CIS Apple macOS 11.0 Big Sur v3.0.0 L1

Audit Details

Name: CIS Apple macOS 11.0 Big Sur v3.0.0 L1

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 88

File Details

Filename: CIS_Apple_macOS_11.0_Big_Sur_v3.0.0_L1.audit

Size: 350 kB

MD5: 52d43af5706f3111d962eb817b2926de
SHA256: adf5ca9c47903db6d401a109b656654c780eb9f668799f5091e99a14fe24c4e6

Audit Items

DescriptionCategories
1.1 Ensure All Apple-provided Software Is Current

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.2 Ensure Auto Update Is Enabled

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.3 Ensure Download New Updates When Available Is Enabled

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.4 Ensure Installation of App Update Is Enabled

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - ConfigDataInstall

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - CriticalUpdateInstall

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.6 Ensure Install of macOS Updates Is Enabled

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

2.1.1 Ensure Show Bluetooth Status in Menu Bar Is Enabled

CONFIGURATION MANAGEMENT

2.1.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.2.1 Ensure 'Set time and date automatically' Is Enabled - Set time and date automatically Is Enabled

AUDIT AND ACCOUNTABILITY

2.2.2 Ensure Time Is Set Within Appropriate Limits

AUDIT AND ACCOUNTABILITY

2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled

ACCESS CONTROL

2.4.1 Ensure Remote Apple Events Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.2 Ensure Internet Sharing Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.3 Ensure Screen Sharing Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.4 Ensure Printer Sharing Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.5 Ensure Remote Login Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.6 Ensure DVD or CD Sharing Is Disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.7 Ensure Bluetooth Sharing Is Disabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION

2.4.8 Ensure File Sharing Is Disabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.9 Ensure Remote Management Is Disabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4.11 Ensure AirDrop Is Disabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.5.1.1 Ensure FileVault Is Enabled - dontAllowFDEDisable

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5.1.1 Ensure FileVault Is Enabled - fdesetup

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5.1.2 Ensure all user storage APFS volumes are encrypted

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted

IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5.2.1 Ensure Firewall Is Enabled

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, INCIDENT RESPONSE, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.5.2.2 Ensure Firewall Stealth Mode Is Enabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5.6 Ensure Limit Ad Tracking Is Enabled

CONFIGURATION MANAGEMENT

2.5.7 Ensure Gatekeeper Is Enabled

SYSTEM AND INFORMATION INTEGRITY

2.5.8 Ensure a Custom Message for the Login Screen Is Enabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.5.9 Ensure an Administrator Password Is Required to Access System-Wide Preferences

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPassword

IDENTIFICATION AND AUTHENTICATION

2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPasswordDelay

IDENTIFICATION AND AUTHENTICATION

2.7.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled

CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.8.1 Ensure Wake for Network Access Is Disabled

CONFIGURATION MANAGEMENT

2.8.2 Ensure Power Nap Is Disabled for Intel Macs

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.9 Ensure Legacy EFI Is Valid and Updating - checked regularly

SYSTEM AND SERVICES ACQUISITION

2.9 Ensure Legacy EFI Is Valid and Updating - valid

SYSTEM AND SERVICES ACQUISITION

2.10 Audit Siri Settings

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.11 Audit Sidecar Settings

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.12 Audit Touch ID and Wallet & Apple Pay Settings

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION

2.13 Audit Notification & Focus Settings

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1 Ensure Security Auditing Is Enabled

AUDIT AND ACCOUNTABILITY

3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - all_max

AUDIT AND ACCOUNTABILITY

3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size - ttl

AUDIT AND ACCOUNTABILITY

3.4 Ensure Security Auditing Retention Is Enabled

AUDIT AND ACCOUNTABILITY

3.5 Ensure Access to Audit Records Is Controlled - /etc/security/audit_control

ACCESS CONTROL, MEDIA PROTECTION

3.5 Ensure Access to Audit Records Is Controlled - /var/audit

ACCESS CONTROL, MEDIA PROTECTION