Title

The macOS system must prohibit user installation of software into /users/. (Cat II impact)

Discussion

Users must not be allowed to install software into /users/. Allowing regular users without explicit privileges to install software presents the risk of untested and potentially malicious software being installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. [IMPORTANT] ==== Apple has deprecated the use of application restriction controls (https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70). Using these controls may not work as expected. Third party software may be required to fulfill the compliance requirements. ====

Check Content

Verify the macOS system is configured to prohibit user installation of software into /users/ with the following command: /usr/bin/osascript -l JavaScript << EOS function run() { let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('familyControlsEnabled')) let pathlist = $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess.new')\ .objectForKey('pathBlackList').js for ( let app in pathlist ) { if ( ObjC.unwrap(pathlist[app]) == "/Users/" && pref1 == true ){ return("true") } } return("false") } EOS If the result is not "true", this is a finding.

Fix Text

Configure the macOS system to prohibit user installation of software into /users/ by installing the "com.apple.applicationaccess.new" configuration profile.

Additional Identifiers

Rule ID: SV-268566r1034638_rule

Vulnerability ID: V-268566

Group Title: SRG-OS-000362-GPOS-00149

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.