macOS 14 - Sonoma STIG V1R1

STIG ID CCI Title
APPL-14-000001 CCI-000056 The macOS system must prevent Apple Watch from terminating a session lock.
APPL-14-000002 CCI-000056 The macOS system must enforce screen saver password.
APPL-14-000003 CCI-000056 The macOS system must enforce session lock no more than five seconds after screen saver is started.
APPL-14-000005 CCI-000058 The macOS system must configure user session lock when a smart token is removed.
APPL-14-000007 CCI-000060 The macOS system must disable hot corners.
APPL-14-000009 CCI-000057 The macOS system must prevent AdminHostInfo from being available at LoginWindow.
APPL-14-000012 CCI-000016 The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.
APPL-14-000014 CCI-001891 The macOS system must enforce time synchronization.
APPL-14-000015 CCI-001233 The macOS system must employ automated mechanisms to determine the state of system components.
APPL-14-000016 CCI-000366 The macOS system must be integrated into a directory services infrastructure.
APPL-14-000022 CCI-000044 The macOS system must limit consecutive failed log on attempts to three.
APPL-14-000023 CCI-000048 The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at remote log on.
APPL-14-000024 CCI-000048 The macOS system must enforce SSH to display the Standard Mandatory DOD Notice and Consent Banner.
APPL-14-000025 CCI-000048 The macOS system must display the Standard Mandatory DOD Notice and Consent Banner at the login window.
APPL-14-000030 CCI-000162 The macOS system must configure audit log files to not contain access control lists.
APPL-14-000031 CCI-000162 The macOS system must configure audit log folders to not contain access control lists.
APPL-14-000033 CCI-000213 The macOS system must disable FileVault automatic log on.
APPL-14-000051 CCI-001133 The macOS system must configure SSHD ClientAliveInterval to 900.
APPL-14-000052 CCI-001133 The macOS system must configure SSHD ClientAliveCountMax to 1.
APPL-14-000053 CCI-001133 The macOS system must set Login Grace Time to 30.
APPL-14-000054 CCI-000068 The macOS system must limit SSHD to FIPS-compliant connections.
APPL-14-000057 CCI-000068 The macOS system must limit SSH to FIPS-compliant connections.
APPL-14-000060 CCI-000044 The macOS system must set account lockout time to 15 minutes.
APPL-14-000070 CCI-000057 The macOS system must enforce screen saver timeout.
APPL-14-000080 CCI-000213 The macOS system must enable SSH server for remote access sessions.
APPL-14-000090 CCI-000764 The macOS system must disable logon to other user's active and locked sessions.
APPL-14-000100 CCI-000764 The macOS system must disable root logon.
APPL-14-000110 CCI-001133 The macOS system must configure SSH ServerAliveInterval option set to 900.
APPL-14-000120 CCI-001133 The macOS system must configure SSHD Channel Timeout to 900.
APPL-14-000130 CCI-001133 The macOS system must configure SSHD unused connection timeout to 900.
APPL-14-000140 CCI-001133 The macOS system must set SSH Active Server Alive Maximum to 0.
APPL-14-000160 CCI-002361 The macOS system must enforce auto logout after 86400 seconds of inactivity.
APPL-14-000170 CCI-001891 The macOS system must be configured to use an authorized time server.
APPL-14-000180 CCI-001891 The macOS system must enable time synchronization daemon.
APPL-14-001001 CCI-000018 The macOS system must be configured to audit all administrative action events.
APPL-14-001002 CCI-000067 The macOS system must be configured to audit all log on and log out events.
APPL-14-001003 CCI-000130 The macOS system must enable security auditing.
APPL-14-001010 CCI-000140 The macOS system must configure system to shut down upon audit failure.
APPL-14-001012 CCI-000162 The macOS system must configure audit log files to be owned by root.
APPL-14-001013 CCI-000162 The macOS system must configure audit log folders to be owned by root.
APPL-14-001014 CCI-000162 The macOS system must configure audit log files group to wheel.
APPL-14-001015 CCI-000162 The macOS system must configure audit log folders group to wheel.
APPL-14-001016 CCI-000162 The macOS system must configure audit log files to mode 440 or less permissive.
APPL-14-001017 CCI-000162 The macOS system must configure audit log folders to mode 700 or less permissive.
APPL-14-001020 CCI-000162 The macOS system must be configured to audit all deletions of object attributes.
APPL-14-001021 CCI-000162 The macOS system must be configured to audit all changes of object attributes.
APPL-14-001022 CCI-000162 The macOS system must be configured to audit all failed read actions on the system.
APPL-14-001023 CCI-000162 The macOS system must be configured to audit all failed write actions on the system.
APPL-14-001024 CCI-000172 The macOS system must be configured to audit all failed program execution on the system.
APPL-14-001029 CCI-001849 The macOS system must configure audit retention to seven days.
APPL-14-001030 CCI-000139 The macOS system must configure audit capacity warning.
APPL-14-001031 CCI-000140 The macOS system must configure audit failure notification.
APPL-14-001044 CCI-000172 The macOS system must configure system to audit all authorization and authentication events.
APPL-14-001060 CCI-000185 The macOS system must set smart card certificate trust to moderate.
APPL-14-001100 CCI-000770 The macOS system must disable root logon for SSH.
APPL-14-001110 CCI-000162 The macOS system must configure audit_control group to wheel.
APPL-14-001120 CCI-000162 The macOS system must configure audit_control owner to root.
APPL-14-001130 CCI-000162 The macOS system must configure audit_control to mode 440 or less permissive.
APPL-14-001140 CCI-000162 The macOS system must configure audit_control to not contain access control lists.
APPL-14-001150 CCI-000186 The macOS system must disable password authentication for SSH.
APPL-14-002001 CCI-000213 The macOS system must disable Server Message Block sharing.
APPL-14-002003 CCI-000213 The macOS system must disable Network File System service.
APPL-14-002004 CCI-000381 The macOS system must disable Location Services.
APPL-14-002005 CCI-000381 The macOS system must disable Bonjour multicast.
APPL-14-002006 CCI-000213 The macOS system must disable Unix-to-Unix Copy Protocol service.
APPL-14-002007 CCI-000381 The macOS system must disable Internet Sharing.
APPL-14-002008 CCI-000213 The macOS system must disable the built-in web server.
APPL-14-002009 CCI-000213 The macOS system must disable AirDrop.
APPL-14-002010 CCI-000381 The macOS system must disable FaceTime.app.
APPL-14-002012 CCI-000381 The macOS system must disable the iCloud Calendar services.
APPL-14-002013 CCI-000381 The macOS system must disable iCloud Reminders.
APPL-14-002014 CCI-000381 The macOS system must disable iCloud Address Book.
APPL-14-002015 CCI-000381 The macOS system must disable iCloud Mail.
APPL-14-002016 CCI-000381 The macOS system must disable iCloud Notes.
APPL-14-002017 CCI-000381 The macOS system must disable the camera.
APPL-14-002020 CCI-000381 The macOS system must disable Siri.
APPL-14-002021 CCI-001312 The macOS system must disable sending diagnostic and usage data to Apple.
APPL-14-002022 CCI-000213 The macOS system must disable Remote Apple Events.
APPL-14-002035 CCI-000381 The macOS system must disable Apple ID setup during Setup Assistant.
APPL-14-002036 CCI-000381 The macOS system must disable Privacy Setup services during Setup Assistant.
APPL-14-002037 CCI-000381 The macOS system must disable iCloud Storage Setup during Setup Assistant.
APPL-14-002038 CCI-000197 The macOS system must disable Trivial File Transfer Protocol service.
APPL-14-002039 CCI-000381 The macOS system must disable Siri Setup during Setup Assistant.
APPL-14-002040 CCI-000381 The macOS system must disable iCloud Keychain synchronization.
APPL-14-002041 CCI-000381 The macOS system must disable iCloud Document synchronization.
APPL-14-002042 CCI-000381 The macOS system must disable iCloud Bookmarks.
APPL-14-002043 CCI-000381 The macOS system must disable iCloud Photo Library.
APPL-14-002050 CCI-000213 The macOS system must disable Screen Sharing and Apple Remote Desktop.
APPL-14-002051 CCI-000381 The macOS system must disable the TouchID System Settings pane.
APPL-14-002052 CCI-000381 The macOS system must disable the System Settings pane for Wallet and Apple Pay.
APPL-14-002053 CCI-000381 The macOS system must disable the system settings pane for Siri.
APPL-14-002060 CCI-001749 The macOS system must apply gatekeeper settings to block applications from unidentified developers.
APPL-14-002062 CCI-002418 The macOS system must disable Bluetooth when no approved device is connected.
APPL-14-002063 CCI-001813 The macOS system must disable the guest account.
APPL-14-002064 CCI-001749 The macOS system must enable Gatekeeper.
APPL-14-002066 CCI-000366 The macOS system must disable unattended or automatic log on to the system.
APPL-14-002068 CCI-000366 The macOS system must secure user's home folders.
APPL-14-002069 CCI-002235 The macOS system must require administrator privileges to modify systemwide settings.
APPL-14-002080 CCI-000381 The macOS system must disable Airplay Receiver.
APPL-14-002090 CCI-000056 The macOS system must disable TouchID for unlocking the device.
APPL-14-002100 CCI-000213 The macOS system must disable Media Sharing.
APPL-14-002110 CCI-000213 The macOS system must disable Bluetooth sharing.
APPL-14-002120 CCI-000381 The macOS system must disable AppleID and Internet Account modifications.
APPL-14-002130 CCI-000381 The macOS system must disable CD/DVD Sharing.
APPL-14-002140 CCI-000381 The macOS system must disable content caching service.
APPL-14-002150 CCI-000381 The macOS system must disable iCloud desktop and document folder synchronization.
APPL-14-002160 CCI-000381 The macOS system must disable iCloud Game Center.
APPL-14-002170 CCI-000381 The macOS system must disable iCloud Private Relay.
APPL-14-002180 CCI-000381 The macOS system must disable Find My service.
APPL-14-002190 CCI-000381 The macOS system must disable password autofill.
APPL-14-002200 CCI-000381 The macOS system must disable personalized advertising.
APPL-14-002210 CCI-000381 The macOS system must disable sending Siri and Dictation information to Apple.
APPL-14-002220 CCI-000381 The macOS system must enforce on device dictation.
APPL-14-002230 CCI-000381 The macOS system must disable dictation.
APPL-14-002240 CCI-000381 The macOS system must disable Printer Sharing.
APPL-14-002250 CCI-000381 The macOS system must disable Remote Management.
APPL-14-002260 CCI-000381 The macOS system must disable the Bluetooth system settings pane.
APPL-14-002270 CCI-000381 The macOS system must disable the iCloud Freeform services.
APPL-14-003001 CCI-002470 The macOS system must issue or obtain public key certificates from an approved service provider.
APPL-14-003007 CCI-000194 The macOS system must require passwords contain a minimum of one numeric character.
APPL-14-003008 CCI-000199 The macOS system must restrict maximum password lifetime to 60 days.
APPL-14-003009 CCI-000200 The macOS system must prohibit password reuse for a minimum of five generations.
APPL-14-003010 CCI-000205 The macOS system must require a minimum password length of 14 characters.
APPL-14-003011 CCI-001619 The macOS system must require passwords contain a minimum of one special character.
APPL-14-003012 CCI-000206 The macOS system must disable password hints.
APPL-14-003013 CCI-000366 The macOS system must enable firmware password.
APPL-14-003014 CCI-000206 The macOS system must remove password hints from user accounts.
APPL-14-003020 CCI-000186 The macOS system must enforce smart card authentication.
APPL-14-003030 CCI-000187 The macOS system must allow smart card authentication.
APPL-14-003050 CCI-000765 The macOS system must enforce multifactor authentication for logon.
APPL-14-003051 CCI-000765 The macOS system must enforce multifactor authentication for the su command.
APPL-14-003052 CCI-000765 The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
APPL-14-003060 CCI-000192 The macOS system must require passwords contain a minimum of one lowercase character and one uppercase character.
APPL-14-003070 CCI-000198 The macOS system must set minimum password lifetime to 24 hours.
APPL-14-003080 CCI-000795 The macOS system must disable accounts after 35 days of inactivity.
APPL-14-004001 CCI-001312 The macOS system must configure Apple System Log files to be owned by root and group to wheel.
APPL-14-004002 CCI-001312 The macOS system must configure Apple System Log files to mode 640 or less permissive.
APPL-14-004022 CCI-002038 The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
APPL-14-004030 CCI-001312 The macOS system must configure system log files to be owned by root and group to wheel.
APPL-14-004040 CCI-001312 The macOS system must configure system log files to mode 640 or less permissive.
APPL-14-004050 CCI-001849 The macOS system must configure install.log retention to 365.
APPL-14-004060 CCI-002038 The macOS system must configure sudoers timestamp type.
APPL-14-005001 CCI-000154 The macOS system must ensure System Integrity Protection is enabled.
APPL-14-005020 CCI-001199 The macOS system must enforce FileVault.
APPL-14-005050 CCI-000366 The macOS system must enable the application firewall.
APPL-14-005052 CCI-000764 The macOS system must configure login window to prompt for username and password.
APPL-14-005054 CCI-000381 The macOS system must disable TouchID prompt during Setup Assistant.
APPL-14-005055 CCI-000381 The macOS system must disable Screen Time prompt during Setup Assistant.
APPL-14-005056 CCI-000381 The macOS system must disable Unlock with Apple Watch during Setup Assistant.
APPL-14-005058 CCI-000213 The macOS system must disable Handoff.
APPL-14-005060 CCI-000381 The macOS system must disable proximity-based password sharing requests.
APPL-14-005061 CCI-000381 The macOS system must disable Erase Content and Settings.
APPL-14-005070 CCI-000213 The macOS system must enable Authenticated Root.
APPL-14-005080 CCI-001812 The macOS system must prohibit user installation of software into /users/.
APPL-14-005090 CCI-001958 The macOS system must authorize USB devices before allowing connection.
APPL-14-005100 CCI-002696 The macOS system must ensure secure boot level set to full.
APPL-14-005110 CCI-000366 The macOS system must enforce enrollment in mobile device management.
APPL-14-005120 CCI-000366 The macOS system must enable recovery lock.
APPL-14-005130 CCI-000366 The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
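Several of the rules above pin concrete values that can be verified from a captured configuration file rather than a live host: the SSH daemon timeouts (APPL-14-000051/52/53/120/130), SSH root logon and password authentication (APPL-14-001100, APPL-14-001150), and the audit_control retention, capacity warning, failure policy and audit classes (APPL-14-001001/1002/1010/1029/1030/1044). The script below is an added example, not DISA's check or fix text and not Apple or mSCP code. The required values for the SSH directives are taken from the titles above; the "session:*=900" spelling of ChannelTimeout, the audit class names lo/aa/ad, the ahlt policy keyword and the minfree setting follow the macOS Security Compliance Project baseline and are assumptions here. The sample configuration files it writes are constructed for the demo, not captured from a real host, and the FIPS cipher rules (APPL-14-000054/57) are not checked because the page does not list the algorithm sets.

```shell
#!/bin/sh
# Added example, not part of the STIG or DISA tooling: audit an sshd
# configuration and an audit_control file against the values the Sonoma STIG
# titles call for. On a real host capture the effective sshd settings with
# `sudo sshd -T > /tmp/sshd.txt` (drop-ins under /etc/ssh/sshd_config.d
# override the main file and -T prints the merged result), then point the
# functions at that file and at /etc/security/audit_control.

# Directive -> required value. Keys are the lowercase form printed by `sshd -T`;
# raw sshd_config files are matched case-insensitively. The timeout, root logon
# and password authentication values come from the STIG titles; writing
# ChannelTimeout as "session:*=900" is an assumption about the syntax.
sshd_expected() {
  cat <<'EOF'
clientaliveinterval 900
clientalivecountmax 1
logingracetime 30
unusedconnectiontimeout 900
channeltimeout session:*=900
permitrootlogin no
passwordauthentication no
EOF
}

# One line per non-compliant directive (last occurrence of a key wins, comment
# lines are ignored); prints nothing when the file is compliant.
sshd_stig_findings() {
  cfg="$1"
  sshd_expected | while read -r key want; do
    have=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == k { v = $2 } END { print v }' "$cfg")
    if [ -z "$have" ]; then
      echo "$key: not set (want $want)"
    elif [ "$have" != "$want" ]; then
      echo "$key: $have (want $want)"
    fi
  done
}

# Value of one key in an audit_control file (key:value, one per line).
audit_control_value() {
  awk -F: -v k="$2" '$1 == k { sub(/^[^:]*:/, ""); print }' "$1"
}

# audit_control findings. Seven-day retention is from the page; the class
# names lo/aa/ad (logon/logout, authentication/authorization, administrative
# actions), the minfree capacity warning and the ahlt policy (halt on audit
# failure) follow the mSCP baseline and are assumptions here.
audit_control_findings() {
  f="$1"
  [ "$(audit_control_value "$f" expire-after)" = 7d ] ||
    echo "expire-after: $(audit_control_value "$f" expire-after) (want 7d)"
  [ -n "$(audit_control_value "$f" minfree)" ] ||
    echo "minfree: not set (no capacity warning)"
  case ",$(audit_control_value "$f" policy)," in
    *,ahlt,*) ;;
    *) echo "policy: missing ahlt (system will not halt on audit failure)" ;;
  esac
  for class in lo aa ad; do
    case ",$(audit_control_value "$f" flags)," in
      *,"$class",*) ;;
      *) echo "flags: missing audit class $class" ;;
    esac
  done
}

# Exit-status wrapper: 0 when the given findings function reports nothing.
stig_compliant() { # usage: stig_compliant <findings-function> <file>
  [ "$("$1" "$2" | awk 'END { print NR }')" -eq 0 ]
}

# Constructed sample files (not captured from a real host) so the checks run offline.
write_sample_configs() {
  cat > "$1/sshd_bad" <<'EOF'
# stock-looking sshd_config that fails the STIG
ClientAliveInterval 0
ClientAliveCountMax 3
LoginGraceTime 2m
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
  cat > "$1/sshd_good" <<'EOF'
ClientAliveInterval 900
ClientAliveCountMax 1
LoginGraceTime 30
UnusedConnectionTimeout 900
ChannelTimeout session:*=900
PermitRootLogin no
PasswordAuthentication no
EOF
  cat > "$1/audit_bad" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
  cat > "$1/audit_good" <<'EOF'
dir:/var/audit
flags:lo,aa,ad,-fr,-fw,-ex,fd,fm
minfree:25
naflags:lo,aa
policy:ahlt,argv
filesz:2M
expire-after:7d
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in sshd_bad sshd_good; do echo "== $f"; sshd_stig_findings "$demo_dir/$f"; done
for f in audit_bad audit_good; do echo "== $f"; audit_control_findings "$demo_dir/$f"; done
rm -r "$demo_dir"
```

Two caveats when running this against a real host: check the output of `sshd -T` rather than the raw file, because a later drop-in or a `Match` block can override what /etc/ssh/sshd_config says; and remember that the `ahlt` policy required by APPL-14-001010 really does halt the machine when the audit subsystem fails (for example when /var/audit fills up), so the minfree warning and the retention setting are what keep that halt from happening in practice.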