Check: APPL-14-005001
Apple macOS 14 (Sonoma) STIG: APPL-14-005001 (in versions v1 r2 through v1 r1)
Title
The macOS system must ensure System Integrity Protection is enabled. (Cat I impact)
Discussion
System Integrity Protection (SIP) must be enabled. SIP is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents nonprivileged users from granting other users direct access to the contents of their home directories and folders.

Note: SIP is enabled by default in macOS.

Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000062-GPOS-00031, SRG-OS-000080-GPOS-00048, SRG-OS-000122-GPOS-00063, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000278-GPOS-00108, SRG-OS-000350-GPOS-00138
Check Content
Verify the macOS system is configured to enable System Integrity Protection with the following command:

/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'

If the result is not "1", this is a finding.

Then verify /etc/security/audit_warn with the following command:

/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn

If the result is not "1", this is a finding.
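The two checks above, scripted as an added example (not part of the STIG or any DISA tool). The functions take the csrutil output text and the audit_warn path as parameters, which is an assumption made so the logic can be exercised on captured output off-host; the sample values at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not part of the STIG text: evaluates the two APPL-14-005001
# checks exactly as the Check Content specifies (each grep -c result must be "1").
# Assumptions: sip_enabled() is given the text printed by `/usr/bin/csrutil
# status`; audit_warn_ok() is given the path of an audit_warn file.

# Passes only when exactly one line reports SIP enabled. grep -c counts lines,
# so zero matches, a different status text, or duplicate lines all fail.
sip_enabled() {
    count=$(printf '%s\n' "$1" | grep -c 'System Integrity Protection status: enabled.') || true
    [ "$count" = "1" ]
}

# Passes only when exactly one line of audit_warn invokes "logger -s -p".
# A missing or unreadable file yields an empty count and therefore fails.
audit_warn_ok() {
    count=$(grep -c "logger -s -p" "$1" 2>/dev/null) || true
    [ "$count" = "1" ]
}

# Runs both checks and prints a per-check verdict. Returns 0 (not a finding)
# only when both pass; any failure returns 1 (finding).
appl_14_005001() {
    status=0
    if sip_enabled "$1"; then
        echo "SIP status:  pass"
    else
        echo "SIP status:  FINDING (csrutil did not report enabled)"; status=1
    fi
    if audit_warn_ok "$2"; then
        echo "audit_warn:  pass"
    else
        echo "audit_warn:  FINDING (no single 'logger -s -p' line in $2)"; status=1
    fi
    return $status
}

# On a live macOS 14 host, feed the real command output and file path.
check_live_host() {
    appl_14_005001 "$(/usr/bin/csrutil status 2>/dev/null)" /etc/security/audit_warn
}

# Constructed sample csrutil output for offline review.
SIP_ENABLED_OUTPUT='System Integrity Protection status: enabled.'
SIP_DISABLED_OUTPUT='System Integrity Protection status: disabled.'
```

Because the rule compares the grep -c count to exactly "1", any csrutil status text other than the enabled line, and any audit_warn file with zero or several logger lines, is reported as a finding.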
Fix Text
Configure the macOS system to enable System Integrity Protection by booting into Recovery mode, launching Terminal from the Utilities menu, and running the following command:

/usr/bin/csrutil enable
Additional Identifiers
Rule ID: SV-259560r941302_rule
Vulnerability ID: V-259560
Group Title: SRG-OS-000051-GPOS-00024
CCIs
Number | Definition |
---|---|
CCI-000154 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000158 | The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
CCI-000162 | The information system protects audit information from unauthorized access. |
CCI-000163 | The information system protects audit information from unauthorized modification. |
CCI-000164 | The information system protects audit information from unauthorized deletion. |
CCI-000169 | The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001493 | The information system protects audit tools from unauthorized access. |
CCI-001494 | The information system protects audit tools from unauthorized modification. |
CCI-001495 | The information system protects audit tools from unauthorized deletion. |
CCI-001496 | The information system implements cryptographic mechanisms to protect the integrity of audit tools. |
CCI-001499 | The organization limits privileges to change software resident within software libraries. |
CCI-001876 | The information system provides an audit reduction capability that supports on-demand reporting requirements. |
CCI-001878 | The information system provides a report generation capability that supports on-demand audit review and analysis. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |
AU-6 (4) | Central Review And Analysis |
AU-7 | Audit Reduction And Report Generation |
AU-7 (1) | Automatic Processing |
AU-9 | Protection Of Audit Information |
AU-9 (3) | Cryptographic Protection |
AU-12 | Audit Generation |
CM-5 (6) | Limit Library Privileges |