Repository: https://github.com/sambacha/macos-secure-profiles (owner sambacha; language Shell; topics: macos, secure-boot, stig-compliant; last pushed 2023-09-22; no license file; the repository also ships an `audit.sh`)

Description: macOS Security Profiles based off of STIG, developed by Apple and DISA for the DoD
# macOS

[TOC]

> https://docs.google.com/spreadsheets/d/e/2PACX-1vQWtGb4Ul56y1RWjpqWFhSX1Lmp2j8w8aHdJl8-fQhzAEalyuamefbCytQ8POe0XMseYlwVJn4Vq614/pubhtml

### The macOS system must allow only applications that have a valid digital signature to run.

Vulnerability Discussion: Gatekeeper settings must be configured so that the system only runs applications signed with a valid Apple Developer ID certificate. Administrator users will still have the option to override these settings on a per-app basis. Gatekeeper is a security feature that ensures that applications must be digitally signed by an Apple-issued certificate in order to run.
Digital signatures allow the macOS host to verify that the application has not been modified by a malicious third party.

#### Check Content

Identify any unsigned applications that have been installed on the system:

```bash
/usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -B 3 -A 4 -e "Obtained from: Unknown" | /usr/bin/grep -v -e "Location: /Library/Application Support/Script Editor/Templates" -e "Location: /System/Library/" | /usr/bin/awk -F "Location: " '{print $2}' | /usr/bin/sort -u
```

If any results are returned and are not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. "Obtained from: Unknown" means the bundle is not signed with an Apple-issued (App Store or Developer ID) certificate; `codesign --verify --deep --strict` and `spctl --assess --type execute` on an individual bundle give a definitive per-application answer.

Verify only applications with a valid digital signature are allowed to run:

```bash
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(EnableAssessment|AllowIdentifiedDevelopers)'
```

(The original pattern, `'(EnableAssessment | AllowIdentifiedDevelopers)'`, makes the spaces part of each alternative and only matches because `system_profiler` indents its output.)

If the return is null or is not the following, this is a finding:

```
AllowIdentifiedDevelopers = 1;
EnableAssessment = 1;
```

These values show what an installed profile requests; whether assessment is actually being enforced is what `spctl --status` in the next requirement reports.

Fix Text: This setting is enforced using the "Restrictions Policy" configuration profile.
### The macOS system must have the security assessment policy subsystem enabled.

Vulnerability Discussion: Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.

Accordingly, software defined by the organization as critical must be signed with a certificate that is recognized and approved by the organization.

#### Check Content

To check the status of the security assessment policy subsystem, run the following command:

```bash
/usr/sbin/spctl --status 2> /dev/null | /usr/bin/grep enabled
```

If "assessments enabled" is not returned, this is a finding.

Fix Text: To enable the security assessment policy subsystem, run the following command:

```bash
/usr/bin/sudo /usr/sbin/spctl --master-enable
```

On macOS 13 and later `--master-enable` is deprecated; `spctl --global-enable` is the replacement and `spctl --status` reports the same state either way.

### The macOS system must not allow an unattended or automatic logon to the system.

Vulnerability Discussion: Failure to restrict system access to authenticated users negatively impacts operating system security.

#### Check Content

To check if the system is configured to automatically log on, run the following command:

```bash
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAutoLoginClient
```

If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.

Fix Text: This setting is enforced using the "Login Window Policy" configuration profile.
CCI: CCI-000366

### The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.

Vulnerability Discussion: Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.

Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230

#### Check Content

To verify that permissions are set correctly on user home directories, use the following commands:

```bash
ls -le /Users
```

This returns a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions should be "drwxr-xr-x+" with the user listed as the owner and the group listed as "staff". The plus (+) sign indicates an associated Access Control List, which should be:

```
 0: group:everyone deny delete
```

For every authorized user account, also run the following command, where userid is an existing user:

```bash
/usr/bin/sudo ls -le /Users/userid
```

This command returns the permissions of all of the objects under the user's home directory. The permissions for each of the subdirectories should be:

```
drwx------+
 0: group:everyone deny delete
```

With the exception of the "Public" directory, whose permissions should match the following:

```
drwxr-xr-x+
 0: group:everyone deny delete
```

If the permissions returned by either of these checks differ from what is shown, this is a finding.

Fix Text: To ensure the appropriate permissions are set for each user on the system, run the following command, where userid is the user name of the user whose home directory permissions need to be repaired (the numeric UID form, `$(id -u userid)`, is the one Apple's support documentation uses):

```bash
diskutil resetUserPermissions / $(id -u userid)
```
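The listing check above has to pair every directory line with the ACL line printed under it, which is the part that is easy to get wrong when scripting it. The following is an added example, not code from the repository: a parser for `ls -le` output that applies the expected mode, owner, group and ACL to each entry and reports the differences. The two listings in it are constructed, not captured from a real Mac, and `/Users/Shared` is skipped because it is not a home directory.

```bash
#!/bin/sh
# Added example (not from the repository): audit "ls -le" output against the
# home-directory permission requirement.  Every entry line is followed by its
# ACL entries, so the parser pairs each directory with the ACL lines under it.

# audit_home_listing MODE GROUP [PUBLIC_MODE] [OWNER]
#   MODE         expected mode string, e.g. drwxr-xr-x+ for /Users, drwx------+ inside a home
#   GROUP        expected group, or "-" to skip the group check
#   PUBLIC_MODE  expected mode of an entry named Public (defaults to MODE)
#   OWNER        expected owner, "=name" for "owner must equal the entry name", "-" to skip
# Reads the listing on stdin, prints one "finding:" line per violation and
# exits non-zero if there was any.  /Users/Shared is not a home directory and is skipped.
audit_home_listing() {
    awk -v want_mode="$1" -v want_group="$2" -v public_mode="${3:-$1}" -v want_owner="${4:--}" '
        function report(msg) { printf "finding: %s %s\n", name, msg; bad++ }
        function flush() {
            if (name == "" || name == "Shared") return
            expect = (name == "Public") ? public_mode : want_mode
            if (mode != expect) report("mode " mode " (expected " expect ")")
            if (want_group != "-" && group != want_group) report("group " group " (expected " want_group ")")
            if (want_owner == "=name" && owner != name) report("owner " owner " (expected " name ")")
            if (want_owner != "-" && want_owner != "=name" && owner != want_owner) report("owner " owner " (expected " want_owner ")")
            if (!acl_ok) report("missing ACL \"0: group:everyone deny delete\"")
        }
        # entry line: mode links owner group size month day time name...
        /^[d-]/ {
            flush()
            mode = $1; owner = $3; group = $4; acl_ok = 0
            name = $0
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", name)   # drop the 8 fixed columns, keep names with spaces
            sub(/^[ \t]+/, "", name)
            next
        }
        # ACL line printed under the entry: " 0: group:everyone deny delete"
        /^[ \t]*[0-9]+:/ { if ($2 == "group:everyone" && $3 == "deny" && $4 == "delete") acl_ok = 1 }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed "ls -le /Users" output: alice is compliant, bob's home is
# group-writable, carol's home has neither the "+" nor an ACL line.
USERS_LISTING='total 0
drwxrwxrwt   4 root   wheel  128 Jan 18 09:00 Shared
drwxr-xr-x+ 14 alice  staff  448 Jan 18 09:00 alice
 0: group:everyone deny delete
drwxrwxr-x+ 14 bob    staff  448 Jan 18 09:00 bob
 0: group:everyone deny delete
drwxr-xr-x  14 carol  staff  448 Jan 18 09:00 carol'

# Constructed "sudo ls -le /Users/alice" output, compliant, and a variant
# with a world-readable Sites directory.
HOME_LISTING_OK='total 0
drwx------+  3 alice  staff   96 Jan 18 09:00 Desktop
 0: group:everyone deny delete
drwx------+  5 alice  staff  160 Jan 18 09:00 Documents
 0: group:everyone deny delete
drwx------+ 60 alice  staff 1920 Jan 18 09:00 Library
 0: group:everyone deny delete
drwxr-xr-x+  4 alice  staff  128 Jan 18 09:00 Public
 0: group:everyone deny delete'
HOME_LISTING_BAD="$HOME_LISTING_OK
drwxr-xr-x+  3 alice  staff   96 Jan 18 09:00 Sites
 0: group:everyone deny delete"

printf '%s\n' "$USERS_LISTING"    | audit_home_listing 'drwxr-xr-x+' staff 'drwxr-xr-x+' =name || :
printf '%s\n' "$HOME_LISTING_BAD" | audit_home_listing 'drwx------+' staff 'drwxr-xr-x+' alice || :
```

On a live system the two checks become `ls -le /Users | audit_home_listing 'drwxr-xr-x+' staff 'drwxr-xr-x+' =name` and `sudo ls -le /Users/userid | audit_home_listing 'drwx------+' staff 'drwxr-xr-x+' userid`; a non-zero exit status means at least one finding.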
### The macOS system must authenticate peripherals before establishing a connection.

Vulnerability Discussion: Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.

#### Check Content

To check that macOS is configured to require authentication for all system preference panes, use the following command:

```bash
/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences | grep -A1 shared
```

If what is returned does not include the following, this is a finding:

```
    <key>shared</key>
    <false/>
```

The `shared` flag controls whether a credential obtained for this right may be shared with other rights; with it set to `true`, one administrator authentication unlocks every pane that relies on `system.preferences` until the cached credential expires.

Fix Text: To ensure that authentication is required to access all system-level preference panes, use the following procedure.

Copy the authorization database entry to a file using the following command:

```bash
/usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > ~/Desktop/authdb.txt
```

Edit the file to change:

```
    <key>shared</key>
    <true/>
```

to read:

```
    <key>shared</key>
    <false/>
```

Reload the authorization database with the following command:

```bash
/usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < ~/Desktop/authdb.txt
```

### The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

Vulnerability Discussion: Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down.
Setting a firmware password restricts access to these tools.

#### Check Content

For Apple Silicon-based systems, this is Not Applicable: there is no firmware password, and access to the boot picker and recovery tools is governed by the Secure Boot policy set in Startup Security Utility and by the credentials of the Mac's administrator accounts.

For Intel-based systems, to ensure that a firmware password is set, run the following command:

```bash
sudo /usr/sbin/firmwarepasswd -check
```

If the return is not "Password Enabled: Yes", this is a finding.

Fix Text: To set a firmware passcode, use the following command:

```bash
sudo /usr/sbin/firmwarepasswd -setpasswd
```

Note: If the firmware password or passcode is forgotten, the only way to reset it is through the use of a machine-specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated.

### The macOS system must be configured so that the login command requires smart card authentication.

Vulnerability Discussion: Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements.
Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

#### Check Content

For systems that are not utilizing smart card authentication, this is Not Applicable.

To verify that the "login" command has been configured to require smart card authentication, run the following command:

```bash
grep -n -i pam_smartcard.so /etc/pam.d/login
```

If the output does not show "auth sufficient pam_smartcard.so" as the first `auth` entry of the file (line 2, directly after the `# login: auth account password session` comment in the file below), this is a finding. `grep -n` prints the line number so the position is visible; the original `cat /etc/pam.d/login | grep -i pam_smartcard.so` only shows that the line exists somewhere.

Fix Text: Make a backup of the PAM login settings using the following command:

```bash
sudo cp /etc/pam.d/login /etc/pam.d/login_backup_$(date "+%Y-%m-%d_%H:%M")
```

Replace the contents of "/etc/pam.d/login" with the following:

```
# login: auth account password session
auth        sufficient     pam_smartcard.so
auth        optional       pam_krb5.so use_kcminit
auth        optional       pam_ntlm.so try_first_pass
auth        optional       pam_mount.so try_first_pass
auth        required       pam_opendirectory.so try_first_pass
auth        required       pam_deny.so
account     required       pam_nologin.so
account     required       pam_opendirectory.so
password    required       pam_opendirectory.so
session     required       pam_launchd.so
session     required       pam_uwtmp.so
session     optional       pam_mount.so
```

The trailing `auth required pam_deny.so` is what makes the smart card mandatory: a password accepted by `pam_opendirectory.so` is still followed by the unconditional failure of `pam_deny.so`, so only the `sufficient` smart card module, which returns success immediately, can complete the auth stack.

### The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.

Vulnerability Discussion: System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct owner mitigates this risk.

#### Check Content

Some system log files are controlled by "newsyslog" and "aslmanager"; their configuration in /etc/newsyslog.conf, /etc/newsyslog.d/, /etc/asl.conf and /etc/asl/ also decides which owner, group and mode each newly rotated log file receives.
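Because the rotation configuration, and not only the files currently on disk, decides what ownership and mode the next log file gets, it is worth auditing that configuration directly. The following is an added example, not code from the repository, and it covers both this requirement and the mode requirement that follows it: a POSIX sh audit of newsyslog.conf and asl.conf text. It relies on the documented formats (an optional owner:group column in newsyslog.conf, `> path key=value ...` output lines in asl.conf), treats gid 0 as wheel and gid 80 as admin, and runs on constructed sample configs rather than the real files.

```bash
#!/bin/sh
# Added example (not from the repository): audit newsyslog.conf and asl.conf
# text for the owner/group and mode rules of the two log-file requirements.
# The sample configs at the bottom are constructed for this example.

# mode_ok MODE: true when MODE (640 or 0640 style) is 640 or less permissive,
# i.e. each octal digit only has bits that 6 / 4 / 0 have.  A leading
# setuid/setgid/sticky digit is ignored.
mode_ok() {
    m=$1
    case $m in ????) m=${m#?} ;; esac
    case $m in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    u=${m%??}; go=${m#?}; g=${go%?}; o=${go#?}
    case $u in 0|2|4|6) ;; *) return 1 ;; esac
    case $g in 0|4)     ;; *) return 1 ;; esac
    [ "$o" = 0 ]
}

# audit_newsyslog: newsyslog.conf text on stdin.  Format (newsyslog.conf(5)):
#   logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
# The owner:group column is optional, so the mode is field 2 or field 3.
# Ownership problems are reported for review (service logs may legitimately
# belong to a service account); mode problems are findings.
audit_newsyslog() {
    while read -r path f2 f3 rest; do
        case $path in ''|'#'*) continue ;; esac
        case $f2 in
            *:*) owner=${f2%%:*}; group=${f2#*:}; mode=$f3 ;;
            *)   owner=; group=; mode=$f2 ;;
        esac
        [ -n "$owner" ] && [ "$owner" != root ] &&
            printf 'review: %s owner %s (expected root or the service account)\n' "$path" "$owner"
        [ -n "$group" ] && [ "$group" != wheel ] && [ "$group" != admin ] &&
            printf 'review: %s group %s (expected wheel, admin or the service group)\n' "$path" "$group"
        mode_ok "$mode" ||
            printf 'finding: %s mode %s is more permissive than 640\n' "$path" "$mode"
    done
}

# audit_asl: asl.conf text on stdin.  Output files are declared as
#   > /path/to/log key=value ...
# uid/gid should be absent (syslogd runs as root, so the file defaults to
# root:wheel) or name a service account; gid 0 is wheel and 80 is admin on
# macOS.  A mode= option of at most 0640 must be present, which is the
# "add or edit the mode option" step in the fix text.
audit_asl() {
    while read -r lead path opts; do
        [ "$lead" = '>' ] || continue
        uid=; gid=; mode=
        for tok in $opts; do
            case $tok in
                uid=*)  uid=${tok#uid=} ;;
                gid=*)  gid=${tok#gid=} ;;
                mode=*) mode=${tok#mode=} ;;
            esac
        done
        [ -n "$uid" ] && [ "$uid" != 0 ] &&
            printf 'review: %s uid=%s (expected absent, 0 or a service uid)\n' "$path" "$uid"
        [ -n "$gid" ] && [ "$gid" != 0 ] && [ "$gid" != 80 ] &&
            printf 'review: %s gid=%s (expected absent, 0 wheel, 80 admin or a service gid)\n' "$path" "$gid"
        if [ -z "$mode" ]; then
            printf 'finding: %s has no mode= option (add mode=0640)\n' "$path"
        elif ! mode_ok "$mode"; then
            printf 'finding: %s mode=%s is more permissive than 0640\n' "$path" "$mode"
        fi
    done
}

# Constructed newsyslog.conf excerpt: one bad mode, one odd owner:group.
NEWSYSLOG_SAMPLE='# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/wifi.log                       640  5     1000 *     J
/var/log/system.log     root:wheel      640  7     *    @T00  J
/var/log/install.log    root:admin      644  10    *    @T00  J
/var/log/ppp.log        bob:staff       600  0     *     *     J'

# Constructed asl.conf excerpt: one bad mode, one file with a staff gid and no mode.
ASL_SAMPLE='# asl.conf excerpt
> /var/log/system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
> /var/log/install.log mode=0644 format=bsd rotate=utc compress file_max=5M all_max=50M
> /var/log/wifi.log gid=20 rotate=seq compress file_max=5M'

printf '%s\n' "$NEWSYSLOG_SAMPLE" | audit_newsyslog
printf '%s\n' "$ASL_SAMPLE" | audit_asl
```

Against a live system, feed it the real files: `audit_newsyslog < /etc/newsyslog.conf`, `cat /etc/newsyslog.d/* | audit_newsyslog`, `audit_asl < /etc/asl.conf` and `cat /etc/asl/* | audit_asl`. This complements the `stat` commands in the check, which only see files that exist at the moment they are run.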
The following commands check for log files that exist on the system and print the path to the log with the corresponding ownership. Run them from inside "/var/log". The first command reads only /etc/newsyslog.conf; to cover the drop-in files as well, give grep `-h` and add /etc/newsyslog.d/* so that no file-name prefix lands in `$1`.

```bash
/usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null
```

Each command may return zero or more files.

If there are any system log files that are not owned by "root" and group-owned by "wheel" or "admin", this is a finding.

Service logs may be owned by the service user account or group.

Fix Text: For any log file that returns an incorrect owner or group value, run the following command:

```
/usr/bin/sudo chown root:wheel [log file]
```

[log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group.

If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that the "uid" and "gid" options are either not present or are set to a service user account and group respectively.

### The macOS system must be configured with system log files set to mode 640 or less permissive.

Vulnerability Discussion: System logs should only be readable by root or admin users. System logs frequently contain sensitive information that could be used by an attacker. Setting the correct permissions mitigates this risk.

#### Check Content

The following commands check for log files that exist on the system and print the path to the log with the corresponding permissions.
Run them from inside "/var/log":

```bash
/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null
```

Each command may return zero or more files. If the permissions on log files are not "640" or less permissive, this is a finding. "Less permissive" means every permission bit set on the file is also set in 640 (owner read and write, group read): 600 and 440 pass; 644, 660 and 750 do not.

Fix Text: For any log file that returns an incorrect permission value, run the following command:

```bash
/usr/bin/sudo chmod 640 [log file]
```

[log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive.

If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive.

### The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.

Vulnerability Discussion: The "sudo" command must be configured to prompt for the administrator's password at least once in each newly opened Terminal window or remote logon session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned logon session to bypass the normal password prompt requirement.
Without the "tty_tickets" option, all open local and remote logon sessions would be authenticated to use sudo without a password for the duration of the configured password timeout window.

#### Check Content

To check if the "tty_tickets" option is set for "/usr/bin/sudo", run the following command:

```bash
/usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers
```

If there is no result, this is a finding.

A match on its own is not proof: `Defaults !tty_tickets` (the option negated), a commented-out line, and a `Defaults` line scoped to a single user or host all satisfy this grep. Inspect the matching line and confirm it is a global `Defaults` entry without the `!`. Current sudo releases enable `tty_tickets` by default, so "no result" normally means the explicit setting is missing rather than per-tty tickets being off; the requirement asks for the line to be present regardless.

Fix Text: Edit the "/etc/sudoers" file with `sudo visudo` (which syntax-checks the file before saving it) so that it contains the line:

```
Defaults tty_tickets
```

This line can be placed in the defaults section or at the end of the file.

### The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.

Vulnerability Discussion: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.

#### Check Content

To check if allowPasswordProximityRequests is disabled, run the following command:

```bash
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowPasswordProximityRequests
```

If the return is not "allowPasswordProximityRequests = 0", this is a finding.

Fix Text: This setting is enforced using the "Restrictions Policy" configuration profile.
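Returning to the sudoers requirement above: the grep in its Check Content accepts several configurations that do not actually enable per-tty tickets. The following is an added example, not code from the repository, of a check that parses global `Defaults` lines instead. The sudoers excerpts are constructed, and the `timestamp_type` handling follows the sudoers(5) description of that option, where `timestamp_type=tty` is the newer spelling of `tty_tickets` and `global`/`ppid` are the opposite behaviour.

```bash
#!/bin/sh
# Added example (not from the repository): decide whether sudoers text on
# stdin really turns on per-tty credential caching.  "grep tty_tickets" is
# also satisfied by "Defaults !tty_tickets", by a commented-out line and by
# a per-user "Defaults:alice tty_tickets"; it misses the comma-separated form
# "Defaults timestamp_timeout=5,tty_tickets".  Samples are constructed.

# sudoers_defaults_flags: print every option from global "Defaults" lines,
# one per line, with comments removed, comma lists split and "name = value"
# normalised to "name=value".  Per-user/host/runas/command Defaults
# (Defaults:user, Defaults@host, ...) and #include directives are ignored;
# commas inside quoted values (rare) would be split too.
sudoers_defaults_flags() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' |
    awk '$1 == "Defaults" {
            sub(/^Defaults[ \t]+/, "")
            gsub(/[ \t]*=[ \t]*/, "=")
            n = split($0, f, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (f[i] != "") print f[i]
        }' |
    sed -e 's/[[:space:]]*$//'
}

# tty_tickets_state: print "on", "off" or "unset".  Later lines override
# earlier ones, as sudo itself applies them.
tty_tickets_state() {
    state=unset
    set -f                                   # option values may contain "*"; no globbing
    for flag in $(sudoers_defaults_flags); do
        case $flag in
            tty_tickets|timestamp_type=tty)                           state=on ;;
            '!tty_tickets'|timestamp_type=global|timestamp_type=ppid) state=off ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# audit_sudoers_text: the requirement's check with the pitfalls above handled;
# succeeds only when tty_tickets is explicitly and globally on.
audit_sudoers_text() {
    case $(tty_tickets_state) in
        on)    echo 'pass: tty_tickets is on'; return 0 ;;
        off)   echo 'finding: tty_tickets is negated or a global/ppid timestamp_type is set'; return 1 ;;
        unset) echo 'finding: no explicit global "Defaults tty_tickets" line'; return 1 ;;
    esac
}

SUDOERS_EXPLICIT='# constructed: compliant, option inside a comma list
Defaults    env_reset
Defaults    timestamp_timeout=5,tty_tickets
root   ALL=(ALL) ALL
%admin ALL=(ALL) ALL'

SUDOERS_NEGATED='# constructed: "grep tty_tickets" matches, but the option is off
Defaults    env_reset
Defaults    !tty_tickets
%admin ALL=(ALL) ALL'

SUDOERS_COMMENTED='# Defaults tty_tickets   <- only a comment, so nothing is set
Defaults    env_reset
%admin ALL=(ALL) ALL'

printf '%s\n' "$SUDOERS_EXPLICIT"  | audit_sudoers_text || :
printf '%s\n' "$SUDOERS_NEGATED"   | audit_sudoers_text || :
printf '%s\n' "$SUDOERS_COMMENTED" | audit_sudoers_text || :
```

On a live Mac, feed it the main file and any drop-ins together: `sudo sh -c 'cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null' | audit_sudoers_text`. After editing, `sudo visudo -c` confirms the whole sudoers set still parses.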
### The macOS system must be configured to prevent users from erasing all system content and settings.

Vulnerability Discussion: As in the previous requirement, this is default functionality that exceeds mission requirements; unnecessary capabilities are often overlooked, may remain unsecured, and add attack vectors to the platform.

#### Check Content

To check if allowEraseContentAndSettings is disabled, run the following command:

```bash
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowEraseContentAndSettings
```

If the return is not "allowEraseContentAndSettings = 0", this is a finding.

Fix Text: This setting is enforced using the "Restrictions Policy" configuration profile.
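Five keys on this page (Gatekeeper's EnableAssessment and AllowIdentifiedDevelopers, com.apple.login.mcx.DisableAutoLoginClient, allowPasswordProximityRequests and allowEraseContentAndSettings) are all verified by grepping `system_profiler SPConfigurationProfileDataType` output for a `key = value;` line. The following is an added example, not code from the repository, that performs those checks in one pass and additionally fails when a second profile sets the same key to a different value, which a plain grep displays but does not flag. The `system_profiler` excerpt is constructed; only the `key = value;` lines and the quoting of dotted keys are assumed to match real output.

```bash
#!/bin/sh
# Added example (not from the repository): evaluate the managed-preference
# checks on this page against "system_profiler SPConfigurationProfileDataType"
# text read from stdin.  The excerpt at the bottom is constructed.

# profile_key_values KEY: print the value of every "KEY = value;" line.
# Dotted keys are printed quoted ("com.apple.login.mcx.DisableAutoLoginClient" = 1;),
# so the quotes are stripped before comparing.
profile_key_values() {
    awk -v k="$1" '{ n = $1; gsub(/"/, "", n) }
                   n == k && $2 == "=" { v = $3; sub(/;$/, "", v); print v }'
}

# require_profile_key KEY EXPECTED: succeed only when KEY occurs at least once
# and every occurrence (every profile that sets it) has the EXPECTED value.
require_profile_key() {
    vals=$(profile_key_values "$1")
    [ -n "$vals" ] || return 1
    for v in $vals; do [ "$v" = "$2" ] || return 1; done
    return 0
}

# audit_profiles: run the page's five key checks on stdin text; prints one
# pass/finding line per key and exits non-zero when any check fails.
audit_profiles() {
    text=$(cat)
    rc=0
    for spec in EnableAssessment=1 AllowIdentifiedDevelopers=1 \
                com.apple.login.mcx.DisableAutoLoginClient=1 \
                allowPasswordProximityRequests=0 allowEraseContentAndSettings=0; do
        key=${spec%=*}; want=${spec#*=}
        got=$(printf '%s\n' "$text" | profile_key_values "$key" | tr '\n' ' ')
        if printf '%s\n' "$text" | require_profile_key "$key" "$want"; then
            printf 'pass: %s = %s\n' "$key" "$want"
        else
            printf 'finding: %s expected %s, found: %s\n' "$key" "$want" "${got:-nothing}"
            rc=1
        fi
    done
    return $rc
}

# Constructed excerpt: a device-level Restrictions profile and a Login Window
# profile that together satisfy all five checks.
PROFILE_SAMPLE='Configuration Profiles:

    _computerlevel:

      Restrictions Policy:

          Profile Identifier: com.example.restrictions
          Profile Type: Configuration (Device)
          Payload Data: {
              AllowIdentifiedDevelopers = 1;
              EnableAssessment = 1;
              allowPasswordProximityRequests = 0;
              allowEraseContentAndSettings = 0;
          }

      Login Window Policy:

          Profile Identifier: com.example.loginwindow
          Payload Data: {
              "com.apple.login.mcx.DisableAutoLoginClient" = 1;
          }'

# Same excerpt plus a user-level profile that turns assessment back off; the
# page's grep would print both lines, this audit reports a finding.
PROFILE_CONFLICT="$PROFILE_SAMPLE

    alice:

      Developer Overrides:

          Profile Identifier: com.example.dev-overrides
          Payload Data: {
              EnableAssessment = 0;
          }"

printf '%s\n' "$PROFILE_SAMPLE"   | audit_profiles || :
printf '%s\n' "$PROFILE_CONFLICT" | audit_profiles || :
```

On a live system: `/usr/sbin/system_profiler SPConfigurationProfileDataType | audit_profiles`. As with the Gatekeeper requirement, a passing result shows what installed profiles request; `spctl --status` is still the check for whether assessment is being enforced.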