Draft SP 800-179r1 macOS 10.12 Security project files: draft publication, security settings spreadsheet and Bash script implementation of settings.

NIST Security Configuration Checklist for macOS 10.12

This page contains supplemental resources to NIST Special Publication (SP) 800-179 Revision 1, Guide to Securing macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist. The publication is located at https://csrc.nist.gov/publications/detail/sp/800-179/rev-1/draft.
Please send any comments to [email protected].

Settings Spreadsheet

The settings spreadsheet contains the information needed to configure a system on a per-setting basis. It includes each setting's identifier, command line instructions, and profile values. For a detailed explanation of the spreadsheet contents, see Appendix A of SP 800-179 Rev. 1.

Script Overview

The samc10_12 shell script performs two functions:

  • set configuration items to specified NIST profile values for macOS version 10.12
  • read the current system state for settings specified by the NIST profiles

All configuration settings are grouped into batches so that specific portions of the settings can be run easily. Every setting has a unique Common Configuration Enumeration (CCE) identifier and its own script function; the identifier is used to track every action the setting performs throughout the script.

Some settings are user-specific. The script functions for these settings are aggregated in a list where they will be run for a specified user, or all users, as determined by the script options.

Usage

The script must be run as root, and its execute bit must be set before it can be run. Enable execution with the following command: chmod +x samc10_12.sh. After running the script, a system restart is required for some settings to take effect.

Command                                   Short Description
samc10_12.sh -a                           Run user-specific settings for all users
samc10_12.sh -h                           Display the usage message
samc10_12.sh -k                           Skip time-consuming print/set operations
samc10_12.sh -l                           List the settings
samc10_12.sh -p                           Print settings values
samc10_12.sh -s ent | sslf | soho | oem   Apply the chosen profile
samc10_12.sh -u username                  Run user-specific settings for this user
samc10_12.sh -v                           Verbose output

The -p and -s options provide the core functionality; the other options modify how these behave. Except when using -l or -h, one of -p or -s should always be given.

Options

Option   Long Description
-a       Run user-specific settings for all non-system user accounts. If neither -a nor -u is specified, the settings are applied to the current user.
-h       Print a short help message.
-k       Skip settings that take a significant amount of time to run. The Apple software update setting is the only one affected by this flag; it may take a long time to run, depending on download speed and the size of the updates.
-l       List the CCE identifier, function name, and 10.12 testing status of each setting. Does not make changes to the system configuration.
-p       Print the current state of the system. Does not make changes to the system configuration.
-s       Apply the specified security profile. Accepted profiles are ent (enterprise/managed), soho (Small Office/Home Office, standalone), sslf (Specialized Security-Limited Functionality), and oem (Original Equipment Manufacturer).
-u       Run user-specific settings for the designated user. If neither -a nor -u is specified, the settings are applied to the current user.
-v       Output additional settings information. This produces a large quantity of output, so consider redirecting it to a file.

Examples

Terminal Command                Result
./samc10_12.sh -vp              The script runs in print mode; no changes are made to the system. Settings that support the verbose option print more detailed output. User-specific settings print the values for the current user.
./samc10_12.sh -s ent -u dave   The script runs in set mode for the enterprise profile. All system-wide settings are applied, and user-specific settings are applied to the user dave.
./samc10_12.sh -pak             The script prints the state of the system-wide settings, and user-specific settings are printed for each non-system user. Time-consuming settings are skipped.

Run Script to Assess System State for All Users

  1. Download the “samc10_12.sh” script. To avoid access permission errors, put the script in a directory accessible to all users, such as the /Users/Shared directory.
  2. Open the Terminal program.
  3. In Terminal, navigate to the directory where the script was downloaded using the cd command.
  4. Type chmod +x samc10_12.sh and press "enter" to enable the execution permission on the script. If you have already downloaded the script and run this command, it is not necessary to do it again.
  5. If you are not logged into an admin account, type su USERNAME, where USERNAME is an administrator account, and press “enter”. Then type your password when prompted.
  6. Type sudo ./samc10_12.sh -pa and press "enter". This will run the script with the -p and -a options, which prints the system state for all users on the system.
  7. Type your password when prompted, and the script will begin execution.

Run Script to Apply Enterprise Profile for All Users

  1. Download the “samc10_12.sh” script. To avoid access permission errors, put the script in a directory accessible to all users, such as the /Users/Shared directory.
  2. Open the Terminal program.
  3. In Terminal, navigate to the directory where the script was downloaded using the cd command.
  4. Type chmod +x samc10_12.sh and press "enter" to enable the execution permission on the script. If you have already downloaded the script and run this command, it is not necessary to do it again.
  5. If you are not logged into an admin account, type su USERNAME, where USERNAME is an administrator account, and press “enter”. Then type your password when prompted.
  6. Type sudo ./samc10_12.sh -s ent -a and press "enter". This will run the script with the -s and -a options, which applies the settings using the enterprise profile for all users on the system.
  7. Type your password when prompted, and the script will begin execution.

Password Policy: Formatted .plist

The samc10_12_pwpolicy.plist file contains the password policies generated by the script and recommended by the publication.

FAQ

What version of macOS is supported by this script?
Only macOS 10.12 (Sierra) is supported.

How do I enable SSH on a host system after applying a configuration profile?
The configuration uses multiple methods to prevent SSH access. Using an administrative account, do the following on the host system to re-enable remote login:

  1. Open System Preferences -> Sharing. Enable "Remote Login", and add the desired users to the "Allowed Access for" box.
  2. In System Preferences -> Security & Privacy, open the "Firewall" tab. Open "Firewall Options" and uncheck "Block all incoming connections". This will allow SSH through the Application Firewall.
  3. Open Terminal and run the command sudo nano /etc/ssh/sshd_config to edit the config file. Comment out or delete the DenyUsers * line at the bottom. The line should read #DenyUsers * if it is commented out. Save and close the file.
  4. Again in Terminal, run the command sudo nano /etc/pf.anchors/sam_pf_anchors to edit pf firewall rules. Comment out the line block in proto { tcp udp } to any port 22 so it becomes #block in proto { tcp udp } to any port 22. Save and close the file.
  5. Restart the system.
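The two file-based controls in steps 3 and 4 can be audited before and after the edit instead of trusting that the lines were changed correctly. The following is an added example written for this page, not a script from the NIST repository; it assumes the file paths named in the FAQ as defaults, treats a directive as active only when it is not commented out, and reads constructed sample files so it runs without a macOS host.

```shell
#!/bin/sh
# Added example (not from the NIST repository): report whether the two
# file-based SSH blocks described in the FAQ are still active. A directive
# counts as active only when it is not commented out; the default paths are
# the ones the FAQ names, and the sample files at the bottom are constructed.

# Succeed if FILE contains an uncommented line starting with the given ERE.
active_line() {  # $1 = file, $2 = extended regex for the directive
    [ -r "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2" "$1"
}

# sshd_config: "DenyUsers *" denies every user; "#DenyUsers *" does not.
sshd_denies_all() {
    active_line "${1:-/etc/ssh/sshd_config}" 'DenyUsers[[:space:]]+[*]([[:space:]]|$)'
}

# pf anchor: "block in proto { tcp udp } to any port 22" drops SSH traffic.
# pf tolerates varying whitespace, so the pattern does too.
pf_blocks_ssh() {
    ws='[[:space:]]+'
    rule="block${ws}in${ws}proto${ws}[{][[:space:]]*tcp${ws}udp[[:space:]]*[}]"
    rule="${rule}${ws}to${ws}any${ws}port${ws}22"
    active_line "${1:-/etc/pf.anchors/sam_pf_anchors}" "${rule}"'([[:space:]]|$)'
}

# One line per control; the exit status is the number of blocks still active,
# so a non-zero status means SSH is still cut off by at least one of them.
ssh_block_status() {  # $1 = sshd_config path, $2 = pf anchor path
    n=0
    if sshd_denies_all "$1"; then
        echo "sshd_config: 'DenyUsers *' ACTIVE (all SSH logins denied)"; n=$((n + 1))
    else
        echo "sshd_config: 'DenyUsers *' not active"
    fi
    if pf_blocks_ssh "$2"; then
        echo "pf anchor:   port 22 block ACTIVE"; n=$((n + 1))
    else
        echo "pf anchor:   port 22 block not active"
    fi
    return "$n"
}

# Constructed sample files so the example runs without a macOS host.
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'DenyUsers *' > "$tmp/sshd_config.locked"
printf '%s\n' 'PermitRootLogin no' '#DenyUsers *' > "$tmp/sshd_config.open"
printf '%s\n' 'block in proto { tcp udp } to any port 22' > "$tmp/pf.locked"
printf '%s\n' '  #block in proto { tcp udp } to any port 22' > "$tmp/pf.open"

echo "== as left by the profile =="
ssh_block_status "$tmp/sshd_config.locked" "$tmp/pf.locked" || echo "$? block(s) still active"
echo "== after the FAQ edits =="
ssh_block_status "$tmp/sshd_config.open" "$tmp/pf.open" || echo "$? block(s) still active"
rm -rf "$tmp"
```

On a real host, call ssh_block_status with no arguments (or with the real paths) as root; it only reads the files, so it is safe to run before and after the edits in steps 3 and 4.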

How do I resync the keychain login password with the user login password?
A Keychain sync issue can occur after an account password expires and is reset, and can be fixed with one of the following:

1st Solution:

  1. In the Keychain Access program, make sure the login keychain is selected, and click the lock at the top left.
  2. Unlock the keychain, and enter the updated password.
  3. A window should appear asking to enter the current password and to create a new password/verify new password.
  4. Enter the old password in the first field, and your updated password in the new password/verify password fields.

2nd Solution:

  1. Open Keychain Access, and go to “Preferences".
  2. Under the "First Aid" tab, check "Synchronize login keychain password with account".
  3. Close the Preferences and open “Keychain First Aid” under the Keychain Access menu.
  4. Click the “Repair” option on the right, and enter your updated password.
