| 1.1 Verify all application software is current | SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Enable Auto Update | SYSTEM AND INFORMATION INTEGRITY |
| 1.3 Enable app update installs | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable security update installs | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable system data files | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.1 Disable Bluetooth, if no paired devices exist | |
| 2.1.2 Disable Bluetooth 'Discoverable' mode when not pairing devices | CONFIGURATION MANAGEMENT |
| 2.1.3 Show Bluetooth status in menu bar | CONFIGURATION MANAGEMENT |
| 2.2.1 Enable 'Set time and date automatically' | AUDIT AND ACCOUNTABILITY |
| 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver | ACCESS CONTROL |
| 2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver | ACCESS CONTROL |
| 2.4.1 Disable Remote Apple Events | CONFIGURATION MANAGEMENT |
| 2.4.2 Disable Internet Sharing | CONFIGURATION MANAGEMENT |
| 2.4.3 Disable Screen Sharing | CONFIGURATION MANAGEMENT |
| 2.4.4 Disable Printer Sharing | CONFIGURATION MANAGEMENT |
| 2.4.5 Disable Remote Login | ACCESS CONTROL |
| 2.4.6 Disable DVD or CD Sharing | CONFIGURATION MANAGEMENT |
| 2.4.7 Disable Bluetooth Sharing | |
| 2.4.8 Disable File Sharing - AppleFileServer | CONFIGURATION MANAGEMENT |
| 2.4.8 Disable File Sharing - FTP | CONFIGURATION MANAGEMENT |
| 2.4.8 Disable File Sharing - SMB | CONFIGURATION MANAGEMENT |
| 2.4.9 Disable Remote Management - 'ARDAgent file does not exist' | CONFIGURATION MANAGEMENT |
| 2.4.9 Disable Remote Management - 'ARDAgent is not running' | CONFIGURATION MANAGEMENT |
| 2.6.1 Enable FileVault - Encryption Status | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6.1 Enable FileVault - Encryption Type | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6.2 Enable Gatekeeper | CONFIGURATION MANAGEMENT |
| 2.6.3 Enable Firewall | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Pair the remote control infrared receiver if enabled | |
| 2.7 Pair the remote control infrared receiver if enabled - 'DeviceEnabled = 1' | CONFIGURATION MANAGEMENT |
| 2.7 Pair the remote control infrared receiver if enabled - 'UIDFilter != none' | ACCESS CONTROL |
| 2.8 Enable Secure Keyboard Entry in terminal.app | CONFIGURATION MANAGEMENT |
| 3.1.2 Retain system.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
| 3.1.3 Retain appfirewall.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
| 3.1.4 Retain authd.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
| 3.2 Enable security auditing | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure Security Auditing Flags - 'audit all failed events across all audit classes' | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure Security Auditing Flags - 'audit successful/failed administrative events' | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure Security Auditing Flags - 'audit successful/failed file attribute modification events' | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure Security Auditing Flags - 'audit successful/failed file deletion events' | AUDIT AND ACCOUNTABILITY |
| 3.4 Configure Security Auditing Flags - 'audit successful/failed login/logout events' | AUDIT AND ACCOUNTABILITY |
| 3.5 Retain install.log for 365 or more days | AUDIT AND ACCOUNTABILITY |
| 4.2 Enable 'Show Wi-Fi status in menu bar' | CONFIGURATION MANAGEMENT |
| 5.1.1 Secure Home Folders | CONFIGURATION MANAGEMENT |
| 5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions | |
| 5.1.3 Check System Wide Applications for appropriate permissions | ACCESS CONTROL |
| 5.1.4 Check System folder for world writable files | ACCESS CONTROL |
| 5.1.5 Check Library folder for world writable files | ACCESS CONTROL |
| 5.2 Reduce the sudo timeout period | ACCESS CONTROL |
| 5.3 Automatically lock the login keychain after 15 minutes of inactivity and when sleeping | IDENTIFICATION AND AUTHENTICATION |
| 5.4 Do not enable the 'root' account | ACCESS CONTROL |
