################################################################################
DOCUMENT         : Apple_macOS_15_STIG
VERSION          : 001.004.006
CHECKSUM         : 213e092f3531969c4f6f5d7054217ddb2d065d82de6200ce5c5b7833950a163a
MANUAL QUESTIONS : 3

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 3
TITLE            : CAT II, V-268426, SV-268426r1034218, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:question:1301
RULE             : The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
QUESTION_TEXT    : Verify that a password policy is enforced by a directory service by asking the system administrator (SA) or information system security officer (ISSO).

If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.

If no temporary or emergency accounts are defined on the system, this is not applicable.

To check if the password policy is configured to disable a temporary or emergency account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username:

/usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2

If there is no output, and password policy is not controlled by a directory service, this is a finding.

Otherwise, look for the line "<key>policyCategoryAuthentication</key>".

In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section.

If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.

References:
CCI-000016
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 3
TITLE            : CAT II, V-268534, SV-268534r1034542, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:testaction:22101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:question:22101
RULE             : The macOS system must issue or obtain public key certificates from an approved service provider.
QUESTION_TEXT    : Verify the macOS system is configured to issue or obtain public key certificates from an approved service provider with the following command:

/usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}'

If the result does not contain a list of approved certificate authorities, this is a finding.

References:
CCI-002470
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 3
TITLE            : CAT II, V-268575, SV-268575r1149426, SRG-OS-000439-GPOS-00195
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:testaction:30301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.mscp.content.macOS.15:question:30301
RULE             : The macOS system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
QUESTION_TEXT    : Verify security-relevant software updates are installed on the operating system within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).

Click the Apple icon on the menu at the top left corner of the screen.
Select the "About This Mac" option.
Select the "More Info..." button.
Under the macOS section, there are details about the update version.
Compare this to the latest available macOS update version.

If the installed updates are not the latest and the latest updates have been available for 30 days or more, this is a finding.

References:
CCI-002605
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

