Check: APPL-15-003001
Apple macOS 15 (Sequoia) STIG:
APPL-15-003001
(in versions v1 r3 through v1 r1)
Title
The macOS system must issue or obtain public key certificates from an approved service provider. (Cat II impact)
Discussion
The organization must issue or obtain public key certificates from an organization-approved service provider and ensure only approved trust anchors are in the System Keychain. Satisfies: SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230
Check Content
Verify the macOS system is configured to issue or obtain public key certificates from an approved service provider with the following command: /usr/bin/security dump-keychain /Library/Keychains/System.keychain | /usr/bin/awk -F'"' '/labl/ {print $4}' If the result does not contain a list of approved certificate authorities, this is a finding.
Fix Text
Configure the macOS system to issue or obtain public key certificates from an approved service provider by obtaining the approved certificates from the appropriate authority and install them to the System Keychain.
Additional Identifiers
Rule ID: SV-268534r1034542_rule
Vulnerability ID: V-268534
Group Title: SRG-OS-000403-GPOS-00182
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002470 |
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions. |
| CCI-004909 |
Include only approved trust anchors in trust stores or certificate stores managed by the organization. |
Controls
| Number | Title |
|---|---|
| SC-23(5) |
Allowed Certificate Authorities |