| 1.1 Ensure All Apple-provided Software Is Current | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Ensure Auto Update Is Enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.3 Ensure Download New Updates When Available Is Enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Ensure Installation of App Update Is Enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - ConfigDataInstall | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - CriticalUpdateInstall | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.6 Ensure Install of macOS Updates Is Enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.1 Ensure Show Bluetooth Status in Menu Bar Is Enabled | CONFIGURATION MANAGEMENT |
| 2.2.1 Ensure 'Set time and date automatically' Is Enabled | AUDIT AND ACCOUNTABILITY |
| 2.2.2 Ensure Time Is Set Within Appropriate Limits | AUDIT AND ACCOUNTABILITY |
| 2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled | ACCESS CONTROL |
| 2.4.1 Ensure Remote Apple Events Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.2 Ensure Internet Sharing Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.3 Ensure Screen Sharing Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.4 Ensure Printer Sharing Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.5 Ensure Remote Login Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.6 Ensure DVD or CD Sharing Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.7 Ensure Bluetooth Sharing Is Disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION |
| 2.4.8 Ensure File Sharing Is Disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.9 Ensure Remote Management Is Disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.4.11 Ensure AirDrop Is Disabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.5.1.1 Ensure FileVault Is Enabled - dontAllowFDEDisable | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.1.1 Ensure FileVault Is Enabled - fdesetup | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.1.2 Ensure all user storage APFS volumes are encrypted | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted | IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.2.1 Ensure Firewall Is Enabled | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, INCIDENT RESPONSE, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.5.2.2 Ensure Firewall Stealth Mode Is Enabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.6 Ensure Limit Ad Tracking Is Enabled | CONFIGURATION MANAGEMENT |
| 2.5.7 Ensure Gatekeeper Is Enabled | SYSTEM AND INFORMATION INTEGRITY |
| 2.5.8 Ensure a Custom Message for the Login Screen Is Enabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.5.9 Ensure an Administrator Password Is Required to Access System-Wide Preferences | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPassword | IDENTIFICATION AND AUTHENTICATION |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPasswordDelay | IDENTIFICATION AND AUTHENTICATION |
| 2.7.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled | CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8.1 Ensure Wake for Network Access Is Disabled | CONFIGURATION MANAGEMENT |
| 2.8.2 Ensure Power Nap Is Disabled for Intel Macs | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.9 Ensure Legacy EFI Is Valid and Updating - checked regularly | SYSTEM AND SERVICES ACQUISITION |
| 2.9 Ensure Legacy EFI Is Valid and Updating - valid | SYSTEM AND SERVICES ACQUISITION |
| 2.10 Audit Siri Settings | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.11 Audit Sidecar Settings | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.12 Audit Touch ID and Wallet & Apple Pay Settings | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION |
| 3.1 Ensure Security Auditing Is Enabled | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - all_max | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - ttl | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure Security Auditing Retention Is Enabled | AUDIT AND ACCOUNTABILITY |
| 3.5 Ensure Access to Audit Records Is Controlled - /etc/security/audit_control | ACCESS CONTROL, MEDIA PROTECTION |
| 3.5 Ensure Access to Audit Records Is Controlled - /var/audit | ACCESS CONTROL, MEDIA PROTECTION |
| 3.6 Ensure Firewall Logging Is Enabled and Configured - EnableLogging | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6 Ensure Firewall Logging Is Enabled and Configured - LoggingOption | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
