Apple macOS 11 (Big Sur) STIG Version Comparison

Apple macOS 11 (Big Sur) Security Technical Implementation Guide

Comparison

There are 6 differences between versions v1 r1 (Nov. 20, 2020) (the "left" version) and v1 r2 (April 23, 2021) (the "right" version).

Check APPL-11-002061 was removed from the benchmark in the "right" version. The text below reflects the old wording.


Text Differences

Title

The macOS system must be configured so that end users cannot override Gatekeeper settings.

Check Content

To verify only applications downloaded from the App Store are allowed to run, type the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableOverride

If the return is null, or is not:

DisableOverride = 1;

This is a finding.
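The pass/fail rule of this check, written as a shell function that evaluates profile output supplied on stdin. This is an added example, not part of the STIG; the function name, the sample profile text, and the choice to treat any value other than 1 in any installed profile as a finding are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG. Applies the check's pass/fail rule to
# `system_profiler SPConfigurationProfileDataType` output supplied on stdin.

# Constructed sample inputs (not captured from a real host).
SAMPLE_COMPLIANT='Example Restrictions Profile:
    Settings:
        DisableOverride = 1;'
SAMPLE_OVERRIDABLE='Example Restrictions Profile:
    Settings:
        DisableOverride = 0;'
SAMPLE_MIXED='Example Profile A:
    DisableOverride = 1;
Example Profile B:
    DisableOverride = 0;'

# Hypothetical helper: returns 0 when not a finding, 1 when a finding.
evaluate_disable_override() {
    # Same filter as the check; "|| true" keeps a null result non-fatal.
    matches=$(grep 'DisableOverride' || true)

    # "If the return is null ... this is a finding."
    if [ -z "$matches" ]; then
        echo "FINDING: DisableOverride is not set by any installed profile"
        return 1
    fi

    # Strip whitespace so indentation does not affect the comparison, then
    # collect every matched line that is not exactly "DisableOverride = 1;".
    bad=$(printf '%s\n' "$matches" | sed 's/[[:space:]]//g' \
          | grep -v -x 'DisableOverride=1;' || true)

    # "... or is not: DisableOverride = 1; this is a finding."
    # Assumption: one non-compliant profile among several is still a finding.
    if [ -n "$bad" ]; then
        echo "FINDING: unexpected value(s): $bad"
        return 1
    fi

    echo "NOT A FINDING: DisableOverride = 1;"
    return 0
}

# On a managed Mac, feed it the command from the check text:
#   /usr/sbin/system_profiler SPConfigurationProfileDataType | evaluate_disable_override
```

The non-zero return on a finding lets the function be called from a compliance scan wrapper that aggregates exit codes.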

Discussion

Gatekeeper must be configured with a configuration profile to prevent normal users from overriding its setting. If users are allowed to disable Gatekeeper or set it to a less restrictive setting, malware could be introduced into the system. Gatekeeper is a security feature that ensures applications must be digitally signed by an Apple-issued certificate in order to run. Digital signatures allow the macOS host to verify the application has not been modified by a malicious third party.

Fix

This setting is enforced using the "RestrictionsPolicy" configuration profile.