| AOSX-13-001235 - The macOS system must have unused network devices disabled. | DISA STIG Apple Mac OSX 10.13 v2r5 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-13-001275 - The macOS system must be configured to disable Web Sharing. | DISA STIG Apple Mac OSX 10.13 v2r5 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-13-001465 - The macOS system must use a DoD antivirus program. | DISA STIG Apple Mac OSX 10.13 v2r5 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-13-002060 - The macOS system must be integrated into a directory services infrastructure. | DISA STIG Apple Mac OSX 10.13 v2r5 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-13-100001 - The macOS system must be a supported release. | DISA STIG Apple Mac OSX 10.13 v2r5 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-000005 - The macOS system must be configured to lock the user session when a smart token is removed. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000007 - The macOS system must be configured to disable hot corners - top right | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission - OpenSSH version | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission - SSHD service disabled | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-000016 - The macOS system must be integrated into a directory services infrastructure. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-000020 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000023 - The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the operating system. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000024 - The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000032 - The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup - DisableFDEAutologin | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL |
| AOSX-14-000053 - The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-000054 - The macOS system must implement approved Ciphers to protect the confidentiality of SSH connections. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| AOSX-14-000055 - The macOS system must use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| AOSX-14-001015 - The macOS system must be configured with audit log folders group-owned by wheel. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-14-001100 - The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-002003 - The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002013 - The macOS system must be configured to disable the iCloud Reminders services. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002014 - The macOS system must be configured to disable iCloud Address Book services. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002017 - The macOS system must cover or disable the built-in or attached camera when not in use. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-002020 - The macOS system must be configured to disable Siri and dictation - Ironwood Allowed | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002034 - The macOS system must be configured to disable the Siri Setup services. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002039 - The macOS system must disable Siri pop-ups. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002043 - The macOS system must disable iCloud photo library - DisabledPreferencePanes | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002049 - The macOS system must disable Cloud Document Sync. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002051 - The macOS system must be configured to disable the system preference pane for TouchID - HiddenPreferencePanes | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-002065 - The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders - Home directory ACLs | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-003008 - The macOS system must enforce a 60-day maximum password lifetime restriction. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-003010 - The macOS system must enforce a minimum 15-character password length. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-003011 - The macOS system must enforce password complexity by requiring that at least one special character be used - allowSimple | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-003011 - The macOS system must enforce password complexity by requiring that at least one special character be used - minComplexChars | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-14-003024 - The macOS system must use multifactor authentication in the establishment of nonlocal maintenance and diagnostic sessions - enforceSmartCard | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | MAINTENANCE |
| AOSX-14-004002 - The macOS system must be configured with system log files set to mode 640 or less permissive - Newsyslog | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AOSX-15-000005 - The macOS system must be configured to lock the user session when a smart token is removed. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | ACCESS CONTROL |
| AOSX-15-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions, including transmitted data and data during preparation for transmission, and use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications - OpenSSH version | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-15-000014 - The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS) - Network Time Server | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-15-000025 - The macOS system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting GUI access to the system - Banner file | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | ACCESS CONTROL |
| AOSX-15-000031 - The macOS system must be configured so that log folders must not contain access control lists (ACLs). | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-15-001001 - The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MAINTENANCE |
| AOSX-15-001014 - The macOS system must be configured with audit log files group-owned by wheel. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-15-001015 - The macOS system must be configured with audit log folders group-owned by wheel. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-15-001030 - The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | AUDIT AND ACCOUNTABILITY |
| AOSX-15-001100 - The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | IDENTIFICATION AND AUTHENTICATION |
| AOSX-15-002003 - The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required. | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | CONFIGURATION MANAGEMENT |
