Security Technical Implementation Guides (STIGs)


Product
Severity
SRG
CCIs
STIG IDs
Rule IDs
Tags
AppLocker
EventSentry
Security
stig
Vulnerability ID Severity Description
V-268420 Medium The macOS system must prevent Apple Watch from terminating a session lock
V-268421 Medium The macOS system must enforce screen saver password
V-268434 Medium The macOS system must disable FileVault automatic login
V-268435 Medium The macOS system must configure SSHD ClientAliveInterval to 900
V-268436 Medium The macOS system must configure SSHD ClientAliveCountMax to 1
V-268437 Medium The macOS system must set login grace time to 30
V-268438 High The macOS system must limit SSHD to FIPS-compliant connections
V-268440 Medium The macOS system must set account lockout time to 15 minutes
V-268441 Medium The macOS system must enforce screen saver timeout
V-268442 Medium The macOS system must disable login to other users' active and locked sessions
V-268443 Medium The macOS system must disable root login
V-268444 Medium The macOS system must configure the SSH ServerAliveInterval to 900
V-268445 Medium The macOS system must configure SSHD channel timeout to 900
V-268446 Medium The macOS system must configure SSHD unused connection timeout to 900
V-268447 Medium The macOS system must set SSH Active Server Alive Maximum to 0
V-268448 Medium The macOS system must enforce auto logout after 86400 seconds of inactivity
V-268449 Medium The macOS system must be configured to use an authorized time server
V-268439 High The macOS system must limit SSH to FIPS-compliant connections
V-268450 Medium The macOS system must enable the time synchronization daemon
V-268451 Medium The macOS system must configure sudo to log events
V-268452 Medium The macOS system must be configured to audit all administrative action events
V-268453 Medium The macOS system must be configured to audit all login and logout events
V-268454 Medium The macOS system must enable security auditing
V-268455 Medium The macOS system must be configured to shut down upon audit failure
V-268456 Medium The macOS system must configure audit log files to be owned by root
V-268457 Medium The macOS system must configure audit log folders to be owned by root
V-268458 Medium The macOS system must configure the audit log files group to wheel
V-268459 Medium The macOS system must configure the audit log folders group to wheel
V-268460 Medium The macOS system must configure audit log files to mode 440 or less permissive
V-268461 Medium The macOS system must configure audit log folders to mode 700 or less permissive
V-268462 Medium The macOS system must be configured to audit all deletions of object attributes
V-268463 Medium The macOS system must be configured to audit all changes of object attributes
V-268464 Medium The macOS system must be configured to audit all failed read actions on the system
V-268465 Medium The macOS system must be configured to audit all failed write actions on the system
V-269094 Medium The macOS system must be configured to audit all failed program execution on the system
V-268467 Low The macOS system must configure audit retention to seven days
V-268468 Medium The macOS system must configure audit capacity warning
V-268469 Medium The macOS system must configure audit failure notification
V-268470 Medium The macOS system must be configured to audit all authorization and authentication events
V-268471 Medium The macOS system must set smart card certificate trust to moderate
V-268472 Medium The macOS system must disable root login for SSH
V-268473 Medium The macOS system must configure audit_control group to wheel
V-268474 Medium The macOS system must configure audit_control owner to root
V-268475 Medium The macOS system must configure audit_control owner to mode 440 or less permissive
V-269095 Medium The macOS system must configure audit_control to not contain access control lists (ACLs)
V-268477 High The macOS system must disable password authentication for SSH
V-268478 Medium The macOS system must disable Server Message Block (SMB) sharing
V-268479 Medium The macOS system must disable Network File System (NFS) service
V-268480 Medium The macOS system must disable Location Services
V-268481 Medium The macOS system must disable Bonjour multicast
V-268482 Medium The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service
V-268483 Medium The macOS system must disable Internet Sharing
V-268484 Medium The macOS system must disable the built-in web server
V-268485 Medium The macOS system must disable AirDrop
V-268486 Medium The macOS system must disable FaceTime.app
V-268487 Medium The macOS system must disable the iCloud Calendar services
V-268488 Medium The macOS system must disable iCloud Reminders
V-268489 Medium The macOS system must disable iCloud Address Book
V-268490 Medium The macOS system must disable iCloud Mail
V-268491 Medium The macOS system must disable iCloud Notes
V-268492 Medium The macOS system must disable the camera
V-268493 Medium The macOS system must disable Siri
V-268494 Medium The macOS system must disable sending diagnostic and usage data to Apple
V-268495 Medium The macOS system must disable Remote Apple Events
V-269096 Medium The macOS system must disable sending audio recordings and transcripts to Apple
V-269566 Medium The macOS system must disable sending search data from Spotlight to Apple
V-268496 Medium The macOS system must disable Apple ID setup during Setup Assistant
V-268497 Medium The macOS system must disable Privacy Setup services during Setup Assistant
V-268498 Medium The macOS system must disable iCloud storage setup during Setup Assistant
V-268499 High The macOS system must disable Trivial File Transfer Protocol (TFTP) service
V-268500 Medium The macOS system must disable Siri Setup during Setup Assistant
V-268501 Medium The macOS system must disable iCloud Keychain Sync
V-268502 Medium The macOS system must disable iCloud Document Sync
V-268503 Medium The macOS system must disable iCloud Bookmarks
V-268504 Medium The macOS system must disable iCloud Photo Library
V-268505 Medium The macOS system must disable Screen Sharing and Apple Remote Desktop
V-268506 Medium The macOS system must disable the System Settings pane for Wallet and Apple Pay
V-268507 Medium The macOS system must disable the system settings pane for Siri
V-268508 High The macOS system must apply gatekeeper settings to block applications from unidentified developers
V-268509 High The macOS system must disable Bluetooth when no approved device is connected
V-268510 Medium The macOS system must disable the guest account
V-268511 High The macOS system must enable gatekeeper
V-268512 High The macOS system must disable unattended or automatic login to the system
V-268513 Medium The macOS system must secure users' home folders
V-268514 High The macOS system must require an administrator password to modify systemwide preferences
V-268515 Medium The macOS system must disable Airplay Receiver
V-268516 Medium The macOS system must disable TouchID for unlocking the device
V-268517 Medium The macOS system must disable Media Sharing
V-268518 Medium The macOS system must disable Bluetooth Sharing
V-268519 Medium The macOS system must disable AppleID and internet Account Modification
V-268521 Medium The macOS system must disable Content Caching service
V-268522 Medium The macOS system must disable iCloud Desktop and Document folder sync
V-268523 Medium The macOS system must disable iCloud Game Center
V-268524 Medium The macOS system must disable iCloud Private Relay
V-268525 Medium The macOS system must disable Find My service
V-268526 Medium The macOS system must disable Personalized Advertising
V-268527 Medium The macOS system must disable sending Siri and Dictation information to Apple
V-268528 Medium The macOS system must enforce On Device Dictation
V-268529 Medium The macOS system must disable Dictation
V-268530 Medium The macOS system must disable Printer Sharing
V-268531 Medium The macOS system must disable Remote Management
V-268532 Medium The macOS system must disable the Bluetooth System Settings pane
V-268533 Medium The macOS system must disable the iCloud Freeform services
V-272477 Medium The macOS system must disable iPhone Mirroring
V-268534 Medium The macOS system must issue or obtain public key certificates from an approved service provider
V-268535 Medium The macOS system must require that passwords contain a minimum of one numeric character
V-268536 Medium The macOS system must restrict maximum password lifetime to 60 days
V-268537 Medium The macOS system must require a minimum password length of 14 characters
V-268538 Medium The macOS system must require that passwords contain a minimum of one special character
V-268539 Medium The macOS system must disable password hints
V-268540 Medium The macOS system must enable firmware password
V-268541 Medium The macOS system must remove password hints from user accounts
V-268542 Medium The macOS system must enforce smart card authentication
V-268543 Medium The macOS system must allow smart card authentication
V-268544 Medium The macOS system must enforce multifactor authentication for login
V-268545 Medium The macOS system must enforce multifactor authentication for the su command
V-268546 Medium The macOS system must enforce multifactor authentication for privilege escalation through the sud...
V-268547 Medium The macOS system must require that passwords contain a minimum of one lowercase character and one...
V-268548 Medium The macOS system must set minimum password lifetime to 24 hours
V-268549 Medium The macOS system must disable accounts after 35 days of inactivity
V-268550 Medium The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel
V-268551 Medium The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive
V-274881 Medium The macOS system must require users to reauthenticate for privilege escalation when using the "su...
V-268552 Medium The macOS system must configure system log files owned by root and group to wheel
V-268553 Medium The macOS system must configure system log files to mode 640 or less permissive
V-268554 Low The macOS system must configure install.log retention to 365
V-274880 Medium The macOS system must configure sudoers timestamp type
V-268555 High The macOS system must ensure System Integrity Protection is enabled
V-268556 High The macOS system must enforce FileVault
V-268557 Medium The macOS system must enable macOS Application Firewall
V-268558 Medium The macOS system must configure the login window to prompt for username and password
V-268559 Medium The macOS system must disable the TouchID prompt during Setup Assistant
V-268560 Medium The macOS system must disable the Screen Time prompt during Setup Assistant
V-268561 Medium The macOS system must disable Unlock with Apple Watch during Setup Assistant
V-268562 Medium The macOS system must disable Handoff
V-268563 Medium The macOS system must disable proximity-based password sharing requests
V-268564 Medium The macOS system must disable Erase Content and Settings
V-268565 Medium The macOS system must enable Authenticated Root
V-268566 Medium The macOS system must prohibit user installation of software into /users/
V-268567 Medium The macOS system must authorize USB devices before allowing connection
V-268568 Medium The macOS system must ensure Secure Boot level is set to "full"
V-268569 Medium The macOS system must enforce enrollment in Mobile Device Management (MDM)
V-268570 Medium The macOS system must enable Recovery Lock
V-268571 Medium The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati...
V-268572 Medium The macOS system must disable Genmoji
V-268573 Medium The macOS system must disable Apple Intelligence Image Generation
V-268574 Medium The macOS system must disable Apple Intelligence Writing Tools
V-268575 Medium The macOS system must install security-relevant software updates within 30 days unless the time p...