.sh +++ b/scripts/subcommand.sh 
@@ -15,7 +15,7 @@ set -o pipefail # exit on pipe failure ################################################################################ function import(){ declare -r command_name=$1; - + if ! which $command_name > /dev/null 2>&1; then echo $command_name not found. echo Make sure you have installed it. @@ -53,7 +53,7 @@ function main_help(){ printf "%-23s %s\n" "version" "show version of this script"; printf "%-23s %s\n" "encrypt" "encrypt values of selected keys"; printf "%-23s %s\n" "decrypt" "decrypt values of selected keys"; - + exit ${1:-0}; } @@ -74,12 +74,12 @@ function encrypt(){ if [[ ${#} == 0 ]]; then encrypt_help; fi - + local __filename=''; local __salt=''; local __anchor=false; local error_message=''; - + while [ ${#} -gt 0 ]; do error_message="Error: a value is needed for '$1'"; case $1 in @@ -101,11 +101,11 @@ function encrypt(){ ;; esac done - + echo filename: ${__filename:-empty}; echo salt: ${__salt:-empty}; echo anchor: $__anchor; - + exit 0; } @@ -121,12 +121,12 @@ function decrypt(){ if [[ ${#} == 0 ]]; then decrypt_help; fi - + local __filename=''; local __salt=''; local __anchor=false; local error_message=''; - + while [ ${#} -gt 0 ]; do error_message="Error: a value is needed for '$1'"; case $1 in @@ -148,11 +148,11 @@ function decrypt(){ ;; esac done - + echo filename: ${__filename:-empty}; echo salt: ${__salt:-empty}; echo anchor: $__anchor; - + exit 0; } @@ -161,7 +161,7 @@ function main(){ if (( ${#} == 0 )); then main_help 0; fi - + case ${1} in help | version | encrypt | decrypt ) $1 "${@:2}"; @@ -174,4 +174,4 @@ function main(){ esac } -main "$@"; \ No newline at end of file +main "$@"; diff --git a/torrc b/torrc index 95fe744..c166259 100644 --- a/torrc +++ b/torrc 
@@ -24,4 +24,4 @@ Log notice file /var/log/tor/notices.log
 #CookieAuthentication 1
 #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
 #HiddenServiceDir /var/lib/tor/hidden_service/
-#HiddenServicePort 80 127.0.0.1:80
\ No newline at end of file
+#HiddenServicePort 80 127.0.0.1:80
diff --git a/user.js b/user.js
index c3eaab9..034b0ff 100644
--- a/user.js
+++ b/user.js
@@ -13,24 +13,28 @@ * https://github.com/arkenfox/user.js/wiki 3. If you skipped step 2, return to step 2 4. Make changes in a user-overrides.js - * There are often trade-offs and conflicts between security vs privacy vs anti-tracking - and these need to be balanced against functionality & convenience & breakage - * Some site breakage and unintended consequences will happen. Everyone's experience will differ - e.g. some user data is erased on exit (section 2800), change this to suit your needs + * There are often trade-offs and conflicts between security vs privacy vs +anti-tracking and these need to be balanced against functionality & convenience +& breakage + * Some site breakage and unintended consequences will happen. Everyone's +experience will differ e.g. some user data is erased on exit (section 2800), +change this to suit your needs * While not 100% definitive, search for "[SETUP" tags e.g. third party images/videos not loading on some sites? check 1601 5. Some tag info [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break - [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) + [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly +website related) 6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080 * RELEASES: https://github.com/arkenfox/user.js/releases - * It is best to use the arkenfox release that is optimized for and matches your Firefox version + * It is best to use the arkenfox release that is optimized for and matches +your Firefox version * EVERYONE: each release - - run prefsCleaner to reset prefs made inactive, including deprecated (9999s) - ESR102 + - run prefsCleaner to reset prefs made inactive, including deprecated +(9999s) ESR102 - If you are not using arkenfox v102-1... (not a definitive list) - 2815: clearOnShutdown cookies + offlineApps should be false - 9999: switch the appropriate deprecated section(s) back on 
@@ -67,11 +71,14 @@ ******/ /* START: internal custom pref to test for syntax errors - * [NOTE] Not all syntax errors cause parsing to abort i.e. reaching the last debug pref - * no longer necessarily means that all prefs have been applied. Check the console right - * after startup for any warnings/error messages related to non-applied prefs - * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/ -user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); + * [NOTE] Not all syntax errors cause parsing to abort i.e. reaching the last + * debug pref no longer necessarily means that all prefs have been applied. + * Check the console right after startup for any warnings/error messages related + * to non-applied prefs [1] + * https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ + * ***/ +user_pref("_user.js.parrot", + "START: Oh yes, the Norwegian Blue... what's wrong with it?"); /* 0000: disable about:config warning ***/ user_pref("browser.aboutConfig.showWarning", false); @@ -80,8 +87,8 @@ user_pref("browser.aboutConfig.showWarning", false); user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); /* 0102: set startup page [SETUP-CHROME] * 0=blank, 1=home, 2=last visited page, 3=resume previous session - * [NOTE] Session Restore is cleared with history (2811), and not used in Private Browsing mode - * [SETTING] General>Startup>Restore previous session ***/ + * [NOTE] Session Restore is cleared with history (2811), and not used in + * Private Browsing mode [SETTING] General>Startup>Restore previous session ***/ user_pref("browser.startup.page", 0); /* 0103: set HOME+NEWWINDOW page * about:home=Firefox Home (default, see 0105), custom URL, about:blank 
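Review bot: The formatter pass in this hunk splits a single `user_pref(...)` statement over two lines (`user_pref("_user.js.parrot",` / `"START: Oh yes, ...");`), which Firefox's pref parser accepts but which abandons the one-pref-per-line layout that the arkenfox prefsCleaner/updater tooling named in the file header and the `[SETUP-*]`/`[NOTE]` tag search convention appear to rely on; the same split recurs in the hunks at -93 (where the pref name itself moves to its own line under `user_pref(`), -128, -146, -189 and in the -205 hunk that runs past the end of this view, and in -189 a commented-out pref is now spread across two `//` lines so it can no longer be enabled by uncommenting one line. Because a line-oriented matcher of the form `user_pref("name",` would presumably miss the -93 form, and because the arkenfox updater rewrites user.js wholesale on the next update, this reformat is likely to be both harmful and short-lived. I would keep user.js byte-identical to upstream and exclude it from the formatter hook, e.g. `exclude: ^user\.js$` on the clang-format entry in the pre-commit config, re-running the hook to revert these hunks.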
@@ -93,33 +100,44 @@ user_pref("browser.startup.homepage", "about:blank"); user_pref("browser.newtabpage.enabled", false); /* 0105: disable sponsored content on Firefox Home (Activity Stream) * [SETTING] Home>Firefox Home Content ***/ -user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [FF58+] Pocket > Sponsored Stories -user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] Sponsored shortcuts +user_pref("browser.newtabpage.activity-stream.showSponsored", + false); // [FF58+] Pocket > Sponsored Stories +user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", + false); // [FF83+] Sponsored shortcuts /* 0106: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ -user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); -/* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+] - * Optionally enable logging to the console (defaults to false) ***/ -user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); - // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] +user_pref("_user.js.parrot", + "0200 syntax error: the parrot's definitely deceased!"); +/* 0201: use Mozilla geolocation service instead of Google if permission is + * granted [FF74+] Optionally enable logging to the console (defaults to false) + * ***/ +user_pref( + "geo.provider.network.url", + "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); +// user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] /* 0202: disable using the OS's geolocation service ***/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] -user_pref("geo.provider.use_corelocation", false); // [MAC] 
-user_pref("geo.provider.use_gpsd", false); // [LINUX] -user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX] +user_pref("geo.provider.use_corelocation", false); // [MAC] +user_pref("geo.provider.use_gpsd", false); // [LINUX] +user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX] /* 0203: disable region updates - * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ -user_pref("browser.region.update.enabled", false); // [FF79+] - // user_pref("browser.region.network.url", ""); // [FF78+] Defense-in-depth + * [1] + * https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html + * ***/ +user_pref("browser.region.update.enabled", + false); // [FF79+] + // user_pref("browser.region.network.url", ""); // [FF78+] + // Defense-in-depth /* 0204: set search region - * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/ - // user_pref("browser.search.region", "US"); // [HIDDEN PREF] + * [NOTE] May not be hidden if Firefox has changed your settings due to your + * region (0203) ***/ +// user_pref("browser.search.region", "US"); // [HIDDEN PREF] /* 0210: set preferred language for displaying pages - * [SETTING] General>Language and Appearance>Language>Choose your preferred language... - * [TEST] https://addons.mozilla.org/about ***/ + * [SETTING] General>Language and Appearance>Language>Choose your preferred + * language... [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); /* 0211: use en-US locale regardless of the system or region locale * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1] 
@@ -128,16 +146,20 @@ user_pref("intl.accept_languages", "en-US, en"); user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIETER FOX ***/ -user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); +user_pref("_user.js.parrot", + "0300 syntax error: the parrot's not pinin' for the fjords!"); /** RECOMMENDATIONS ***/ -/* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ +/* 0320: disable recommendation pane in about:addons (uses Google Analytics) + * ***/ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] -/* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ +/* 0321: disable recommendations in about:addons' Extensions and Themes panes + * [FF68+] ***/ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); -/* 0322: disable personalized Extension Recommendations in about:addons and AMO [FF65+] - * [NOTE] This pref has no effect when Health Reports (0331) are disabled - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations - * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/ +/* 0322: disable personalized Extension Recommendations in about:addons and AMO + * [FF65+] [NOTE] This pref has no effect when Health Reports (0331) are + * disabled [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow + * Firefox to make personalized extension recommendations [1] + * https://support.mozilla.org/kb/personalized-extension-recommendations ***/ user_pref("browser.discovery.enabled", false); /** TELEMETRY ***/ 
@@ -146,28 +168,35 @@ user_pref("browser.discovery.enabled", false); * [1] https://bugzilla.mozilla.org/1195552 ***/ user_pref("datareporting.policy.dataSubmissionEnabled", false); /* 0331: disable Health Reports - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/ + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to + * send technical... data ***/ user_pref("datareporting.healthreport.uploadEnabled", false); /* 0332: disable telemetry * The "unified" pref affects the behavior of the "enabled" pref * - If "unified" is false then "enabled" controls the telemetry module - * - If "unified" is true then "enabled" only controls whether to record extended data - * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2] - * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html - * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ + * - If "unified" is true then "enabled" only controls whether to record + * extended data [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect + * prerelease (true) or release builds (false) [2] [1] + * https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html + * [2] + * https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 + * ***/ user_pref("toolkit.telemetry.unified", false); user_pref("toolkit.telemetry.enabled", false); // see [NOTE] user_pref("toolkit.telemetry.server", "data:,"); user_pref("toolkit.telemetry.archive.enabled", false); -user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+] +user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+] user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+] -user_pref("toolkit.telemetry.updatePing.enabled", false); // 
[FF56+] -user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter +user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+] +user_pref("toolkit.telemetry.bhrPing.enabled", + false); // [FF57+] Background Hang Reporter user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+] /* 0333: disable Telemetry Coverage - * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/ + * [1] + * https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ + * ***/ user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] -user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF] +user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF] user_pref("toolkit.coverage.endpoint.base", ""); /* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+] * Defense-in-depth: currently covered by 0331 ***/ @@ -178,7 +207,8 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false); /** STUDIES ***/ /* 0340: disable Studies - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/ + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to + * install and run studies ***/ user_pref("app.shield.optoutstudies.enabled", false); /* 0341: disable Normandy/Shield [FF60+] * Shield is a telemetry system that can push and test "recipes" 
@@ -189,15 +219,21 @@ user_pref("app.normandy.api_url", ""); /** CRASH REPORTS ***/ /* 0350: disable Crash Reports ***/ user_pref("breakpad.reportURL", ""); -user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] - // user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false] +user_pref("browser.tabs.crashReporting.sendReport", + false); // [FF44+] + // user_pref("browser.crashReports.unsubmittedCheck.enabled", + // false); // [FF51+] [DEFAULT: false] /* 0351: enforce no submission of backlogged Crash Reports [FF58+] - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ -user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to + * send backlogged crash reports ***/ +user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", + false); // [DEFAULT: false] /** OTHER ***/ /* 0360: disable Captive Portal detection - * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy ***/ + * [1] + * https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy + * ***/ user_pref("captivedetect.canonicalURL", ""); user_pref("network.captive-portal-service.enabled", false); // [FF52+] /* 0361: disable Network Connectivity checks [FF65+] 
@@ -205,216 +241,257 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+] user_pref("network.connectivity-service.enabled", false); /*** [SECTION 0400]: SAFE BROWSING (SB) - SB has taken many steps to preserve privacy. If required, a full url is never sent - to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes. - Firefox takes measures such as stripping out identifying parameters and since SBv4 (FF57+) - doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) + SB has taken many steps to preserve privacy. If required, a full url is never +sent to Google, only a part-hash of the prefix, hidden with noise of other real +part-hashes. Firefox takes measures such as stripping out identifying parameters +and since SBv4 (FF57+) doesn't even use cookies. (#Turn on +browser.safebrowsing.debug to monitor this activity) [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [2] https://wiki.mozilla.org/Security/Safe_Browsing - [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work - [4] https://educatedguesswork.org/posts/safe-browsing-privacy/ + [3] +https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work [4] +https://educatedguesswork.org/posts/safe-browsing-privacy/ ***/ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); /* 0401: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches - * [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content ***/ - // user_pref("browser.safebrowsing.malware.enabled", false); - // user_pref("browser.safebrowsing.phishing.enabled", false); + * [SETTING] Privacy & Security>Security>... 
Block dangerous and deceptive + * content ***/ +// user_pref("browser.safebrowsing.malware.enabled", false); +// user_pref("browser.safebrowsing.phishing.enabled", false); /* 0402: disable SB checks for downloads (both local lookups + remote) * This is the master switch for the safebrowsing.downloads* prefs (0403, 0404) * [SETTING] Privacy & Security>Security>... "Block dangerous downloads" ***/ - // user_pref("browser.safebrowsing.downloads.enabled", false); +// user_pref("browser.safebrowsing.downloads.enabled", false); /* 0403: disable SB checks for downloads (remote) - * To verify the safety of certain executable files, Firefox may submit some information about the - * file, including the name, origin, size and a cryptographic hash of the contents, to the Google - * Safe Browsing service which helps Firefox determine whether or not the file should be blocked - * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/ + * To verify the safety of certain executable files, Firefox may submit some + * information about the file, including the name, origin, size and a + * cryptographic hash of the contents, to the Google Safe Browsing service which + * helps Firefox determine whether or not the file should be blocked + * [SETUP-SECURITY] If you do not understand this, or you want this protection, + * then override this ***/ user_pref("browser.safebrowsing.downloads.remote.enabled", false); - // user_pref("browser.safebrowsing.downloads.remote.url", ""); // Defense-in-depth +// user_pref("browser.safebrowsing.downloads.remote.url", ""); // +// Defense-in-depth /* 0404: disable SB checks for unwanted software - * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ - // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); - // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); + * [SETTING] Privacy & Security>Security>... 
"Warn you about unwanted and + * uncommon software" ***/ +// user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", +// false); user_pref("browser.safebrowsing.downloads.remote.block_uncommon", +// false); /* 0405: disable "ignore this warning" on SB warnings [FF45+] - * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB - * [TEST] see https://github.com/arkenfox/user.js/wiki/Appendix-A-Test-Sites#-mozilla - * [1] https://bugzilla.mozilla.org/1226490 ***/ - // user_pref("browser.safebrowsing.allowOverride", false); + * If clicked, it bypasses the block for that session. This is a means for + * admins to enforce SB [TEST] see + * https://github.com/arkenfox/user.js/wiki/Appendix-A-Test-Sites#-mozilla [1] + * https://bugzilla.mozilla.org/1226490 ***/ +// user_pref("browser.safebrowsing.allowOverride", false); -/*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/ +/*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. 
+ * clicked on] ***/ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); /* 0601: disable link prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching - * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ + * [1] + * https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control + * ***/ user_pref("network.dns.disablePrefetch", true); - // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] +// user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); -user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] +user_pref("network.predictor.enable-prefetch", + false); // [FF48+] [DEFAULT: false] /* 0604: disable link-mouseover opening connection to linked server - * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ + * [1] + * https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests + * ***/ user_pref("network.http.speculative-parallel-limit", 0); -/* 0605: disable mousedown speculative connections on bookmarks and history [FF98+] ***/ +/* 0605: disable mousedown speculative connections on bookmarks and history + * [FF98+] ***/ user_pref("browser.places.speculativeConnect.enabled", false); /* 0610: enforce no "Hyperlink Auditing" (click tracking) - * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ - // user_pref("browser.send_pings", false); // [DEFAULT: false] + * [1] + * https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ + * ***/ +// user_pref("browser.send_pings", false); // [DEFAULT: false] /*** [SECTION 0700]: DNS / DoH 
/ PROXY / SOCKS / IPv6 ***/ -user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); +user_pref("_user.js.parrot", + "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming - * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 - * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6 - * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an - * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, - * then this won't make much difference. If you are masking your IP, then it can only help. - * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" - * [TEST] https://ipleak.org/ - * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ + * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: + * assuming your ISP and/or router and/or website is IPv6 capable. Most sites + * will fall back to IPv4 [STATS] Firefox telemetry (Sept 2022) shows ~8% of + * successful connections are IPv6 [NOTE] This is an application level fallback. + * Disabling IPv6 is best done at an OS/network level, and/or configured + * properly in VPN setups. If you are not masking your IP, then this won't make + * much difference. If you are masking your IP, then it can only help. [NOTE] + * PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" [TEST] + * https://ipleak.org/ [1] https://www.internetsociety.org/tag/ipv6-security/ + * (Myths 2,4,5,6) ***/ user_pref("network.dns.disableIPv6", true); /* 0702: set the proxy server to do any DNS lookups when using SOCKS - * e.g. 
in Tor, this stops your local DNS server from knowing your Tor destination - * as a remote Tor node will handle the DNS request - * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ + * e.g. in Tor, this stops your local DNS server from knowing your Tor + * destination as a remote Tor node will handle the DNS request [1] + * https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers + * ***/ user_pref("network.proxy.socks_remote_dns", true); /* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 + * ***/ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] /* 0704: disable GIO as a potential proxy bypass vector - * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, - * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+) - * [1] https://bugzilla.mozilla.org/1433507 - * [2] https://en.wikipedia.org/wiki/GVfs - * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/ + * Gvfs/GIO has a set of supported protocols like obex, network, archive, + * computer, dav, cdda, gphoto2, trash, etc. 
By default only sftp is accepted + * (FF87+) [1] https://bugzilla.mozilla.org/1433507 [2] + * https://en.wikipedia.org/wiki/GVfs [3] + * https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /* 0705: disable proxy direct failover for system requests [FF91+] * [WARNING] Default true is a security feature against malicious extensions [1] * [SETUP-CHROME] If you use a proxy and you trust your extensions - * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ - // user_pref("network.proxy.failover_direct", false); + * [1] + * https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ + * ***/ +// user_pref("network.proxy.failover_direct", false); /* 0706: disable proxy bypass for system request failures [FF95+] * RemoteSettings, UpdateService, Telemetry [1] * [WARNING] If false, this will break the fallback for some security features * [SETUP-CHROME] If you use a proxy and you understand the security impact - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/ - // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96] + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 + * ***/ +// user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96] /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] - * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off - * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3] - * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ - * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy - * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https - * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ - // user_pref("network.trr.mode", 5); + * 0=off by default, 2=TRR (Trusted Recursive 
Resolver) first, 3=TRR only, + * 5=explicitly off see "doh-rollout.home-region": USA 2019, Canada 2021, + * Russia/Ukraine 2022 [3] [1] + * https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ [2] + * https://wiki.mozilla.org/Security/DOH-resolver-policy [3] + * https://support.mozilla.org/en-US/kb/firefox-dns-over-https [4] + * https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 + * ***/ +// user_pref("network.trr.mode", 5); -/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ +/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS + * ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search * Don't leak URL typos to a search engine, give an error message instead - * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] This does not affect explicit user action such as using search buttons in the - * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) - * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/ + * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret + * place.com" [NOTE] This does not affect explicit user action such as using + * search buttons in the dropdown, or using keyword search shortcuts you + * configure in options (e.g. "d" for DuckDuckGo) [SETUP-CHROME] Override this + * if you trust and use a privacy respecting search engine ***/ user_pref("keyword.enabled", false); /* 0802: disable location bar domain guessing * domain guessing intercepts DNS "hostname not found errors" and resends a - * request (e.g. by adding www or .com). This is inconsistent use (e.g. 
FQDNs), does not work - * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com - * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't - * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack), - * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/ + * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), + * does not work via Proxy Servers (different error), is a flawed use of DNS + * (TLDs: why treat .com as the 411 for DNS errors?), privacy issues (why + * connect to sites you didn't intend to), can leak sensitive data (e.g. query + * strings: e.g. Princeton attack), and is a security risk (e.g. common typos & + * malicious sites set up to exploit this) ***/ user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+] /* 0804: disable live search suggestions * [NOTE] Both must be true for the location bar to work - * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine - * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ + * [SETUP-CHROME] Override these if you trust and use a privacy respecting + * search engine [SETTING] Search>Provide search suggestions | Show search + * suggestions in address bar results ***/ user_pref("browser.search.suggest.enabled", false); user_pref("browser.urlbar.suggest.searches", false); /* 0805: disable location bar making speculative connections [FF56+] * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); -/* 0806: disable location bar leaking single words to a DNS provider **after searching** [FF78+] - * 0=never resolve, 1=use heuristics, 2=always resolve - * [1] https://bugzilla.mozilla.org/1642623 ***/ -user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // [DEFAULT: 0 FF104+] +/* 0806: disable location bar leaking single 
words to a DNS provider **after + * searching** [FF78+] 0=never resolve, 1=use heuristics, 2=always resolve [1] + * https://bugzilla.mozilla.org/1642623 ***/ +user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", + 0); // [DEFAULT: 0 FF104+] /* 0807: disable location bar contextual suggestions [FF92+] * [SETTING] Privacy & Security>Address Bar>Suggestions from... * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/ user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+] user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); /* 0808: disable tab-to-search [FF85+] - * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ - // user_pref("browser.urlbar.suggest.engines", false); + * Alternatively, you can exclude on a per-engine basis by unchecking them in + * Options>Search [SETTING] Privacy & Security>Address Bar>When using the + * address bar, suggest>Search engines ***/ +// user_pref("browser.urlbar.suggest.engines", false); /* 0810: disable search and form history - * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] - * [NOTE] We also clear formdata on exit (2811) - * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history - * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html - * [2] https://bugzilla.mozilla.org/381681 ***/ + * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties + * [1][2] [NOTE] We also clear formdata on exit (2811) [SETTING] Privacy & + * Security>History>Custom Settings>Remember search and form history [1] + * https://blog.mindedsecurity.com/2011/10/autocompleteagain.html [2] + * https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); /* 0820: disable coloring of visited links - * [SETUP-HARDEN] Bulk rapid 
history sniffing was mitigated in 2010 [1][2]. Slower and more expensive - * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing - * attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5] + * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. + * Slower and more expensive redraw timing attacks were largely mitigated in + * FF77+ [3]. Using RFP (4501) further hampers timing attacks. Don't forget + * clearing history on exit (2811). However, social engineering [2#limits][4][5] * and advanced targeted timing attacks could still produce usable results - * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector + * [1] + * https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector * [2] https://dbaron.org/mozilla/visited-privacy * [3] https://bugzilla.mozilla.org/1632765 - * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use) - * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/ - // user_pref("layout.css.visited_links_enabled", false); + * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki + * APPENDIX A on how to use) [5] + * https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html + * ***/ +// user_pref("layout.css.visited_links_enabled", false); /*** [SECTION 0900]: PASSWORDS - [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas + [1] +https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); /* 0903: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed * [NOTE] Username & password is still available when you enter the field - * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins 
and passwords - * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ + * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and + * passwords [1] + * https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ * [2] https://homes.esat.kuleuven.be/~asenol/leaky-forms/ ***/ user_pref("signon.autofillForms", false); /* 0904: disable formless login capture for Password Manager [FF51+] ***/ user_pref("signon.formlessCapture.enabled", false); -/* 0905: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+] - * hardens against potential credentials phishing - * 0 = don't allow sub-resources to open HTTP authentication credentials dialogs - * 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs - * 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ +/* 0905: limit (or disable) HTTP authentication credentials dialogs triggered by + * sub-resources [FF41+] hardens against potential credentials phishing 0 = + * don't allow sub-resources to open HTTP authentication credentials dialogs 1 = + * don't allow cross-origin sub-resources to open HTTP authentication + * credentials dialogs 2 = allow sub-resources to open HTTP authentication + * credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); -/* 0906: enforce no automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] - * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for... - * [1] https://support.mozilla.org/kb/windows-sso ***/ - // user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] +/* 0906: enforce no automatic authentication on Microsoft sites [FF91+] [WINDOWS + * 10+] [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single + * sign-on for... 
[1] https://support.mozilla.org/kb/windows-sso ***/ +// user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] /*** [SECTION 1000]: DISK AVOIDANCE ***/ -user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); +user_pref("_user.js.parrot", + "1000 syntax error: the parrot's gone to meet 'is maker!"); /* 1001: disable disk cache - * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this - * [NOTE] We also clear cache on exit (2811) ***/ + * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override + * this [NOTE] We also clear cache on exit (2811) ***/ user_pref("browser.cache.disk.enable", false); /* 1002: disable media cache from writing to disk in Private Browsing * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 65536); /* 1003: disable storing extra session data [SETUP-CHROME] - * define on which sites to save extra session data such as form content, cookies and POST data - * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ + * define on which sites to save extra session data such as form content, + * cookies and POST data 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ user_pref("browser.sessionstore.privacy_level", 2); -/* 1005: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] - * [1] https://bugzilla.mozilla.org/603903 ***/ +/* 1005: disable automatic Firefox start and session restore after reboot + * [FF62+] [WINDOWS] [1] https://bugzilla.mozilla.org/603903 ***/ user_pref("toolkit.winRegisterApplicationRestart", false); /* 1006: disable favicons in shortcuts * URL shortcuts use a cached randomly named .ico file which is stored in your - * profile/shortcutCache directory. 
The .ico remains after the shortcut is deleted - * If set to false then the shortcuts use a generic Firefox icon ***/ + * profile/shortcutCache directory. The .ico remains after the shortcut is + * deleted If set to false then the shortcuts use a generic Firefox icon ***/ user_pref("browser.shell.shortcutFavicons", false); /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 
@@ -422,50 +499,58 @@ user_pref("browser.shell.shortcutFavicons", false); [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html [TEST] https://browserleaks.com/ssl [TEST] https://ja3er.com/ - [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ + [1] +https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ ***/ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/ /* 1201: require safe negotiation - * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a - * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations - * but the problem is that the browser can't know that. Setting this pref to true is the only way for the - * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server - * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? - * [STATS] SSL Labs (Sept 2022) reports over 99.3% of top sites have secure renegotiation [4] - * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://datatracker.ietf.org/doc/html/rfc5746 - * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 - * [4] https://www.ssllabs.com/ssl-pulse/ ***/ + * Blocks connections to servers that don't support RFC 5746 [2] as they're + * potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be + * safe from the attack if it disables renegotiations but the problem is that + * the browser can't know that. Setting this pref to true is the only way for + * the browser to ensure there will be no unsafe renegotiations on the channel + * between the browser and the server [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: + * is it worth overriding this for that one site? 
[STATS] SSL Labs (Sept 2022) + * reports over 99.3% of top sites have secure renegotiation [4] [1] + * https://wiki.mozilla.org/Security:Renegotiation [2] + * https://datatracker.ietf.org/doc/html/rfc5746 [3] + * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 [4] + * https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] - * This data is not forward secret, as it is encrypted solely under keys derived using - * the offered PSK. There are no guarantees of non-replay between connections - * [1] https://github.com/tlswg/tls13-spec/issues/1001 - * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt + * This data is not forward secret, as it is encrypted solely under keys derived + * using the offered PSK. There are no guarantees of non-replay between + * connections [1] https://github.com/tlswg/tls13-spec/issues/1001 [2] + * https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); -/** OCSP (Online Certificate Status Protocol) +/** +OCSP (Online Certificate Status Protocol) [1] https://scotthelme.co.uk/revocation-is-broken/ [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -***/ +** +*/ /* 1211: enforce OCSP fetching to confirm current validity of certificates * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only - * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) - * It's a trade-off between security (checking) and privacy (leaking info to the CA) - * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... 
- * [1] https://en.wikipedia.org/wiki/Ocsp ***/ + * OCSP (non-stapled) leaks information about the sites you visit to the CA + * (cert authority) It's a trade-off between security (checking) and privacy + * (leaking info to the CA) [NOTE] This pref only controls OCSP fetching and + * does not affect OCSP stapling [SETTING] Privacy & + * Security>Security>Certificates>Query OCSP responder servers... [1] + * https://en.wikipedia.org/wiki/Ocsp ***/ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR - * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) - * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) - * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it - * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers) - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ - * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/ + * When a CA cannot be reached to validate a cert, Firefox just continues the + * connection (=soft-fail) Setting this pref to true tells Firefox to instead + * terminate the connection (=hard-fail) It is pointless to soft-fail when an + * OCSP fetch fails: you cannot confirm a cert is still valid (it could have + * been revoked) and/or you could be under attack (e.g. malicious blocking of + * OCSP servers) [1] + * https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ [2] + * https://www.imperialviolet.org/2014/04/19/revchecking.html ***/ user_pref("security.OCSP.require", true); /** CERTS / HPKP (HTTP Public Key Pinning) ***/ 
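Review bot: The comment reflow in this hunk destroys the structure of the documentation that explains each security pref: 1201's citation list is collapsed so `[4] [1]` share a line and the URLs drift to the next one, 1211 and 1212 now end a line with a bare `[1]` followed by the URL on its own `* ` line, and the `/** OCSP (Online Certificate Status Protocol)` sub-header is split into `/**`, an unprefixed `OCSP ...` line and a dangling `**` / `*/` pair. None of the `user_pref(...)` calls change meaning, but for a hardening config these comments are the only record of why `security.OCSP.require` or `security.ssl.require_safe_negotiation` are set the way they are, so the lost layout is a real documentation regression; the same damage hits the `0/1/2/3 =` value lists of 1224 in the hunk at `@@ -473,41`, 1402 at `@@ -518,33`, and 2619's reference list at `@@ -619,51`. I would revert the comment changes for this file and keep it out of the hook that produced them (a per-hook `exclude:` pattern in `.pre-commit-config.yaml`), retaining at most the harmless de-indentation of the `// user_pref(...)` lines. If the file must stay under the formatter, the three-line wrap of `user_pref("dom.security.https_only_mode", true); // [FF76+]` at `@@ -473,41` should be rejoined by hand, since the following commented-out `https_only_mode_pbm` line is now indented as though it were part of that call.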
@@ -473,41 +558,48 @@ user_pref("security.OCSP.require", true); * 0=disable detecting Family Safety mode and importing the root * 1=only attempt to detect Family Safety mode (don't import the root) * 2=detect Family Safety mode and import the root - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 + * ***/ user_pref("security.family_safety.mode", 0); /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict - * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: If you rely on an AV (antivirus) to protect - * your web browsing by inspecting ALL your web traffic, then override to current default ***/ + * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: If you rely on an AV + * (antivirus) to protect your web browsing by inspecting ALL your web traffic, + * then override to current default ***/ user_pref("security.cert_pinning.enforcement_level", 2); /* 1224: enable CRLite [FF73+] * 0 = disabled * 1 = consult CRLite but only collect telemetry * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results - * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+) - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 - * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ + * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for + * "Revoked" (FF99+, default FF100+) [1] + * https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 [2] + * https://blog.mozilla.org/security/tag/crlite/ ***/ user_pref("security.remote_settings.crlite_filters.enabled", true); user_pref("security.pki.crlite_mode", 2); /** MIXED CONTENT ***/ /* 1241: disable insecure passive content (such as images) on https pages ***/ - // 
user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244) +// user_pref("security.mixed_content.block_display_content", true); // +// Defense-in-depth (see 1244) /* 1244: enable HTTPS-Only mode in all windows [FF76+] - * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) - * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site") - * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions) - * [TEST] http://example.com [upgrade] - * [TEST] http://httpforever.com/ [no upgrade] ***/ -user_pref("dom.security.https_only_mode", true); // [FF76+] - // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] + * When the top-level is HTTPS, insecure subresources are also upgraded (silent + * fail) [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after + * "Continue to HTTP Site") [SETTING] Privacy & Security>HTTPS-Only Mode (and + * manage exceptions) [TEST] http://example.com [upgrade] [TEST] + * http://httpforever.com/ [no upgrade] ***/ +user_pref( + "dom.security.https_only_mode", + true); // [FF76+] + // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ - // user_pref("dom.security.https_only_mode.upgrade_local", true); +// user_pref("dom.security.https_only_mode.upgrade_local", true); /* 1246: disable HTTP background requests [FF82+] - * When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox sends - * a top-level HTTP request without path in order to check if the server supports HTTPS or not - * This is done to avoid waiting for a timeout which takes 90 seconds - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ + * When attempting to upgrade, if the server doesn't respond within 3 seconds, + * Firefox sends a top-level HTTP request without path in order to check if the + * server supports HTTPS or 
not This is done to avoid waiting for a timeout + * which takes 90 seconds [1] + * https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); /** UI (User Interface) ***/ 
@@ -518,33 +610,37 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1272: display advanced information on Insecure Connection warning pages * only works when it's possible to add an exception - * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) - * [TEST] https://expired.badssl.com/ ***/ + * i.e. it doesn't work for HSTS discrepancies + * (https://subdomain.preloaded-hsts.badssl.com/) [TEST] + * https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+] - * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed - * In normal windows: uses the first applicable: RFP (4506) over TP over Standard - * In Private Browsing windows: uses the most restrictive between normal and private - * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts - * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ - // user_pref("layout.css.font-visibility.private", 1); - // user_pref("layout.css.font-visibility.standard", 1); - // user_pref("layout.css.font-visibility.trackingprotection", 1); + * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled + * fonts are auto-allowed In normal windows: uses the first applicable: RFP + * (4506) over TP over Standard In Private Browsing windows: uses the most + * restrictive between normal and private 1=only base system fonts, 2=also fonts + * from optional language packs, 3=also user-installed fonts [1] + * https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ +// user_pref("layout.css.font-visibility.private", 1); +// 
user_pref("layout.css.font-visibility.standard", 1); +// user_pref("layout.css.font-visibility.trackingprotection", 1); /*** [SECTION 1600]: HEADERS / REFERERS full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 - [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ + [1] +https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: control when to send a cross-origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram - * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/ + * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, + * icloud, instagram If "2" is too strict, then override to "0" and use Smart + * Referer extension (Strict mode + add exceptions) ***/ user_pref("network.http.referer.XOriginPolicy", 2); /* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ 
@@ -557,22 +653,24 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); * https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/ user_pref("privacy.userContext.enabled", true); user_pref("privacy.userContext.ui.enabled", true); -/* 1702: set behavior on "+ Tab" button to display container menu on left click [FF74+] - * [NOTE] The menu is always shown on long press and right click - * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ - // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); +/* 1702: set behavior on "+ Tab" button to display container menu on left click + * [FF74+] [NOTE] The menu is always shown on long press and right click + * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for + * each new tab ***/ +// user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); /* 2001: disable WebRTC (Web Real-Time Communication) * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the - * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after - * you grant device (microphone or camera) access - * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC - * [TEST] https://browserleaks.com/webrtc - * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ - * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ - // user_pref("media.peerconnection.enabled", false); + * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. + * after you grant device (microphone or camera) access [SETUP-HARDEN] Test + * first. 
Windows7/8 users only: behind a proxy who never use WebRTC [TEST] + * https://browserleaks.com/webrtc [1] + * https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ [2] + * https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 + * ***/ +// user_pref("media.peerconnection.enabled", false); /* 2002: force WebRTC inside the proxy [FF70+] ***/ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); /* 2003: force a single network interface for ICE candidates generation [FF42+] 
@@ -581,33 +679,37 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/ user_pref("media.peerconnection.ice.default_address_only", true); /* 2004: force exclusion of private IPs from ICE candidates [FF51+] - * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you - * grant device access, but often results in breakage on video-conferencing platforms ***/ - // user_pref("media.peerconnection.ice.no_host", true); + * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios + * after you grant device access, but often results in breakage on + * video-conferencing platforms ***/ +// user_pref("media.peerconnection.ice.no_host", true); /* 2020: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ - // user_pref("media.gmp-provider.enabled", false); +// user_pref("media.gmp-provider.enabled", false); /* 2021: disable widevine CDM (Content Decryption Module) * [NOTE] This is covered by the EME master switch (2022) ***/ - // user_pref("media.gmp-widevinecdm.enabled", false); +// user_pref("media.gmp-widevinecdm.enabled", false); /* 2022: disable all DRM content (EME: Encryption Media Extension) * Optionally hide the setting which also disables the DRM prompt - * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - * [SETTING] General>DRM Content>Play DRM-controlled content - * [TEST] https://bitmovin.com/demos/drm - * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ + * [SETUP-WEB] e.g. 
Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, + * DirectTV [SETTING] General>DRM Content>Play DRM-controlled content [TEST] + * https://bitmovin.com/demos/drm [1] + * https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next + * ***/ user_pref("media.eme.enabled", false); - // user_pref("browser.eme.ui.enabled", false); +// user_pref("browser.eme.ui.enabled", false); /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/ -user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); +user_pref("_user.js.parrot", + "2400 syntax error: the parrot's kicked the bucket!"); /* 2402: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2600]: MISCELLANEOUS ***/ -user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); +user_pref("_user.js.parrot", + "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] * [1] https://support.mozilla.org/kb/accessibility-services ***/ user_pref("accessibility.force_disabled", 1); 
@@ -619,51 +721,60 @@ user_pref("beacon.enabled", false); user_pref("browser.helperApps.deleteTempFileOnExit", true); /* 2604: disable page thumbnail collection ***/ user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] -/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ +/* 2606: disable UITour backend so there is no chance that a remote page can use + * it ***/ user_pref("browser.uitour.enabled", false); - // user_pref("browser.uitour.url", ""); // Defense-in-depth +// user_pref("browser.uitour.url", ""); // Defense-in-depth /* 2608: reset remote debugging to disabled - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 + * ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2611: disable middle mouse click opening links from clipboard - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 + * ***/ user_pref("middlemouse.contentLoadURL", false); /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+] * 0 (default) or 1=allow, 2=block - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/ - // user_pref("permissions.default.shortcuts", 2); + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard + * Shortcuts ***/ +// user_pref("permissions.default.shortcuts", 2); /* 2616: remove special permissions for certain mozilla domains [FF35+] * [1] resource://app/defaults/permissions ***/ user_pref("permissions.manager.defaultsUrl", ""); /* 2617: remove webchannel whitelist ***/ user_pref("webchannel.allowObject.urlWhitelist", ""); -/* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing - * [SETUP-WEB] Might be undesirable for non-latin alphabet users 
since legitimate IDN's are also punycoded - * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) - * [1] https://wiki.mozilla.org/IDN_Display_Algorithm - * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack - * [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox - * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ +/* 2619: use Punycode in Internationalized Domain Names to eliminate possible + * spoofing [SETUP-WEB] Might be undesirable for non-latin alphabet users since + * legitimate IDN's are also punycoded [TEST] https://www.xn--80ak6aa92e.com/ + * (www.apple.com) [1] https://wiki.mozilla.org/IDN_Display_Algorithm [2] + * https://en.wikipedia.org/wiki/IDN_homograph_attack [3] + * https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox [4] + * https://www.xudongz.com/blog/2017/idn-phishing/ ***/ user_pref("network.IDN_show_punycode", true); /* 2620: enforce PDFJS, disable PDFJS scripting - * This setting controls if the option "Display in Firefox" is available in the setting below - * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1] - * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). - * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. 
- * [NOTE] JS can still force a pdf to open in-browser by bundling its own code - * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons - * [SETTING] General>Applications>Portable Document Format (PDF) - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ -user_pref("pdfjs.disabled", false); // [DEFAULT: false] + * This setting controls if the option "Display in Firefox" is available in the + * setting below and by effect controls whether PDFs are handled in-browser or + * externally ("Ask" or "Open With") [WHY] pdfjs is lightweight, open source, + * and secure: the last exploit was June 2015 [1] It doesn't break "state + * separation" of browser content (by not sharing with OS, independent apps). It + * maintains disk avoidance and application data isolation. It's convenient. You + * can still save to disk. [NOTE] JS can still force a pdf to open in-browser by + * bundling its own code [SETUP-CHROME] You may prefer a different pdf reader + * for security/workflow reasons [SETTING] General>Applications>Portable + * Document Format (PDF) [1] + * https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ +user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] -/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ +/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] + * ***/ user_pref("network.protocol-handler.external.ms-windows-store", false); /* 2623: disable permissions delegation [FF73+] * Currently applies to cross-origin geolocation, camera, mic and screen-sharing * permissions, and fullscreen requests. 
Disabling delegation means any prompts * for these will show/use their correct 3rd party origin - * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ + * [1] + * https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion + * ***/ user_pref("permissions.delegation.enabled", false); /** DOWNLOADS ***/ 
@@ -675,112 +786,136 @@ user_pref("browser.download.useDownloadDir", false); user_pref("browser.download.alwaysOpenPanel", false); /* 2653: disable adding downloads to the system's "recent documents" list ***/ user_pref("browser.download.manager.addToRecentDocs", false); -/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+] - * [SETTING] General>Files and Applications>What should Firefox do with other files ***/ +/* 2654: enable user interaction for security by always asking how to handle new + * mimetypes [FF101+] [SETTING] General>Files and Applications>What should + * Firefox do with other files ***/ user_pref("browser.download.always_ask_before_handling_new_types", true); /** EXTENSIONS ***/ /* 2660: lock down allowed extension directories - * [SETUP-CHROME] This will break extensions, language packs, themes and any other - * XPI files which are installed outside of profile and application directories - * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ - * [1] https://archive.is/DYjAM (archived) ***/ -user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] + * [SETUP-CHROME] This will break extensions, language packs, themes and any + * other XPI files which are installed outside of profile and application + * directories [1] + * https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ [1] + * https://archive.is/DYjAM (archived) ***/ +user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] /* 2661: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); -/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ - // 
user_pref("extensions.webextensions.restrictedDomains", ""); +/* 2662: disable webextension restrictions on certain mozilla domains (you also + * need 4503) [FF60+] [1] + * https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 + * ***/ +// user_pref("extensions.webextensions.restrictedDomains", ""); /*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/ -user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); +user_pref( + "_user.js.parrot", + "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: enable ETP Strict Mode [FF86+] * ETP Strict Mode enables Total Cookie Protection (TCP) - * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of - * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared - * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ + * [NOTE] Adding site exceptions disables all ETP protections for that site and + * increases the risk of cross-site state tracking e.g. 
exceptions for SiteA and + * SiteB means PartyC on both sites is shared [1] + * https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ * [SETTING] to add site exceptions: Urlbar>ETP Shield - * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ + * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced + * Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); /* 2702: disable ETP web compat features [FF93+] - * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants - * Opener and redirect heuristics are granted for 30 days, see [3] - * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ - * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 - * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ - // user_pref("privacy.antitracking.enableWebcompat", false); + * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic + * grants Opener and redirect heuristics are granted for 30 days, see [3] [1] + * https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ [2] + * https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 [3] + * https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics + * ***/ +// user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] /* 2720: enable APS (Always Partitioning Storage) ***/ -user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+] -user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+] 
+user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", + true); // [FF104+] [DEFAULT: true FF109+] +user_pref( + "privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", + false); // [FF105+] [DEFAULT: false FF109+] /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ -user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); +user_pref("_user.js.parrot", + "2800 syntax error: the parrot's bleedin' demised!"); /* 2810: enable Firefox to clear items on shutdown - * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes | Settings ***/ + * [SETTING] Privacy & Security>History>Custom Settings>Clear history when + * Firefox closes | Settings ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/ -/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] - * [NOTE] If "history" is true, downloads will also be cleared - * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies - * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ +/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) + * [SETUP-CHROME] [NOTE] If "history" is true, downloads will also be cleared + * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], + * not logins via cookies [1] + * https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] - // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] 
+user_pref("privacy.clearOnShutdown.sessions", + true); // [DEFAULT: true] + // user_pref("privacy.clearOnShutdown.siteSettings", false); // + // [DEFAULT: false] /* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+] - * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) - * [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/ - // user_pref("privacy.clearOnShutdown.openWindows", true); + * [NOTE] Not needed if Session Restore is not used (0102) or it is already + * cleared with history (2811) [NOTE] If true, this prevents resuming from + * crashes (also see 5008) ***/ +// user_pref("privacy.clearOnShutdown.openWindows", true); /** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/ -/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME] - * [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below). - * serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for - * both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on) - * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) - * [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271) - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question) - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ -user_pref("privacy.clearOnShutdown.cookies", true); // Cookies +/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) + * [SETUP-CHROME] [NOTE] Exceptions: A "cookie" block permission also controls + * "offlineApps" (see note below). serviceWorkers require an "Allow" permission. + * For cross-domain logins, add exceptions for both sites e.g. 
+ * https://www.youtube.com (site) + https://accounts.google.com (single sign on) + * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker + * cache, QuotaManager (IndexedDB, asm-cache) [WARNING] Be selective with what + * sites you "Allow", as they also disable partitioning (1767271) [SETTING] to + * add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in + * question) [SETTING] to manage site exceptions: Options>Privacy & + * Security>Permissions>Settings ***/ +user_pref("privacy.clearOnShutdown.cookies", true); // Cookies user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data /* 2816: set cache to clear on exit [FF96+] - * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust - * [1] https://bugzilla.mozilla.org/1671182 ***/ - // user_pref("privacy.clearsitedata.cache.enabled", true); + * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is + * more robust [1] https://bugzilla.mozilla.org/1671182 ***/ +// user_pref("privacy.clearsitedata.cache.enabled", true); /** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History - * Firefox remembers your last choices. This will reset them when you start Firefox - * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog - * for "Clear Recent History" is opened, it is synced to the same as "history" ***/ -user_pref("privacy.cpd.cache", true); // [DEFAULT: true] -user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] -user_pref("privacy.cpd.history", true); // [DEFAULT: true] -user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] + * Firefox remembers your last choices. 
This will reset them when you start + * Firefox [NOTE] Regardless of what you set "downloads" to, as soon as the + * dialog for "Clear Recent History" is opened, it is synced to the same as + * "history" ***/ +user_pref("privacy.cpd.cache", true); // [DEFAULT: true] +user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] +user_pref("privacy.cpd.history", true); // [DEFAULT: true] +user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] user_pref("privacy.cpd.offlineApps", false); // [DEFAULT: false] user_pref("privacy.cpd.cookies", false); - // user_pref("privacy.cpd.downloads", true); // not used, see note above - // user_pref("privacy.cpd.openWindows", false); // Session Restore - // user_pref("privacy.cpd.passwords", false); - // user_pref("privacy.cpd.siteSettings", false); +// user_pref("privacy.cpd.downloads", true); // not used, see note above +// user_pref("privacy.cpd.openWindows", false); // Session Restore +// user_pref("privacy.cpd.passwords", false); +// user_pref("privacy.cpd.siteSettings", false); /* 2822: reset default "Time range to clear" for "Clear Recent History" (2820) - * Firefox remembers your last choice. This will reset the value when you start Firefox - * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today - * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, - * which will display a blank value, and are not guaranteed to work ***/ + * Firefox remembers your last choice. This will reset the value when you start + * Firefox 0=everything, 1=last hour, 2=last two hours, 3=last four hours, + * 4=today [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed + * in the dropdown, which will display a blank value, and are not guaranteed to + * work ***/ user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. 
- It is an all-or-nothing buy in: you cannot pick and choose what parts you want + It is an all-or-nothing buy in: you cannot pick and choose what parts you +want [WARNING] DO NOT USE extensions to alter RFP protected metrics 
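Review bot: Several commented-out, uncomment-to-enable prefs are now split across two physical lines, which changes what a user gets when they uncomment only the first line. In this hunk the split is harmless (`// user_pref("privacy.clearOnShutdown.siteSettings", false); //` followed by `// [DEFAULT: false]` still yields a complete statement), but in the next hunk (`@@ -793,83 +928,93 @@`) `// user_pref("privacy.resistFingerprinting.exemptedDomains",` / `// "*.example.invalid");` and the `privacy.resistFingerprinting.letterboxing.dimensions` pair become an unterminated call if only the first line is uncommented. The file's own `_user.js.parrot` "syntax error" markers exist because a parse error in user.js can leave the prefs after it unapplied, so in that case the 4507–4520 and section 5000 settings (e.g. `webgl.disabled`) would silently not take effect. Keep each disabled pref on a single line, e.g. `// user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");`. The leading space left on these lines (` // user_pref(...)`) is also inconsistent with the other commented prefs the same change moved to column 0.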
@@ -793,83 +928,93 @@ user_pref("privacy.sanitize.timeSpan", 0); 1369303 - spoof/disable performance API 1333651 - spoof User Agent & Navigator API version: android version spoofed as ESR - OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android - 1369319 - disable device sensor API + OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP +Headers spoofed as Windows or Android 1369319 - disable device sensor API 1369357 - disable site specific zoom 1337161 - hide gamepads from content - 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true - 1333641 - reduce fingerprinting in WebSpeech API - FF57 - 1369309 - spoof media statistics - 1382499 - reduce screen co-ordinate fingerprinting in Touch API + 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled += true 1333641 - reduce fingerprinting in WebSpeech API FF57 1369309 - spoof +media statistics 1382499 - reduce screen co-ordinate fingerprinting in Touch API 1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist FF58+ 1372073 - spoof/block fingerprinting in MediaDevices API (FF59) - Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" - Block: suppresses the ondevicechange event - 1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59) - 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59) - Spoofing mimics the content language of the document. Currently it only supports en-US. - Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. 
- 1337157 - disable WebGL debug renderer info (FF60) - 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62) - 1479239 - return "no-preference" with prefers-reduced-motion (FF63) - 1363508 - spoof/suppress Pointer Events (FF64) - 1492766 - spoof pointerEvent.pointerid (FF65) - 1485266 - disable exposure of system colors to CSS or canvas (FF67) + Spoof: enumerate devices as one "Internal Camera" and one "Internal +Microphone" Block: suppresses the ondevicechange event 1039069 - warn when +language prefs are not set to "en*" (also see 0210, 0211) (FF59) 1222285 & +1433592 - spoof keyboard events and suppress keyboard modifier events (FF59) + Spoofing mimics the content language of the document. Currently it only +supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome +is not affected. 1337157 - disable WebGL debug renderer info (FF60) 1459089 - +disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62) 1479239 - +return "no-preference" with prefers-reduced-motion (FF63) 1363508 - +spoof/suppress Pointer Events (FF64) 1492766 - spoof pointerEvent.pointerid +(FF65) 1485266 - disable exposure of system colors to CSS or canvas (FF67) 1494034 - return "light" with prefers-color-scheme (FF67) 1564422 - spoof audioContext outputLatency (FF70) 1595823 - return audioContext sampleRate as 44100 (FF72) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74) - 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78) - 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80) - 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82) - 531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1) - 1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100) - 1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102) + 1621433 - 
randomize canvas (previously FF58+ returned an all-white canvas) +(FF78) 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, +Mac, some Linux) (FF80) 1461454 - spoof smooth=true and powerEfficient=false for +supported media in MediaCapabilities (FF82) 531915 - use fdlibm's sin, cos and +tan in jsmath (FF93, ESR91.1) 1756280 - enforce navigator.pdfViewerEnabled as +true and plugins/mimeTypes as hard-coded values (FF100) 1692609 - reduce JS +timing precision to 16.67ms (previously FF55+ was 100ms) (FF102) ***/ -user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); +user_pref("_user.js.parrot", + "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] - * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar - * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme - * [1] https://bugzilla.mozilla.org/418986 ***/ + * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site + * exception via the urlbar RFP also has a few side effects: mainly timezone is + * UTC0, and websites will prefer light theme [1] + * https://bugzilla.mozilla.org/418986 ***/ user_pref("privacy.resistFingerprinting", true); /* 4502: set new window size rounding max values [FF55+] - * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen - * [1] https://bugzilla.mozilla.org/1330882 ***/ + * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to + * 100s, to fit your screen [1] https://bugzilla.mozilla.org/1330882 ***/ user_pref("privacy.window.maxInnerWidth", 1600); user_pref("privacy.window.maxInnerHeight", 900); /* 4503: disable mozAddonManager Web API [FF57+] * [NOTE] To allow extensions to work on AMO, you also need 2662 - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ 
-user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] + * [1] + * https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 + * ***/ +user_pref("privacy.resistFingerprinting.block_mozAddonManager", + true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] - * Dynamically resizes the inner window by applying margins in stepped ranges [2] - * If you use the dimension pref, then it will only apply those resolutions. - * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000") - * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but - * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable - * [WARNING] DO NOT USE: the dimension pref is only meant for testing - * [1] https://bugzilla.mozilla.org/1407366 - * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ -user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] - // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] + * Dynamically resizes the inner window by applying margins in stepped ranges + * [2] If you use the dimension pref, then it will only apply those resolutions. + * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, + * 1000x1000") [SETUP-WEB] This is independent of RFP (4501). 
If you're not + * using RFP, or you are but dislike the margins, then flip this pref, keeping + * in mind that it is effectively fingerprintable [WARNING] DO NOT USE: the + * dimension pref is only meant for testing [1] + * https://bugzilla.mozilla.org/1407366 [2] + * https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ +user_pref("privacy.resistFingerprinting.letterboxing", + true); // [HIDDEN PREF] + // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", + // ""); // [HIDDEN PREF] /* 4505: experimental RFP [FF91+] * [WARNING] DO NOT USE unless testing, see [1] comment 12 * [1] https://bugzilla.mozilla.org/1635603 ***/ - // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); - // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); +// user_pref("privacy.resistFingerprinting.exemptedDomains", +// "*.example.invalid"); +// user_pref("privacy.resistFingerprinting.testGranularityMask", 0); /* 4506: set RFP's font visibility level (1402) [FF94+] ***/ - // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1] +// user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: +// 1] /* 4507: disable showing about:blank as soon as possible during startup [FF60+] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); /* 4510: disable using system colors - * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] + * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system + * colors ***/ +user_pref("browser.display.use_system_colors", + false); // [DEFAULT: false NON-WINDOWS] /* 4511: enforce non-native widget theme * Security: removes/reduces system API calls, e.g. 
win32k API [1] * Fingerprinting: provides a uniform look and feel across platforms [2] 
@@ -882,149 +1027,176 @@ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true] * You can still right-click a link and open in a new window * [SETTING] General>Tabs>Open links in tabs instead of new windows * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 + * ***/ user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3] -/* 4513: set all open window methods to abide by "browser.link.open_newwindow" (4512) - * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/ +/* 4513: set all open window methods to abide by "browser.link.open_newwindow" + * (4512) [1] + * https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js + * ***/ user_pref("browser.link.open_newwindow.restriction", 0); /* 4520: disable WebGL (Web Graphics Library) - * [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/ + * [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for + * naive scripts ***/ user_pref("webgl.disabled", true); /*** [SECTION 5000]: OPTIONAL OPSEC Disk avoidance, application data isolation, eyeballs... ***/ -user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow"); +user_pref("_user.js.parrot", + "5000 syntax error: the parrot's taken 'is last bow"); /* 5001: start Firefox in PB (Private Browsing) mode - * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed - * [NOTE] The P in PB mode can be misleading: it means no "persistent" disk state such as history, - * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). 
- * In fact, PB mode limits or removes the ability to control some of these, and you need to quit - * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide - * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. - * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode - * [1] https://wiki.mozilla.org/Private_Browsing - * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ - // user_pref("browser.privatebrowsing.autostart", true); + * [NOTE] In this mode all windows are "private windows" and the PB mode icon is + * not displayed [NOTE] The P in PB mode can be misleading: it means no + * "persistent" disk state such as history, caches, searches, cookies, + * localStorage, IndexedDB etc (which you can achieve in normal mode). In fact, + * PB mode limits or removes the ability to control some of these, and you need + * to quit Firefox to clear them. PB is best used as a one off window (Menu>New + * Private Window) to provide a temporary self-contained new session. Close all + * Private Windows to clear the PB mode session. 
[SETTING] Privacy & + * Security>History>Custom Settings>Always use private browsing mode [1] + * https://wiki.mozilla.org/Private_Browsing [2] + * https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ +// user_pref("browser.privatebrowsing.autostart", true); /* 5002: disable memory cache - * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ - // user_pref("browser.cache.memory.enable", false); - // user_pref("browser.cache.memory.capacity", 0); + * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in + * kibibytes ***/ +// user_pref("browser.cache.memory.enable", false); +// user_pref("browser.cache.memory.capacity", 0); /* 5003: disable saving passwords * [NOTE] This does not clear any passwords already saved - * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ - // user_pref("signon.rememberSignons", false); + * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and + * passwords for websites ***/ +// user_pref("signon.rememberSignons", false); /* 5004: disable permissions manager from writing to disk [FF41+] [RESTART] * [NOTE] This means any permission changes are session only * [1] https://bugzilla.mozilla.org/967812 ***/ - // user_pref("permissions.memory_only", true); // [HIDDEN PREF] +// user_pref("permissions.memory_only", true); // [HIDDEN PREF] /* 5005: disable intermediate certificate caching [FF41+] [RESTART] - * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only. - * Saved logins and passwords are not available. Reset the pref and restart to return them ***/ - // user_pref("security.nocertdb", true); + * [NOTE] This affects login/cert/key dbs. The effect is all credentials are + * session-only. Saved logins and passwords are not available. 
Reset the pref + * and restart to return them ***/ +// user_pref("security.nocertdb", true); /* 5006: disable favicons in history and bookmarks - * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your - * actual history (and bookmarks) already do. Your history is more detailed, so - * control that instead; e.g. disable history, clear history on exit, use PB mode - * [NOTE] favicons.sqlite is sanitized on Firefox close ***/ - // user_pref("browser.chrome.site_icons", false); + * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything + * that your actual history (and bookmarks) already do. Your history is more + * detailed, so control that instead; e.g. disable history, clear history on + * exit, use PB mode [NOTE] favicons.sqlite is sanitized on Firefox close ***/ +// user_pref("browser.chrome.site_icons", false); /* 5007: exclude "Undo Closed Tabs" in Session Restore ***/ - // user_pref("browser.sessionstore.max_tabs_undo", 0); +// user_pref("browser.sessionstore.max_tabs_undo", 0); /* 5008: disable resuming session from crash * [TEST] about:crashparent ***/ - // user_pref("browser.sessionstore.resume_from_crash", false); +// user_pref("browser.sessionstore.resume_from_crash", false); /* 5009: disable "open with" in download dialog [FF50+] * Application data isolation [1] * [1] https://bugzilla.mozilla.org/1281959 ***/ - // user_pref("browser.download.forbid_open_with", true); +// user_pref("browser.download.forbid_open_with", true); /* 5010: disable location bar suggestion types - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ - // user_pref("browser.urlbar.suggest.history", false); - // user_pref("browser.urlbar.suggest.bookmark", false); - // user_pref("browser.urlbar.suggest.openpage", false); - // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] + * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest + * ***/ +// 
user_pref("browser.urlbar.suggest.history", false); +// user_pref("browser.urlbar.suggest.bookmark", false); +// user_pref("browser.urlbar.suggest.openpage", false); +// user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] /* 5011: disable location bar dropdown - * This value controls the total number of entries to appear in the location bar dropdown ***/ - // user_pref("browser.urlbar.maxRichResults", 0); + * This value controls the total number of entries to appear in the location bar + * dropdown ***/ +// user_pref("browser.urlbar.maxRichResults", 0); /* 5012: disable location bar autofill - * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ - // user_pref("browser.urlbar.autoFill", false); + * [1] + * https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete + * ***/ +// user_pref("browser.urlbar.autoFill", false); /* 5013: disable browsing and download history * [NOTE] We also clear history and downloads on exit (2811) - * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/ - // user_pref("places.history.enabled", false); + * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and + * download history ***/ +// user_pref("places.history.enabled", false); /* 5014: disable Windows jumplist [WINDOWS] ***/ - // user_pref("browser.taskbar.lists.enabled", false); - // user_pref("browser.taskbar.lists.frequent.enabled", false); - // user_pref("browser.taskbar.lists.recent.enabled", false); - // user_pref("browser.taskbar.lists.tasks.enabled", false); +// user_pref("browser.taskbar.lists.enabled", false); +// user_pref("browser.taskbar.lists.frequent.enabled", false); +// user_pref("browser.taskbar.lists.recent.enabled", false); +// user_pref("browser.taskbar.lists.tasks.enabled", false); /* 5015: disable Windows taskbar preview [WINDOWS] ***/ - // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false] +// 
user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false] /* 5016: discourage downloading to desktop * 0=desktop, 1=downloads (default), 2=last used - * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ - // user_pref("browser.download.folderList", 2); + * [SETTING] To set your default "downloads": General>Downloads>Save files to + * ***/ +// user_pref("browser.download.folderList", 2); /* 5017: disable Form Autofill - * If .supportedCountries includes your region (browser.search.region) and .supported - * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON - * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ - // user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] - // user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] - // user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] + * If .supportedCountries includes your region (browser.search.region) and + * .supported is "detect" (default), then the UI will show. Stored data is not + * secure, uses JSON [NOTE] Heuristics controls Form Autofill on forms + * without @autocomplete attributes [SETTING] Privacy & Security>Forms and + * Autofill>Autofill addresses [1] + * https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ +// user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] +// user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] +// user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /*** [SECTION 5500]: OPTIONAL HARDENING Not recommended. 
Overriding these can cause breakage and performance issues, - they are mostly fingerprintable, and the threat model is practically nonexistent + they are mostly fingerprintable, and the threat model is practically +nonexistent ***/ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); /* 5501: disable MathML (Mathematical Markup Language) [FF51+] * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/ - // user_pref("mathml.disabled", true); // 1173199 +// user_pref("mathml.disabled", true); // 1173199 /* 5502: disable in-content SVG (Scalable Vector Graphics) [FF53+] * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/ - // user_pref("svg.disabled", true); // 1216893 +// user_pref("svg.disabled", true); // 1216893 /* 5503: disable graphite * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ - // user_pref("gfx.font_rendering.graphite.enabled", false); +// user_pref("gfx.font_rendering.graphite.enabled", false); /* 5504: disable asm.js [FF22+] * [1] http://asmjs.org/ * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ - // user_pref("javascript.options.asmjs", false); +// user_pref("javascript.options.asmjs", false); /* 5505: disable Ion and baseline JIT to harden against JS exploits * [NOTE] When both Ion and JIT are disabled, and trustedprincipals * is enabled, then Ion can still be used by extensions (1599226) * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit - * [2] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ ***/ - // user_pref("javascript.options.ion", false); - // user_pref("javascript.options.baselinejit", false); - // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] + * [2] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ + * ***/ +// 
user_pref("javascript.options.ion", false); +// user_pref("javascript.options.baselinejit", false); +// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] +// [HIDDEN PREF] /* 5506: disable WebAssembly [FF52+] - * Vulnerabilities [1] have increasingly been found, including those known and fixed - * in native programs years ago [2]. WASM has powerful low-level access, making - * certain attacks (brute-force) and vulnerabilities more possible - * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3] - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm - * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly - * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ - // user_pref("javascript.options.wasm", false); + * Vulnerabilities [1] have increasingly been found, including those known and + * fixed in native programs years ago [2]. 
WASM has powerful low-level access, + * making certain attacks (brute-force) and vulnerabilities more possible + * [STATS] ~0.2% of websites, about half of which are for crytopmining / + * malvertising [2][3] [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm + * [2] + * https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly + * [3] + * https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes + * ***/ +// user_pref("javascript.options.wasm", false); /* 5507: disable rendering of SVG OpenType fonts ***/ - // user_pref("gfx.font_rendering.opentype_svg.enabled", false); +// user_pref("gfx.font_rendering.opentype_svg.enabled", false); /*** [SECTION 6000]: DON'T TOUCH ***/ user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!"); /* 6001: enforce Firefox blocklist * [WHY] It includes updates for "revoked certificates" - * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ ***/ + * [1] + * https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ + * ***/ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] /* 6002: enforce no referer spoofing * [WHY] Spoofing can affect CSRF (Cross-Site Request Forgery) protections ***/ user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] -/* 6004: enforce a security delay on some confirmation dialogs such as install, open/save - * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ +/* 6004: enforce a security delay on some confirmation dialogs such as install, + * open/save [1] + * https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ + * ***/ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /* 6008: enforce no First Party Isolation [FF51+] * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), 
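Review bot: The reflow in this hunk treats a Firefox user.js as C source, so the one-tag-per-line layout of the hardening notes is lost: in 5001, 5006 and 5017 the `[NOTE]`, `[SETTING]` and `[1]` markers are now merged mid-sentence (`... use PB mode [NOTE] favicons.sqlite ...`, `... uses JSON [NOTE] Heuristics ...`), and in 5505 the `[HIDDEN PREF]` tag for `javascript.options.jit_trustedprincipals` is pushed onto a detached `// [HIDDEN PREF]` line. None of this changes what Firefox loads, but it makes each pref's provenance and caveats harder to audit against upstream and turns the commit into a large pure-formatting diff; the same reflow continues in the next hunk (6011 onward). I would exclude this file from the C/C++ formatter hook instead of committing the reflow, e.g. an `exclude:` pattern for the user.js path (`<path/to/user.js>` placeholder) under that hook's entry in `.pre-commit-config.yaml`, and keep the comment blocks as upstream writes them.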
@@ -1039,174 +1211,193 @@ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] * [TEST] https://tls-v1-1.badssl.com:1010/ ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 6011: enforce disabling of Web Compatibility Reporter [FF56+] - * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla - * [WHY] To prevent wasting Mozilla's time with a custom setup ***/ + * Web Compatibility Reporter adds a "Report Site Issue" button to send data to + * Mozilla [WHY] To prevent wasting Mozilla's time with a custom setup ***/ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset items removed from arkenfox FF102+ ***/ - // user_pref("browser.newtab.preload", ""); - // user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", ""); - // user_pref("browser.newtabpage.activity-stream.feeds.snippets", ""); - // user_pref("browser.ssl_override_behavior", ""); - // user_pref("devtools.chrome.enabled", ""); - // user_pref("dom.disable_beforeunload", ""); - // user_pref("dom.disable_open_during_load", ""); - // user_pref("extensions.formautofill.available", ""); - // user_pref("extensions.formautofill.addresses.supported", ""); - // user_pref("extensions.formautofill.creditCards.available", ""); - // user_pref("extensions.formautofill.creditCards.supported", ""); +// user_pref("browser.newtab.preload", ""); +// user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", +// ""); user_pref("browser.newtabpage.activity-stream.feeds.snippets", ""); +// user_pref("browser.ssl_override_behavior", ""); +// user_pref("devtools.chrome.enabled", ""); +// user_pref("dom.disable_beforeunload", ""); +// user_pref("dom.disable_open_during_load", ""); +// user_pref("extensions.formautofill.available", ""); +// user_pref("extensions.formautofill.addresses.supported", ""); +// 
user_pref("extensions.formautofill.creditCards.available", ""); +// user_pref("extensions.formautofill.creditCards.supported", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ -user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); +user_pref("_user.js.parrot", + "7000 syntax error: the parrot's pushing up daisies!"); /* 7001: disable APIs * Location-Aware Browsing, Full Screen, offline cache (appCache) * [WHY] The API state is easily fingerprintable. Geo is behind a prompt (7002). - * appCache storage capability was removed in FF90. Full screen requires user interaction ***/ - // user_pref("geo.enabled", false); - // user_pref("full-screen-api.enabled", false); - // user_pref("browser.cache.offline.enable", false); + * appCache storage capability was removed in FF90. Full screen requires user + * interaction ***/ +// user_pref("geo.enabled", false); +// user_pref("full-screen-api.enabled", false); +// user_pref("browser.cache.offline.enable", false); /* 7002: set default permissions * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+] * 0=always ask (default), 1=allow, 2=block * [WHY] These are fingerprintable via Permissions API, except VR. Just add site - * exceptions as allow/block for frequently visited/annoying sites: i.e. not global - * [SETTING] to add site exceptions: Ctrl+I>Permissions> - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ - // user_pref("permissions.default.geo", 0); - // user_pref("permissions.default.camera", 0); - // user_pref("permissions.default.microphone", 0); - // user_pref("permissions.default.desktop-notification", 0); - // user_pref("permissions.default.xr", 0); // Virtual Reality + * exceptions as allow/block for frequently visited/annoying sites: i.e. 
not + * global [SETTING] to add site exceptions: Ctrl+I>Permissions> [SETTING] to + * manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ +// user_pref("permissions.default.geo", 0); +// user_pref("permissions.default.camera", 0); +// user_pref("permissions.default.microphone", 0); +// user_pref("permissions.default.desktop-notification", 0); +// user_pref("permissions.default.xr", 0); // Virtual Reality /* 7003: disable non-modern cipher suites [1] - * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks - * [1] https://browserleaks.com/ssl ***/ - // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+] - // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+] - // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); - // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); - // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS - // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS - // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS - // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS + * [WHY] Passive fingerprinting. 
Minimal/non-existent threat of downgrade + * attacks [1] https://browserleaks.com/ssl ***/ +// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false +// FF109+] user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // +// [DEFAULT: false FF109+] user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", +// false); user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); +// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS +// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS +// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS +// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS /* 7004: control TLS versions * [WHY] Passive fingerprinting and security ***/ - // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] - // user_pref("security.tls.version.max", 4); +// user_pref("security.tls.version.min", 3); // [DEFAULT: 3] +// user_pref("security.tls.version.max", 4); /* 7005: disable SSL session IDs [FF36+] * [WHY] Passive fingerprinting and perf costs. These are session-only * and isolated with network partitioning (FF85+) and/or containers ***/ - // user_pref("security.ssl.disable_session_identifiers", true); +// user_pref("security.ssl.disable_session_identifiers", true); /* 7006: onions * [WHY] Firefox doesn't support hidden services. 
Use Tor Browser ***/ - // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006 - // user_pref("network.http.referer.hideOnionSource", true); // 1305144 +// user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] +// 1382359/1744006 user_pref("network.http.referer.hideOnionSource", true); // +// 1305144 /* 7007: referers * [WHY] Only cross-origin referers (1600s) need control ***/ - // user_pref("network.http.sendRefererHeader", 2); - // user_pref("network.http.referer.trimmingPolicy", 0); +// user_pref("network.http.sendRefererHeader", 2); +// user_pref("network.http.referer.trimmingPolicy", 0); /* 7008: set the default Referrer Policy [FF59+] - * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade - * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/ - // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2] - // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] + * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, + * 3=no-referrer-when-downgrade [WHY] Defaults are fine. 
They can be overridden + * by a site-controlled Referrer Policy ***/ +// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2] +// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /* 7010: disable HTTP Alternative Services [FF37+] * [WHY] Already isolated with network partitioning (FF85+) ***/ - // user_pref("network.http.altsvc.enabled", false); +// user_pref("network.http.altsvc.enabled", false); /* 7011: disable website control over browser right-click context menu * [WHY] Just use Shift-Right-Click ***/ - // user_pref("dom.event.contextmenu.enabled", false); +// user_pref("dom.event.contextmenu.enabled", false); /* 7012: disable icon fonts (glyphs) and local fallback rendering * [WHY] Breakage, font fallback is equivalency, also RFP * [1] https://bugzilla.mozilla.org/789788 * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ - // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] - // user_pref("gfx.downloadable_fonts.fallback_delay", -1); +// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] +// user_pref("gfx.downloadable_fonts.fallback_delay", -1); /* 7013: disable Clipboard API * [WHY] Fingerprintable. Breakage. Cut/copy/paste require user * interaction, and paste is limited to focused editable fields ***/ - // user_pref("dom.event.clipboardevents.enabled", false); +// user_pref("dom.event.clipboardevents.enabled", false); /* 7014: disable System Add-on updates - * [WHY] It can compromise security. System addons ship with prefs, use those ***/ - // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] - // user_pref("extensions.systemAddon.update.url", ""); // [FF44+] + * [WHY] It can compromise security. 
System addons ship with prefs, use those + * ***/ +// user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] +// user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 7015: enable the DNT (Do Not Track) HTTP header - * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/ - // user_pref("privacy.donottrackheader.enabled", true); + * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict + * (2701) ***/ +// user_pref("privacy.donottrackheader.enabled", true); /* 7016: customize ETP settings * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/ - // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+] - // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); - // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+] - // user_pref("privacy.partition.network_state.ocsp_cache", true); - // user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+] - // user_pref("privacy.trackingprotection.enabled", true); - // user_pref("privacy.trackingprotection.socialtracking.enabled", true); - // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] - // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] +// user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+] +// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); +// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", +// true); // [FF100+] user_pref("privacy.partition.network_state.ocsp_cache", +// true); user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP +// FF102+] user_pref("privacy.trackingprotection.enabled", true); +// user_pref("privacy.trackingprotection.socialtracking.enabled", true); +// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // 
+// [DEFAULT: true] +// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // +// [DEFAULT: true] /* 7017: disable service workers * [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/ - // user_pref("dom.serviceWorkers.enabled", false); +// user_pref("dom.serviceWorkers.enabled", false); /* 7018: disable Web Notifications * [WHY] Web Notifications are behind a prompt (7002) - * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/ - // user_pref("dom.webnotifications.enabled", false); // [FF22+] - // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] + * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ + * ***/ +// user_pref("dom.webnotifications.enabled", false); // [FF22+] +// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] /* 7019: disable Push Notifications [FF44+] * [WHY] Push requires subscription * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ - // user_pref("dom.push.enabled", false); +// user_pref("dom.push.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING - [WHY] They are insufficient to help anti-fingerprinting and do more harm than good - [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere + [WHY] They are insufficient to help anti-fingerprinting and do more harm than +good [WARNING] DO NOT USE with RFP. 
RFP already covers these and they can +interfere ***/ -user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan"); +user_pref("_user.js.parrot", + "8000 syntax error: the parrot's crossed the Jordan"); /* 8001: prefsCleaner: reset items useless for anti-fingerprinting ***/ - // user_pref("browser.display.use_document_fonts", ""); - // user_pref("browser.zoom.siteSpecific", ""); - // user_pref("device.sensors.enabled", ""); - // user_pref("dom.enable_performance", ""); - // user_pref("dom.enable_resource_timing", ""); - // user_pref("dom.gamepad.enabled", ""); - // user_pref("dom.maxHardwareConcurrency", ""); - // user_pref("dom.w3c_touch_events.enabled", ""); - // user_pref("dom.webaudio.enabled", ""); - // user_pref("font.system.whitelist", ""); - // user_pref("general.appname.override", ""); - // user_pref("general.appversion.override", ""); - // user_pref("general.buildID.override", ""); - // user_pref("general.oscpu.override", ""); - // user_pref("general.platform.override", ""); - // user_pref("general.useragent.override", ""); - // user_pref("media.navigator.enabled", ""); - // user_pref("media.ondevicechange.enabled", ""); - // user_pref("media.video_stats.enabled", ""); - // user_pref("media.webspeech.synth.enabled", ""); - // user_pref("ui.use_standins_for_native_colors", ""); - // user_pref("webgl.enable-debug-renderer-info", ""); +// user_pref("browser.display.use_document_fonts", ""); +// user_pref("browser.zoom.siteSpecific", ""); +// user_pref("device.sensors.enabled", ""); +// user_pref("dom.enable_performance", ""); +// user_pref("dom.enable_resource_timing", ""); +// user_pref("dom.gamepad.enabled", ""); +// user_pref("dom.maxHardwareConcurrency", ""); +// user_pref("dom.w3c_touch_events.enabled", ""); +// user_pref("dom.webaudio.enabled", ""); +// user_pref("font.system.whitelist", ""); +// user_pref("general.appname.override", ""); +// user_pref("general.appversion.override", ""); +// user_pref("general.buildID.override", 
""); +// user_pref("general.oscpu.override", ""); +// user_pref("general.platform.override", ""); +// user_pref("general.useragent.override", ""); +// user_pref("media.navigator.enabled", ""); +// user_pref("media.ondevicechange.enabled", ""); +// user_pref("media.video_stats.enabled", ""); +// user_pref("media.webspeech.synth.enabled", ""); +// user_pref("ui.use_standins_for_native_colors", ""); +// user_pref("webgl.enable-debug-renderer-info", ""); /*** [SECTION 9000]: NON-PROJECT RELATED ***/ -user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!"); +user_pref("_user.js.parrot", + "9000 syntax error: the parrot's cashed in 'is chips!"); /* 9001: disable welcome notices ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); -/* 9002: disable General>Browsing>Recommend extensions/features as you browse [FF67+] ***/ -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); +/* 9002: disable General>Browsing>Recommend extensions/features as you browse + * [FF67+] ***/ +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", + false); +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", + false); /* 9003: disable What's New toolbar icon [FF69+] ***/ user_pref("browser.messaging-system.whatsNewPanel.enabled", false); /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1] - [1] https://github.com/arkenfox/user.js/issues/123 + Documentation denoted as [-]. 
Items deprecated prior to FF91 have been +archived at [1] [1] https://github.com/arkenfox/user.js/issues/123 ***/ -user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); +user_pref("_user.js.parrot", + "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); /* ESR102.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them // FF103 - // 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810) + // 2801: delete cookies and site data on exit - replaced by +sanitizeOnShutdown* (2810) // 0=keep until they expire (default), 2=keep until you close Firefox - // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761 + // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site +data when Firefox is closed + // [-] +https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761 user_pref("network.cookie.lifetimePolicy", 2); // 6012: disable SHA-1 certificates // [-] https://bugzilla.mozilla.org/1766687 @@ -1214,4 +1405,5 @@ user_pref("network.cookie.lifetimePolicy", 2); // ***/ /* END: internal custom pref to test for syntax errors ***/ -user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!"); +user_pref("_user.js.parrot", + "SUCCESS: No no he's not dead, he's, he's restin'!"); diff --git a/usr/local/etc/dnscrypt-blacklist.txt b/usr/local/etc/dnscrypt-blacklist.txt index 9c5a232..be1cd96 100644 --- a/usr/local/etc/dnscrypt-blacklist.txt +++ b/usr/local/etc/dnscrypt-blacklist.txt @@ -100,4 +100,3 @@ googletagservices.* #reddit.com @time-to-sleep #*.twitter.com @time-to-sleep #*.youtube.* @time-to-sleep -
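Review bot: Several inactive prefs in this hunk no longer start a `// user_pref(` line but have been joined onto the continuation of the previous comment, e.g. in 6050 `// ""); user_pref("browser.newtabpage.activity-stream.feeds.snippets", "");`, and in 7003, 7006 and 7016 where `user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);`, `user_pref("network.http.referer.hideOnionSource", true);` and `user_pref("privacy.trackingprotection.enabled", true);` now begin mid-line. They stay commented out, but re-enabling one by dropping the leading `//` would leave a fragment such as `false); user_pref(...)`, which the end-of-file `_user.js.parrot` sentinel only catches after the profile has already loaded the broken file. The 6050 and 8001 "prefsCleaner: reset items" lists also presumably depend on one pref per line for the cleaner script to find them; that should be confirmed against the script before this layout is kept. Restore one `// user_pref(...)` per line in these sections, the 7003 cipher-suite and 7016 ETP lists in particular since those are the ones a user is most likely to toggle, or exclude the file from the formatter.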