DISA Apple macOS 14 (Sonoma) STIG v2r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Apple macOS 14 (Sonoma) STIG v2r3

Updated: 12/19/2025

Authority: DISA STIG

Plugin: Unix

Revision: 1.2

Estimated Item Count: 156

File Details

Filename: DISA_STIG_Apple_macOS_14_Sonoma_v2r3.audit

Size: 236 kB

MD5: 8822e3596495c0a8597ff960ab3db800

SHA256: 9309aa82d10dda62a8c0c1eaed454d5912edf3ca1ac12d48d62014cb49658ef6

Audit Changelog


Revision 1.2 Dec 19, 2025 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.1 Oct 31, 2025 Miscellaneous Metadata updated. Platform check updated. Variables updated. Added APPL-14-000001 - The macOS system must prevent Apple Watch from terminating a session lock. APPL-14-000002 - The macOS system must enforce screen saver password. APPL-14-000003 - The macOS system must enforce session lock no more than five seconds after screen saver is started. APPL-14-000005 - The macOS system must configure user session lock when a smart token is removed. APPL-14-000007 - The macOS system must disable hot corners. APPL-14-000009 - The macOS system must prevent AdminHostInfo from being available at LoginWindow. APPL-14-000012 - The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. APPL-14-000014 - The macOS system must enforce time synchronization. APPL-14-000022 - The macOS system must limit consecutive failed log on attempts to three. APPL-14-000023 - The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on. APPL-14-000024 - The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner. APPL-14-000025 - The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. APPL-14-000030 - The macOS system must configure audit log files to not contain access control lists. APPL-14-000031 - The macOS system must configure audit log folders to not contain access control lists. APPL-14-000033 - The macOS system must disable FileVault automatic log on. APPL-14-000051 - The macOS system must configure SSHD ClientAliveInterval to 900. APPL-14-000052 - The macOS system must configure SSHD ClientAliveCountMax to 1. APPL-14-000053 - The macOS system must set Login Grace Time to 30. APPL-14-000054 - The macOS system must limit SSHD to FIPS-compliant connections. APPL-14-000057 - The macOS system must limit SSH to FIPS-compliant connections. APPL-14-000060 - The macOS system must set account lockout time to 15 minutes. APPL-14-000070 - The macOS system must enforce screen saver timeout. APPL-14-000090 - The macOS system must disable logon to other user's active and locked sessions. APPL-14-000100 - The macOS system must disable root logon. APPL-14-000110 - The macOS system must configure SSH ServerAliveInterval option set to 900. APPL-14-000120 - The macOS system must configure SSHD Channel Timeout to 900. APPL-14-000130 - The macOS system must configure SSHD unused connection timeout to 900. APPL-14-000140 - The macOS system must set SSH Active Server Alive Maximum to 0. APPL-14-000160 - The macOS system must enforce auto logout after 86400 seconds of inactivity. APPL-14-000170 - The macOS system must be configured to use an authorized time server. APPL-14-000180 - The macOS system must enable time synchronization daemon. APPL-14-001001 - The macOS system must be configured to audit all administrative action events. APPL-14-001002 - The macOS system must be configured to audit all log on and log out events. APPL-14-001003 - The macOS system must enable security auditing. APPL-14-001010 - The macOS system must configure system to shut down upon audit failure. APPL-14-001012 - The macOS system must configure audit log files to be owned by root. APPL-14-001013 - The macOS system must configure audit log folders to be owned by root. APPL-14-001014 - The macOS system must configure audit log files group to wheel. APPL-14-001015 - The macOS system must configure audit log folders group to wheel. APPL-14-001016 - The macOS system must configure audit log files to mode 440 or less permissive. APPL-14-001017 - The macOS system must configure audit log folders to mode 700 or less permissive. APPL-14-001020 - The macOS system must be configured to audit all deletions of object attributes. APPL-14-001021 - The macOS system must be configured to audit all changes of object attributes. APPL-14-001022 - The macOS system must be configured to audit all failed read actions on the system. APPL-14-001023 - The macOS system must be configured to audit all failed write actions on the system. APPL-14-001024 - The macOS system must be configured to audit all failed program execution on the system. APPL-14-001029 - The macOS system must configure audit retention to seven days. APPL-14-001030 - The macOS system must configure audit capacity warning. APPL-14-001031 - The macOS system must configure audit failure notification. APPL-14-001044 - The macOS system must configure the system to audit all authorization and authentication events. APPL-14-001060 - The macOS system must set smart card certificate trust to moderate. APPL-14-001100 - The macOS system must disable root logon for SSH. APPL-14-001110 - The macOS system must configure audit_control group to wheel. APPL-14-001120 - The macOS system must configure audit_control owner to root. APPL-14-001130 - The macOS system must configure audit_control to mode 440 or less permissive. APPL-14-001140 - The macOS system must configure audit_control to not contain access control lists. APPL-14-001150 - The macOS system must disable password authentication for SSH. APPL-14-002001 - The macOS system must disable Server Message Block sharing. APPL-14-002003 - The macOS system must disable Network File System service. APPL-14-002004 - The macOS system must disable Location Services. APPL-14-002005 - The macOS system must disable Bonjour multicast. APPL-14-002006 - The macOS system must disable Unix-to-Unix Copy Protocol service. APPL-14-002007 - The macOS system must disable Internet Sharing. APPL-14-002008 - The macOS system must disable the built-in web server. APPL-14-002009 - The macOS system must disable AirDrop. APPL-14-002010 - The macOS system must disable FaceTime.app. APPL-14-002012 - The macOS system must disable the iCloud Calendar services. APPL-14-002013 - The macOS system must disable iCloud Reminders. APPL-14-002014 - The macOS system must disable iCloud Address Book. APPL-14-002015 - The macOS system must disable iCloud Mail. APPL-14-002016 - The macOS system must disable iCloud Notes. APPL-14-002017 - The macOS system must disable the camera. APPL-14-002020 - The macOS system must disable Siri. APPL-14-002021 - The macOS system must disable sending diagnostic and usage data to Apple. APPL-14-002022 - The macOS system must disable Remote Apple Events. APPL-14-002035 - The macOS system must disable Apple ID setup during Setup Assistant. APPL-14-002036 - The macOS system must disable Privacy Setup services during Setup Assistant. APPL-14-002037 - The macOS system must disable iCloud Storage Setup during Setup Assistant. APPL-14-002038 - The macOS system must disable Trivial File Transfer Protocol service. APPL-14-002039 - The macOS system must disable Siri Setup during Setup Assistant. APPL-14-002040 - The macOS system must disable iCloud Keychain synchronization. APPL-14-002041 - The macOS system must disable iCloud Document synchronization. APPL-14-002042 - The macOS system must disable iCloud Bookmarks. APPL-14-002043 - The macOS system must disable iCloud Photo Library. APPL-14-002050 - The macOS system must disable Screen Sharing and Apple Remote Desktop. APPL-14-002051 - The macOS system must disable the TouchID System Settings pane. APPL-14-002052 - The macOS system must disable the System Settings pane for Wallet and Apple Pay. APPL-14-002053 - The macOS system must disable the system settings pane for Siri. APPL-14-002060 - The macOS system must apply gatekeeper settings to block applications from unidentified developers. APPL-14-002062 - The macOS system must disable Bluetooth when no approved device is connected. APPL-14-002063 - The macOS system must disable the guest account. APPL-14-002064 - The macOS system must enable Gatekeeper. APPL-14-002066 - The macOS system must disable unattended or automatic log on to the system. APPL-14-002068 - The macOS system must secure user's home folders. APPL-14-002069 - The macOS system must require administrator privileges to modify systemwide settings. APPL-14-002080 - The macOS system must disable Airplay Receiver. APPL-14-002090 - The macOS system must disable TouchID for unlocking the device. APPL-14-002100 - The macOS system must disable Media Sharing. APPL-14-002110 - The macOS system must disable Bluetooth sharing. APPL-14-002120 - The macOS system must disable AppleID and Internet Account modifications. APPL-14-002130 - The macOS system must disable CD/DVD Sharing. APPL-14-002140 - The macOS system must disable content caching service. APPL-14-002150 - The macOS system must disable iCloud desktop and document folder synchronization. APPL-14-002160 - The macOS system must disable iCloud Game Center. APPL-14-002170 - The macOS system must disable iCloud Private Relay. APPL-14-002180 - The macOS system must disable Find My service. APPL-14-002190 - The macOS system must disable password autofill. APPL-14-002200 - The macOS system must disable personalized advertising. APPL-14-002210 - The macOS system must disable sending Siri and Dictation information to Apple. APPL-14-002220 - The macOS system must enforce on device dictation. APPL-14-002230 - The macOS system must disable dictation. APPL-14-002240 - The macOS system must disable Printer Sharing. APPL-14-002250 - The macOS system must disable Remote Management. APPL-14-002260 - The macOS system must disable the Bluetooth system settings pane. APPL-14-002270 - The macOS system must disable the iCloud Freeform services. APPL-14-003001 - The macOS system must issue or obtain public key certificates from an approved service provider. APPL-14-003007 - The macOS system must require passwords contain a minimum of one numeric character. APPL-14-003008 - The macOS system must restrict maximum password lifetime to 60 days. APPL-14-003010 - The macOS system must require a minimum password length of 14 characters. APPL-14-003011 - The macOS system must require passwords contain a minimum of one special character. APPL-14-003012 - The macOS system must disable password hints. APPL-14-003013 - The macOS system must enable firmware password. APPL-14-003014 - The macOS system must remove password hints from user accounts. APPL-14-003020 - The macOS system must enforce smart card authentication. APPL-14-003030 - The macOS system must allow smart card authentication. APPL-14-003050 - The macOS system must enforce multifactor authentication for logon. APPL-14-003051 - The macOS system must enforce multifactor authentication for the su command. APPL-14-003052 - The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. APPL-14-003060 - The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character. APPL-14-003070 - The macOS system must set minimum password lifetime to 24 hours. APPL-14-003080 - The macOS system must disable accounts after 35 days of inactivity. APPL-14-004001 - The macOS system must configure Apple System Log files to be owned by root and group to wheel. APPL-14-004002 - The macOS system must configure Apple System Log files to mode 640 or less permissive. APPL-14-004022 - The macOS system must require users to reauthenticate for privilege escalation when using the \"sudo\" command. APPL-14-004030 - The macOS system must configure system log files to be owned by root and group to wheel. APPL-14-004040 - The macOS system must configure system log files to mode 640 or less permissive. APPL-14-004050 - The macOS system must configure install.log retention to 365. APPL-14-004060 - The macOS system must configure sudoers timestamp type. APPL-14-005001 - The macOS system must ensure System Integrity Protection is enabled. APPL-14-005020 - The macOS system must enforce FileVault. APPL-14-005050 - The macOS system must enable the application firewall. APPL-14-005052 - The macOS system must configure login window to prompt for username and password. APPL-14-005054 - The macOS system must disable TouchID prompt during Setup Assistant. APPL-14-005055 - The macOS system must disable Screen Time prompt during Setup Assistant. APPL-14-005056 - The macOS system must disable Unlock with Apple Watch during Setup Assistant. APPL-14-005058 - The macOS system must disable Handoff. APPL-14-005060 - The macOS system must disable proximity-based password sharing requests. APPL-14-005061 - The macOS system must disable Erase Content and Settings. APPL-14-005070 - The macOS system must enable Authenticated Root. APPL-14-005080 - The macOS system must prohibit user installation of software into /users/. APPL-14-005090 - The macOS system must authorize USB devices before allowing connection. APPL-14-005100 - The macOS system must ensure secure boot level set to full. APPL-14-005110 - The macOS system must enforce enrollment in mobile device management. APPL-14-005120 - The macOS system must enable recovery lock. APPL-14-005130 - The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. DISA_STIG_Apple_macOS_14_Sonoma_v2r3.audit from DISA Apple macOS 14 (Sonoma) STIG v2r3 Removed APPL-14-000001 The macOS system must prevent Apple Watch from terminating a session lock. APPL-14-000002 The macOS system must enforce screen saver password. APPL-14-000003 The macOS system must enforce session lock no more than five seconds after screen saver is started. APPL-14-000005 The macOS system must configure user session lock when a smart token is removed. APPL-14-000007 The macOS system must disable hot corners. APPL-14-000009 The macOS system must prevent AdminHostInfo from being available at LoginWindow. APPL-14-000012 The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. APPL-14-000014 The macOS system must enforce time synchronization. APPL-14-000022 The macOS system must limit consecutive failed log on attempts to three. APPL-14-000023 The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on. APPL-14-000024 The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner. APPL-14-000025 The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window. APPL-14-000030 The macOS system must configure audit log files to not contain access control lists. APPL-14-000031 The macOS system must configure audit log folders to not contain access control lists. APPL-14-000033 The macOS system must disable FileVault automatic log on. APPL-14-000051 The macOS system must configure SSHD ClientAliveInterval to 900. APPL-14-000052 The macOS system must configure SSHD ClientAliveCountMax to 1. APPL-14-000053 The macOS system must set Login Grace Time to 30. APPL-14-000054 The macOS system must limit SSHD to FIPS-compliant connections. APPL-14-000057 The macOS system must limit SSH to FIPS-compliant connections. APPL-14-000060 The macOS system must set account lockout time to 15 minutes. APPL-14-000070 The macOS system must enforce screen saver timeout. APPL-14-000090 The macOS system must disable logon to other user's active and locked sessions. APPL-14-000100 The macOS system must disable root logon. APPL-14-000110 The macOS system must configure SSH ServerAliveInterval option set to 900. APPL-14-000120 The macOS system must configure SSHD Channel Timeout to 900. APPL-14-000130 The macOS system must configure SSHD unused connection timeout to 900. APPL-14-000140 The macOS system must set SSH Active Server Alive Maximum to 0. APPL-14-000160 The macOS system must enforce auto logout after 86400 seconds of inactivity. APPL-14-000170 The macOS system must be configured to use an authorized time server. APPL-14-000180 The macOS system must enable time synchronization daemon. APPL-14-001001 The macOS system must be configured to audit all administrative action events. APPL-14-001002 The macOS system must be configured to audit all log on and log out events. APPL-14-001003 The macOS system must enable security auditing. APPL-14-001010 The macOS system must configure system to shut down upon audit failure. APPL-14-001012 The macOS system must configure audit log files to be owned by root. APPL-14-001013 The macOS system must configure audit log folders to be owned by root. APPL-14-001014 The macOS system must configure audit log files group to wheel. APPL-14-001015 The macOS system must configure audit log folders group to wheel. APPL-14-001016 The macOS system must configure audit log files to mode 440 or less permissive. APPL-14-001017 The macOS system must configure audit log folders to mode 700 or less permissive. APPL-14-001020 The macOS system must be configured to audit all deletions of object attributes. APPL-14-001021 The macOS system must be configured to audit all changes of object attributes. APPL-14-001022 The macOS system must be configured to audit all failed read actions on the system. APPL-14-001023 The macOS system must be configured to audit all failed write actions on the system. APPL-14-001024 The macOS system must be configured to audit all failed program execution on the system. APPL-14-001029 The macOS system must configure audit retention to seven days. APPL-14-001030 The macOS system must configure audit capacity warning. APPL-14-001031 The macOS system must configure audit failure notification. APPL-14-001044 The macOS system must configure the system to audit all authorization and authentication events. APPL-14-001060 The macOS system must set smart card certificate trust to moderate. APPL-14-001100 The macOS system must disable root logon for SSH. APPL-14-001110 The macOS system must configure audit_control group to wheel. APPL-14-001120 The macOS system must configure audit_control owner to root. APPL-14-001130 The macOS system must configure audit_control to mode 440 or less permissive. APPL-14-001140 The macOS system must configure audit_control to not contain access control lists. APPL-14-001150 The macOS system must disable password authentication for SSH. APPL-14-002001 The macOS system must disable Server Message Block sharing. APPL-14-002003 The macOS system must disable Network File System service. APPL-14-002004 The macOS system must disable Location Services. APPL-14-002005 The macOS system must disable Bonjour multicast. APPL-14-002006 The macOS system must disable Unix-to-Unix Copy Protocol service. APPL-14-002007 The macOS system must disable Internet Sharing. APPL-14-002008 The macOS system must disable the built-in web server. APPL-14-002009 The macOS system must disable AirDrop. APPL-14-002010 The macOS system must disable FaceTime.app. APPL-14-002012 The macOS system must disable the iCloud Calendar services. APPL-14-002013 The macOS system must disable iCloud Reminders. APPL-14-002014 The macOS system must disable iCloud Address Book. APPL-14-002015 The macOS system must disable iCloud Mail. APPL-14-002016 The macOS system must disable iCloud Notes. APPL-14-002017 The macOS system must disable the camera. APPL-14-002020 The macOS system must disable Siri. APPL-14-002021 The macOS system must disable sending diagnostic and usage data to Apple. APPL-14-002022 The macOS system must disable Remote Apple Events. APPL-14-002035 The macOS system must disable Apple ID setup during Setup Assistant. APPL-14-002036 The macOS system must disable Privacy Setup services during Setup Assistant. APPL-14-002037 The macOS system must disable iCloud Storage Setup during Setup Assistant. APPL-14-002038 The macOS system must disable Trivial File Transfer Protocol service. APPL-14-002039 The macOS system must disable Siri Setup during Setup Assistant. APPL-14-002040 The macOS system must disable iCloud Keychain synchronization. APPL-14-002041 The macOS system must disable iCloud Document synchronization. APPL-14-002042 The macOS system must disable iCloud Bookmarks. APPL-14-002043 The macOS system must disable iCloud Photo Library. APPL-14-002050 The macOS system must disable Screen Sharing and Apple Remote Desktop. APPL-14-002051 The macOS system must disable the TouchID System Settings pane. APPL-14-002052 The macOS system must disable the System Settings pane for Wallet and Apple Pay. APPL-14-002053 The macOS system must disable the system settings pane for Siri. APPL-14-002060 The macOS system must apply gatekeeper settings to block applications from unidentified developers. APPL-14-002062 The macOS system must disable Bluetooth when no approved device is connected. APPL-14-002063 The macOS system must disable the guest account. APPL-14-002064 The macOS system must enable Gatekeeper. APPL-14-002066 The macOS system must disable unattended or automatic log on to the system. APPL-14-002068 The macOS system must secure user's home folders. APPL-14-002069 The macOS system must require administrator privileges to modify systemwide settings. APPL-14-002080 The macOS system must disable Airplay Receiver. APPL-14-002090 The macOS system must disable TouchID for unlocking the device. APPL-14-002100 The macOS system must disable Media Sharing. APPL-14-002110 The macOS system must disable Bluetooth sharing. APPL-14-002120 The macOS system must disable AppleID and Internet Account modifications. APPL-14-002130 The macOS system must disable CD/DVD Sharing. APPL-14-002140 The macOS system must disable content caching service. APPL-14-002150 The macOS system must disable iCloud desktop and document folder synchronization. APPL-14-002160 The macOS system must disable iCloud Game Center. APPL-14-002170 The macOS system must disable iCloud Private Relay. APPL-14-002180 The macOS system must disable Find My service. APPL-14-002190 The macOS system must disable password autofill. APPL-14-002200 The macOS system must disable personalized advertising. APPL-14-002210 The macOS system must disable sending Siri and Dictation information to Apple. APPL-14-002220 The macOS system must enforce on device dictation. APPL-14-002230 The macOS system must disable dictation. APPL-14-002240 The macOS system must disable Printer Sharing. APPL-14-002250 The macOS system must disable Remote Management. APPL-14-002260 The macOS system must disable the Bluetooth system settings pane. APPL-14-002270 The macOS system must disable the iCloud Freeform services. APPL-14-003001 The macOS system must issue or obtain public key certificates from an approved service provider. APPL-14-003007 The macOS system must require passwords contain a minimum of one numeric character. APPL-14-003008 The macOS system must restrict maximum password lifetime to 60 days. APPL-14-003010 The macOS system must require a minimum password length of 14 characters. APPL-14-003011 The macOS system must require passwords contain a minimum of one special character. APPL-14-003012 The macOS system must disable password hints. APPL-14-003013 The macOS system must enable firmware password. APPL-14-003014 The macOS system must remove password hints from user accounts. APPL-14-003020 The macOS system must enforce smart card authentication. APPL-14-003030 The macOS system must allow smart card authentication. APPL-14-003050 The macOS system must enforce multifactor authentication for logon. APPL-14-003051 The macOS system must enforce multifactor authentication for the su command. APPL-14-003052 The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. APPL-14-003060 The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character. APPL-14-003070 The macOS system must set minimum password lifetime to 24 hours. APPL-14-003080 The macOS system must disable accounts after 35 days of inactivity. APPL-14-004001 The macOS system must configure Apple System Log files to be owned by root and group to wheel. APPL-14-004002 The macOS system must configure Apple System Log files to mode 640 or less permissive. APPL-14-004022 The macOS system must require users to reauthenticate for privilege escalation when using the \"sudo\" command. APPL-14-004030 The macOS system must configure system log files to be owned by root and group to wheel. APPL-14-004040 The macOS system must configure system log files to mode 640 or less permissive. APPL-14-004050 The macOS system must configure install.log retention to 365. APPL-14-004060 The macOS system must configure sudoers timestamp type. APPL-14-005001 The macOS system must ensure System Integrity Protection is enabled. APPL-14-005020 The macOS system must enforce FileVault. APPL-14-005050 The macOS system must enable the application firewall. APPL-14-005052 The macOS system must configure login window to prompt for username and password. APPL-14-005054 The macOS system must disable TouchID prompt during Setup Assistant. APPL-14-005055 The macOS system must disable Screen Time prompt during Setup Assistant. APPL-14-005056 The macOS system must disable Unlock with Apple Watch during Setup Assistant. APPL-14-005058 The macOS system must disable Handoff. APPL-14-005060 The macOS system must disable proximity-based password sharing requests. APPL-14-005061 The macOS system must disable Erase Content and Settings. APPL-14-005070 The macOS system must enable Authenticated Root. APPL-14-005080 The macOS system must prohibit user installation of software into /users/. APPL-14-005090 The macOS system must authorize USB devices before allowing connection. APPL-14-005100 The macOS system must ensure secure boot level set to full. APPL-14-005110 The macOS system must enforce enrollment in mobile device management. APPL-14-005120 The macOS system must enable recovery lock. APPL-14-005130 The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. DISA_STIG_Apple_macOS_14_Sonoma_v2r3.audit from DISA Apple macOS 14 (Sonoma) v2r3 STIG

Detections

Analytics

DISA Apple macOS 14 (Sonoma) STIG v2r3

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

Added

Removed

Detections

Analytics

DISA Apple macOS 14 (Sonoma) STIG v2r3 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

Added

Removed

DISA Apple macOS 14 (Sonoma) STIG v2r3