################################################################################
DOCUMENT         : Apple_macOS_13_STIG
VERSION          : 001.005.006
CHECKSUM         : a1151247240b58dc37b44f8986beb4ef21c49640f8cb9c601d58bbc42b977590
MANUAL QUESTIONS : 11

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 11
TITLE            : CAT I, V-257166, SV-257166r958408, SRG-OS-000033-GPOS-00014
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:4701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:4701
RULE             : The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
QUESTION_TEXT    : Verify the macOS system is configured to use approved SSH MACs within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "macs"

macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

References:
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 11
TITLE            : CAT I, V-257167, SV-257167r958408, SRG-OS-000033-GPOS-00014
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:4901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:4901
RULE             : The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
QUESTION_TEXT    : Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms"

kexalgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

References:
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 11
TITLE            : CAT I, V-257225, SV-257225r958448, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:16301
RULE             : The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
QUESTION_TEXT    : Verify the macOS system is configured with approved DOD certificates with the following command:

/usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | /usr/bin/awk -F\" '{ print $4 }'

If this list contains unapproved certificates, this is a finding.

References:
CCI-000185
CCI-002450
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 11
TITLE            : CAT I, V-257294, SV-257294r958408, SRG-OS-000033-GPOS-00014
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:21901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:21901
RULE             : The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
QUESTION_TEXT    : Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

References:
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 11
TITLE            : CAT I, V-257295, SV-257295r958408, SRG-OS-000033-GPOS-00014
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:22101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:22101
RULE             : The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
QUESTION_TEXT    : Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "kexalgorithms" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

References:
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-002890
CCI-003123
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************
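Added example (Python; not part of this SCC file or the STIG) that evaluates the decision rules of questions 1, 2, 4 and 5 on captured output of the commands shown above. It assumes the command output is passed in as text; the sample output and the path example-site.conf are constructed.

```python
"""SSH MAC / key-exchange checks on captured command output; added example, not SCC or STIG code."""
APPROVED = {"macs": {"hmac-sha2-256"}, "kexalgorithms": {"ecdh-sha2-nistp256"}}

def parse_sshd_dump(text):
    """`sshd -T` prints the effective server config as 'keyword value', keywords lowercased."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def parse_client_grep(text):
    """`grep -ir KEYWORD /etc/ssh/ssh_config*` prints 'path:Keyword value'. Commented lines
    (stock ssh_config has a commented MACs example) are skipped; every active occurrence is kept."""
    found = {}
    for line in text.splitlines():
        path, _, rest = line.partition(":")
        parts = rest.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append((path, parts[1].strip()))
    return found

def check_algorithms(keyword, value):
    """Findings for one keyword: missing, a +/-/^ prefix (which edits the default list
    instead of replacing it), or any list entry outside the approved set."""
    if value is None:
        return [f'"{keyword}" keyword is missing']
    if value[0] in "+-^":
        return [f'"{keyword}" modifies the default list ({value}) instead of replacing it']
    return [f'"{keyword}" lists unapproved algorithm {a}'
            for a in value.split(",") if a not in APPROVED[keyword]]

def evaluate_server(sshd_dump):
    conf = parse_sshd_dump(sshd_dump)
    return [f for kw in APPROVED for f in check_algorithms(kw, conf.get(kw))]

def evaluate_client(grep_output):
    found = parse_client_grep(grep_output)
    return [f"{path}: {f}" if path else f for kw in APPROVED
            for path, value in (found.get(kw) or [(None, None)])
            for f in check_algorithms(kw, value)]

# Constructed sample output, not captured from a real host (example-site.conf is made up).
SERVER_OK = "macs hmac-sha2-256\nkexalgorithms ecdh-sha2-nistp256\n"
SERVER_BAD = "macs hmac-sha2-256,hmac-sha1\nkexalgorithms ecdh-sha2-nistp256\n"
CLIENT_BAD = ("/etc/ssh/ssh_config:#   MACs hmac-md5,hmac-sha1\n"
              "/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256\n"
              "/etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256\n"
              "/etc/ssh/ssh_config.d/example-site.conf:MACs +hmac-sha1\n")
```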

QUESTION         : 6 of 11
TITLE            : CAT I, V-269981, SV-269981r1038907, SRG-OS-000439-GPOS-00195
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:22501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:22501
RULE             : The macOS system must be a supported release.
QUESTION_TEXT    : Verify the operating system version. 

Click the Apple icon on the menu at the top left corner of the screen and select the "About This Mac" option. 

The name of the macOS release installed appears on the Overview tab in the resulting window. The precise version number installed is displayed below that.

If the installed version of macOS 13 is not supported, this is a finding.

References:
CCI-002605
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 11
TITLE            : CAT II, V-257150, SV-257150r958364, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:1501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:1501
RULE             : The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.
QUESTION_TEXT    : Verify the macOS system is configured with a policy via directory service to disable temporary or emergency accounts after 72 hours by asking the System Administrator (SA) or Information System Security Officer (ISSO).

If a policy is not set by a directory service, a password policy must be set with the "pwpolicy" utility. The variable names may differ depending on how the policy was set.

If temporary or emergency accounts are not defined on the macOS system, this is not applicable.

Verify the macOS system is configured with a policy to disable temporary or emergency accounts after 72 hours with the following command:

/usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2

If there is no output and password policy is not controlled by a directory service, this is a finding.

Otherwise, look for the line "<key>policyCategoryAuthentication</key>".

In the array that follows, a <dict> section contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259200 seconds). The check might use a variable defined in its "policyParameters" section.

If the check does not exist or if the check adds more than 72 hours to "policyAttributeCreationTime", this is a finding.

References:
CCI-000016
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************
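Added example (Python; not part of this SCC file or the STIG) that applies the decision in question 7 to the plist printed by "pwpolicy ... getaccountpolicies | tail -n +2", including the case where the check refers to a variable from its "policyParameters" section. The plist below is constructed; the parameter name policyAttributeExpiresEveryNSeconds is an assumption, the attribute names come from the question text.

```python
"""Evaluate a pwpolicy account-policy plist for the 72-hour rule. Added
example, not part of the SCC file or the STIG."""
import plistlib
import re

MAX_SECONDS = 72 * 3600  # 259200

def creation_time_window(policy):
    """Seconds a policyCategoryAuthentication rule adds to policyAttributeCreationTime,
    or None if the rule does not compare against it. The operand may be a literal
    or a name resolved from the rule's own policyParameters dict."""
    m = re.search(r"policyAttributeCreationTime\s*\+\s*([A-Za-z_]\w*|\d+)",
                  policy.get("policyContent", ""))
    if not m:
        return None
    operand = m.group(1)
    value = operand if operand.isdigit() else policy.get("policyParameters", {}).get(operand)
    return int(value) if str(value).isdigit() else None

def evaluate_account_policy(plist_text):
    """Apply the STIG decision to `pwpolicy -u <user> getaccountpolicies | tail -n +2`
    output: finding when no policy is set, no rule references the creation time,
    or the tightest such rule allows more than 72 hours. Returns (status, detail)."""
    if not plist_text.strip():
        return ("finding", "no account policy set (check the directory service)")
    rules = plistlib.loads(plist_text.encode()).get("policyCategoryAuthentication", [])
    windows = [w for w in map(creation_time_window, rules) if w is not None]
    if not windows:
        return ("finding", "no rule compares against policyAttributeCreationTime")
    if min(windows) > MAX_SECONDS:
        return ("finding", f"accounts stay enabled for {min(windows)} s (> {MAX_SECONDS} s)")
    return ("not a finding", f"accounts disabled after {min(windows)} s")

# Constructed plist in the layout pwpolicy emits: the rule references a variable
# defined in policyParameters, as the STIG text says it may.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>policyCategoryAuthentication</key>
  <array><dict>
    <key>policyContent</key>
    <string>policyAttributeCurrentTime &lt; policyAttributeCreationTime + policyAttributeExpiresEveryNSeconds</string>
    <key>policyIdentifier</key><string>Disable temporary accounts after 72 hours</string>
    <key>policyParameters</key>
    <dict><key>policyAttributeExpiresEveryNSeconds</key><integer>259200</integer></dict>
  </dict></array>
</dict></plist>"""
```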

QUESTION         : 8 of 11
TITLE            : CAT II, V-257152, SV-257152r982191, SRG-OS-000191-GPOS-00080
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:1901
RULE             : The macOS system must use an Endpoint Security Solution (ESS) and implement all DOD required modules.
QUESTION_TEXT    : Verify the macOS system is configured with an approved ESS solution.

If an approved ESS solution is not installed, this is a finding.

Verify that all installed components of the ESS solution are at the DOD-approved minimal version.

If the installed components are not at the DOD-approved minimal versions, this is a finding.

References:
CCI-001233
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 11
TITLE            : CAT II, V-257160, SV-257160r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:3501
RULE             : The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
QUESTION_TEXT    : Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command:

/usr/bin/sudo /usr/bin/fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons:

/usr/bin/sudo /usr/bin/dscl . read /Users/<FileVault_User> UserShell

UserShell: /usr/bin/false

If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 11
TITLE            : CAT II, V-257222, SV-257222r991590, SRG-OS-000480-GPOS-00228
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:15901
RULE             : The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.
QUESTION_TEXT    : Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:

/bin/ls -le /Users

This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus (+) sign indicates an associated Access Control List, which must be:
0: group:everyone deny delete

For every authorized user account, also run the following command:
/usr/bin/sudo /bin/ls -le /Users/userid

where "userid" is an existing user.

This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:
drwx------+ 
 0: group:everyone deny delete

The exception is the "Public" directory, whose permissions must match the following:
drwxr-xr-x+ 
 0: group:everyone deny delete

If the permissions returned by either of these checks differ from what is shown, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************
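Added example (Python; not part of this SCC file or the STIG) that applies both checks of question 10 to captured "ls -le" output. The listings below are constructed, and the "Shared" entry is assumed to be the only non-user directory under /Users.

```python
"""Home-directory permission/ACL checks on `ls -le` output; added example, not SCC or STIG code."""
import re

DENY_DELETE = ["group:everyone deny delete"]

def parse_ls_le(text):
    """Turn `ls -le` output into [mode, owner, group, name, [acl entries]]; an ACL
    line (' 0: group:everyone deny delete') belongs to the entry printed above it."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\s+\d+:", line) and entries:
            entries[-1][4].append(line.split(":", 1)[1].strip())
            continue
        parts = line.split(None, 8)  # mode links owner group size mon day time name
        if len(parts) == 9 and parts[0][0] in "d-l":
            entries.append([parts[0], parts[2], parts[3], parts[8], []])
    return entries

def check_users_root(listing, users):
    """`ls -le /Users`: each authorized home must be drwxr-xr-x+, owned by that user,
    group staff, with exactly the deny-delete ACL. Non-user entries (Shared) are ignored."""
    by_name = {e[3]: e for e in parse_ls_le(listing)}
    findings = []
    for user in users:
        mode, owner, group, _, acl = by_name.get(user, ["missing", "-", "-", user, []])
        if (mode, owner, group, acl) != ("drwxr-xr-x+", user, "staff", DENY_DELETE):
            findings.append(f"{user}: {mode} {owner}:{group} acl={acl}")
    return findings

def check_home_contents(listing, user):
    """`ls -le /Users/<user>`: subdirectories drwx------+, Public drwxr-xr-x+, each with
    the deny-delete ACL. Plain files are outside the STIG text and skipped."""
    findings = []
    for mode, _, _, name, acl in parse_ls_le(listing):
        want = "drwxr-xr-x+" if name == "Public" else "drwx------+"
        if mode[0] == "d" and (mode != want or acl != DENY_DELETE):
            findings.append(f"{user}/{name}: {mode} acl={acl}")
    return findings
# Constructed listings (not from a real host): bob's home is group-writable, Documents lacks its ACL.
USERS_LISTING = """drwxrwxrwt   4 root   wheel  128 Jan  4 10:00 Shared
drwxr-xr-x+ 12 alice  staff  384 Jan  4 10:00 alice
 0: group:everyone deny delete
drwxrwxr-x+ 12 bob    staff  384 Jan  4 10:00 bob
 0: group:everyone deny delete"""
HOME_LISTING = """drwx------+  3 alice  staff   96 Jan  4 10:00 Desktop
 0: group:everyone deny delete
drwx------   3 alice  staff   96 Jan  4 10:00 Documents
drwxr-xr-x+  4 alice  staff  128 Jan  4 10:00 Public
 0: group:everyone deny delete
-rw-r--r--   1 alice  staff    0 Jan  4 10:00 notes.txt"""
```

macOS ls prints "@" instead of "+" when a directory also carries extended attributes, so an "@" entry reported here is a mode-string mismatch to review by hand, not necessarily a missing ACL.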

QUESTION         : 11 of 11
TITLE            : CAT III, V-257179, SV-257179r958752, SRG-OS-000341-GPOS-00132
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:testaction:7301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.14:question:7301
RULE             : The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
QUESTION_TEXT    : Verify the macOS system is configured to store at least seven days of audit records with the following command:

/usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control

expire-after:7d

If "expire-after" is not set to "7d" or greater, this is a finding.

References:
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************
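Added example (Python; not part of this SCC file or the STIG) that evaluates the "expire-after" value of question 11. It goes beyond the plain "7d" comparison: per audit_control(5) the value may also be a size limit or a time and size limit joined with AND or OR, and an OR with a size limit can expire records before seven days. The audit_control fragments are constructed.

```python
"""Evaluate the audit_control expire-after setting for the seven-day rule.
Added example, not part of the SCC file or the STIG."""
import re

UNIT_SECONDS = {"s": 1, "h": 3600, "d": 86400, "y": 365 * 86400}
MIN_SECONDS = 7 * 86400

def parse_expire_after(audit_control_text):
    """Return the expire-after value from audit_control(5) text, or None if unset.
    The value is a time limit (s/h/d/y), a size limit (B/K/M/G), or both joined
    with AND / OR; comments and other keywords are ignored."""
    for line in audit_control_text.splitlines():
        m = re.match(r"^expire-after:\s*(.+?)\s*$", line)
        if m:
            return m.group(1)
    return None

def evaluate_expire_after(audit_control_text):
    """Finding unless records are kept at least seven days. A size limit joined
    with OR can expire files earlier than the time limit, so it is a finding;
    AND keeps the time limit as a floor. Returns (status, detail)."""
    value = parse_expire_after(audit_control_text)
    if value is None:
        return ("finding", "expire-after is not set")
    terms = re.split(r"\s+(AND|OR)\s+", value)
    times = [int(t[:-1]) * UNIT_SECONDS[t[-1]]
             for t in terms[::2] if re.fullmatch(r"\d+[shdy]", t)]
    if not times:
        return ("finding", f"no time limit in '{value}' (size-only expiry)")
    if "OR" in terms[1::2]:
        return ("finding", f"'{value}': size limit can expire records before the time limit")
    if min(times) < MIN_SECONDS:
        return ("finding", f"'{value}' keeps records less than 7 days")
    return ("not a finding", f"records kept at least {min(times) // 86400} days")

# Constructed audit_control fragments, not captured from a real host.
COMPLIANT = "# constructed fragment\ndir:/var/audit\nflags:lo,aa\nexpire-after:7d\n"
TOO_SHORT = "dir:/var/audit\nexpire-after:48h\n"
SIZE_OR = "dir:/var/audit\nexpire-after:10d OR 1G\n"
SIZE_AND = "dir:/var/audit\nexpire-after:10d AND 1G\n"
```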

