Check: APPL-11-005001
Apple macOS 11 (Big Sur) STIG:
APPL-11-005001
(in versions v1 r8 through v1 r1)
Title
The macOS system must enable System Integrity Protection. (Cat II impact)
Discussion
System Integrity Protection (SIP) is vital to the protection of the integrity of macOS. SIP restricts what actions can be performed by administrative users, including root, against protected parts of the operating system. SIP protects all system binaries, including audit tools, from unauthorized access by preventing the modification or deletion of system binaries, or the changing of the permissions associated with those binaries. SIP limits the privileges to change software resident within software libraries to processes that have signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. By protecting audit binaries, SIP ensures the presence of an audit record generation capability for DoD-defined auditable events for all operating system components and supports on-demand and after-the-fact reporting requirements. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142
Check Content
System Integrity Protection is a security feature, enabled by default, that protects certain system processes and files from being modified or tampered with. Check the current status of "System Integrity Protection" with the following command: /usr/bin/csrutil status If the result does not show the following, this is a finding. System Integrity Protection status: enabled
Fix Text
To re-enable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the following command: /usr/bin/csrutil enable
Additional Identifiers
Rule ID: SV-230845r855705_rule
Vulnerability ID: V-230845
Group Title: SRG-OS-000051-GPOS-00024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000158 |
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-001493 |
The information system protects audit tools from unauthorized access. |
CCI-001494 |
The information system protects audit tools from unauthorized modification. |
CCI-001495 |
The information system protects audit tools from unauthorized deletion. |
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
CCI-001875 |
The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
CCI-001876 |
The information system provides an audit reduction capability that supports on-demand reporting requirements. |
CCI-001877 |
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |
CCI-001878 |
The information system provides a report generation capability that supports on-demand audit review and analysis. |
CCI-001879 |
The information system provides a report generation capability that supports on-demand reporting requirements. |
CCI-001880 |
The information system provides a report generation capability that supports after-the-fact investigations of security incidents. |
CCI-001881 |
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. |
CCI-001882 |
The information system provides a report generation capability that does not alter original content or time ordering of audit records. |