Check: APPL-13-005001
Apple macOS 13 (Ventura) STIG: APPL-13-005001 (in versions v1 r4 through v1 r1)
Title
The macOS system must enable System Integrity Protection. (Cat I impact)
Discussion
System Integrity Protection (SIP) is vital to the protection of the integrity of macOS. SIP restricts what actions can be performed by administrative users, including root, against protected parts of the operating system. SIP protects all system binaries, including audit tools, from unauthorized access by preventing the modification or deletion of system binaries, or the changing of the permissions associated with those binaries. SIP limits the privileges to change software resident within software libraries to processes that have been signed by Apple and have special entitlements to write to system files, such as Apple software updates and Apple installers. By protecting audit binaries, SIP ensures the presence of an audit record generation capability for DOD-defined auditable events for all operating system components and supports on-demand and after-the-fact reporting requirements. The XProtect program is part of the SIP component and is integral to protecting the operating system from malware and malicious code.
Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142
Check Content
Verify the macOS system is configured to enable System Integrity Protection with the following command:
/usr/bin/csrutil status
Expected output:
System Integrity Protection status: enabled.
If "System Integrity Protection" is not set to "enabled", this is a finding.
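As an added example (not part of the STIG text), a POSIX shell function that applies the APPL-13-005001 criterion to the first line of `csrutil status` output; the function name and the constructed sample outputs are assumptions, and the live call runs only where /usr/bin/csrutil exists.

```shell
#!/bin/sh
# Added example: evaluate the APPL-13-005001 criterion against csrutil output.
# sip_finding takes the status line as an argument (so the logic can be exercised
# offline with constructed output), prints a verdict and returns 0 when compliant,
# 1 when the rule is a finding.
sip_finding() {
    status_text="$1"
    case "$status_text" in
        "System Integrity Protection status: enabled.")
            echo "APPL-13-005001: SIP enabled, not a finding"
            return 0 ;;
        *)
            # Anything other than the exact "enabled." line (disabled, an
            # unexpected status, or no output at all) is a Cat I finding.
            echo "APPL-13-005001: SIP not 'enabled' -> FINDING (Cat I)"
            echo "  csrutil reported: ${status_text:-<no output>}"
            return 1 ;;
    esac
}

if [ -x /usr/bin/csrutil ]; then
    # Live check on macOS: only the first line carries the overall status.
    sip_finding "$(/usr/bin/csrutil status 2>&1 | head -n 1)" || exit 1
else
    # No csrutil on this host: run the logic on constructed sample outputs.
    sip_finding "System Integrity Protection status: enabled."        # constructed: compliant
    sip_finding "System Integrity Protection status: disabled." || :  # constructed: finding
fi
```

On a macOS host the script exits non-zero on a finding, so it can feed a larger compliance-scan wrapper.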
Fix Text
Configure the macOS system to enable "System Integrity Protection" by booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following command:
/usr/bin/csrutil enable
Additional Identifiers
Rule ID: SV-257240r905353_rule
Vulnerability ID: V-257240
Group Title: SRG-OS-000051-GPOS-00024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000154 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000158 | The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
CCI-000169 | The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-001493 | The information system protects audit tools from unauthorized access. |
CCI-001494 | The information system protects audit tools from unauthorized modification. |
CCI-001495 | The information system protects audit tools from unauthorized deletion. |
CCI-001499 | The organization limits privileges to change software resident within software libraries. |
CCI-001875 | The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
CCI-001876 | The information system provides an audit reduction capability that supports on-demand reporting requirements. |
CCI-001877 | The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |
CCI-001878 | The information system provides a report generation capability that supports on-demand audit review and analysis. |
CCI-001879 | The information system provides a report generation capability that supports on-demand reporting requirements. |
CCI-001880 | The information system provides a report generation capability that supports after-the-fact investigations of security incidents. |
CCI-001881 | The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. |
CCI-001882 | The information system provides a report generation capability that does not alter original content or time ordering of audit records. |