Check: APPL-15-005001
Apple macOS 15 (Sequoia) STIG:
APPL-15-005001
(in versions v1 r4 through v1 r1)
Title
The macOS system must ensure System Integrity Protection is enabled. (Cat I impact)
Discussion
System Integrity Protection is vital to protecting the integrity of the system as it prevents malicious users and software from making unauthorized and/or unintended modifications to protected files and folders; ensures the presence of an audit record generation capability for defined auditable events for all operating system components; protects audit tools from unauthorized access, modification, and deletion; restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS; and prevents nonprivileged users from granting other users direct access to the contents of their home directories and folders.

NOTE: System Integrity Protection is enabled by default in macOS.

Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000062-GPOS-00031, SRG-OS-000080-GPOS-00048, SRG-OS-000122-GPOS-00063, SRG-OS-000138-GPOS-00069, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000259-GPOS-00100, SRG-OS-000278-GPOS-00108, SRG-OS-000350-GPOS-00138
Check Content
Verify the macOS system is configured to enable System Integrity Protection with the following command:

```
/usr/bin/csrutil status | /usr/bin/grep -c 'System Integrity Protection status: enabled.'
```

If the result is not "1", this is a finding.
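As an added example (not part of the STIG text), the shell function below applies the check above to the text `csrutil status` prints, so it can be exercised offline against constructed sample outputs and also run live on a Mac; the sample status strings are constructed to model what csrutil prints when SIP is enabled, disabled, or left in a custom configuration, and the latter two both count as findings because the check requires exactly one match of the literal "enabled." line.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate APPL-15-005001 against the
# text that `csrutil status` prints. The STIG check counts lines matching
# the literal 'System Integrity Protection status: enabled.' and treats any
# count other than exactly 1 as a finding, so a fully disabled SIP and a
# custom (partially disabled) configuration both fail.

# sip_result STATUS_TEXT -> prints "pass" or "FINDING"
sip_result() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    count=$(printf '%s\n' "$1" | grep -c 'System Integrity Protection status: enabled.' || true)
    if [ "$count" = "1" ]; then
        echo pass
    else
        echo FINDING
    fi
}

# Constructed sample outputs, modelled on what csrutil prints.
SIP_ENABLED='System Integrity Protection status: enabled.'
SIP_DISABLED='System Integrity Protection status: disabled.'
SIP_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).'

# Live check on a Mac: use the absolute path, as the STIG does, so a
# modified PATH cannot substitute a different binary. Skipped elsewhere.
if [ -x /usr/bin/csrutil ]; then
    echo "APPL-15-005001: $(sip_result "$(/usr/bin/csrutil status)")"
fi
```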
Fix Text
Configure the macOS system to enable System Integrity Protection by booting into "Recovery" mode, launching "Terminal" from the "Utilities" menu, and running the following command:

```
/usr/bin/csrutil enable
```
Additional Identifiers
Rule ID: SV-268555r1034605_rule
Vulnerability ID: V-268555
Group Title: SRG-OS-000051-GPOS-00024
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000154 | Provide the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-000158 | Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-000162 | Protect audit information from unauthorized access. |
| CCI-000163 | Protect audit information from unauthorized modification. |
| CCI-000164 | Protect audit information from unauthorized deletion. |
| CCI-000169 | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| CCI-001090 | Prevent unauthorized and unintended information transfer via shared system resources. |
| CCI-001493 | Protect audit tools from unauthorized access. |
| CCI-001494 | Protect audit tools from unauthorized modification. |
| CCI-001495 | Protect audit tools from unauthorized deletion. |
| CCI-001496 | Implement cryptographic mechanisms to protect the integrity of audit tools. |
| CCI-001499 | Limit privileges to change software resident within software libraries. |
| CCI-001876 | Provide an audit reduction capability that supports on-demand reporting requirements. |
| CCI-001878 | Provide a report generation capability that supports on-demand audit review and analysis. |
Controls
| Number | Title |
|---|---|
| AC-3 | Access Enforcement |
| AU-6(4) | Central Review and Analysis |
| AU-7 | Audit Record Reduction and Report Generation |
| AU-7(1) | Automatic Processing |
| AU-9 | Protection of Audit Information |
| AU-9(3) | Cryptographic Protection |
| AU-12 | Audit Record Generation |
| CM-5(6) | Limit Library Privileges |
| SC-4 | Information in Shared System Resources |