1.1 Verify all application software is current | SYSTEM AND INFORMATION INTEGRITY |
1.2 Enable Auto Update | SYSTEM AND INFORMATION INTEGRITY |
1.3 Enable app update installs | SYSTEM AND INFORMATION INTEGRITY |
1.4 Enable security update installs | SYSTEM AND INFORMATION INTEGRITY |
1.4 Enable system data files | SYSTEM AND INFORMATION INTEGRITY |
2.1.1 Disable Bluetooth, if no paired devices exist | |
2.1.2 Disable Bluetooth 'Discoverable' mode when not pairing devices | CONFIGURATION MANAGEMENT |
2.1.3 Show Bluetooth status in menu bar | CONFIGURATION MANAGEMENT |
2.2.1 Enable 'Set time and date automatically' | AUDIT AND ACCOUNTABILITY |
2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver | ACCESS CONTROL |
2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver | ACCESS CONTROL |
2.4.1 Disable Remote Apple Events | CONFIGURATION MANAGEMENT |
2.4.2 Disable Internet Sharing | CONFIGURATION MANAGEMENT |
2.4.3 Disable Screen Sharing | CONFIGURATION MANAGEMENT |
2.4.4 Disable Printer Sharing | CONFIGURATION MANAGEMENT |
2.4.5 Disable Remote Login | ACCESS CONTROL |
2.4.6 Disable DVD or CD Sharing | CONFIGURATION MANAGEMENT |
2.4.7 Disable Bluetooth Sharing | |
2.4.8 Disable File Sharing - AppleFileServer | CONFIGURATION MANAGEMENT |
2.4.8 Disable File Sharing - FTP | CONFIGURATION MANAGEMENT |
2.4.8 Disable File Sharing - SMB | CONFIGURATION MANAGEMENT |
2.4.9 Disable Remote Management - 'ARDAgent file does not exist' | CONFIGURATION MANAGEMENT |
2.4.9 Disable Remote Management - 'ARDAgent is not running' | CONFIGURATION MANAGEMENT |
2.6.1 Enable FileVault - Encryption Status | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6.1 Enable FileVault - Encryption Type | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6.2 Enable Gatekeeper | CONFIGURATION MANAGEMENT |
2.6.3 Enable Firewall | SYSTEM AND COMMUNICATIONS PROTECTION |
2.7 Pair the remote control infrared receiver if enabled | |
2.7 Pair the remote control infrared receiver if enabled - 'DeviceEnabled = 1' | CONFIGURATION MANAGEMENT |
2.7 Pair the remote control infrared receiver if enabled - 'UIDFilter != none' | ACCESS CONTROL |
2.8 Enable Secure Keyboard Entry in terminal.app | CONFIGURATION MANAGEMENT |
3.1.2 Retain system.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
3.1.3 Retain appfirewall.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
3.1.4 Retain authd.log for 90 or more days | AUDIT AND ACCOUNTABILITY |
3.2 Enable security auditing | AUDIT AND ACCOUNTABILITY |
3.4 Configure Security Auditing Flags - 'audit all failed events across all audit classes' | AUDIT AND ACCOUNTABILITY |
3.4 Configure Security Auditing Flags - 'audit successful/failed administrative events' | AUDIT AND ACCOUNTABILITY |
3.4 Configure Security Auditing Flags - 'audit successful/failed file attribute modification events' | AUDIT AND ACCOUNTABILITY |
3.4 Configure Security Auditing Flags - 'audit successful/failed file deletion events' | AUDIT AND ACCOUNTABILITY |
3.4 Configure Security Auditing Flags - 'audit successful/failed login/logout events' | AUDIT AND ACCOUNTABILITY |
3.5 Retain install.log for 365 or more days | AUDIT AND ACCOUNTABILITY |
4.2 Enable 'Show Wi-Fi status in menu bar' | CONFIGURATION MANAGEMENT |
5.1.1 Secure Home Folders | CONFIGURATION MANAGEMENT |
5.1.2 Repair permissions regularly to ensure binaries and other System files have appropriate permissions | |
5.1.3 Check System Wide Applications for appropriate permissions | ACCESS CONTROL |
5.1.4 Check System folder for world writable files | ACCESS CONTROL |
5.1.5 Check Library folder for world writable files | ACCESS CONTROL |
5.2 Reduce the sudo timeout period | ACCESS CONTROL |
5.3 Automatically lock the login keychain after 15 minutes of inactivity and when sleeping | IDENTIFICATION AND AUTHENTICATION |
5.4 Do not enable the 'root' account | ACCESS CONTROL |