CIS Checklist for macOS

Posted on December 5, 2019

With so many business operations relying on computers, your organization’s cybersecurity practices are your only defense against digital threats. Thankfully, the Center for Internet Security (CIS) has created the go-to security framework for securing your macOS devices, and in this guide, we’re going to share a macOS CIS checklist so you can see what it takes to comply with their standards.

By following these standards, your organization can rest assured that their devices are protected from cybersecurity threats and costly breaches. But, as you’ll see, ensuring that your organization-owned Mac devices meet every control standard can be time-consuming and challenging.

Your mobile device management (MDM) solution may only cover a fraction of the controls necessary to meet CIS standards, which means the rest has to be done manually with a custom script. (You can read more about this in our CIS Compliance for macOS guide). Not only is scripting time consuming, but it’s also costly to maintain, difficult to update, and a pain to prove to compliance auditors.

That’s where Kandji, an MDM solution, comes in. Having spent decades rolling out macOS compliance mandates before we created our MDM, we knew there was a more intuitive way to keep your Apple fleet safe. So, we built the industry’s only one-click macOS CIS compliance feature – right into our MDM solution.

That means our MDM does more than help you manage devices and deploy apps – it keeps them safe with hassle-free compliance framework templates and over 150 pre-built controls. You’ll see just how much time this can save once you read over the macOS CIS checklist in the next section – and as you do, keep in mind that Kandji can enforce and remediate every single item.

Here’s a quick look at the major categories our checklist will cover:

  • User Accounts & Authentication
  • Filesystem
  • Auditing & Logging
  • Network
  • Hardware
  • macOS Application & Services
  • Third-Party Applications & Services

 

macOS CIS checklist

User Accounts & Authentication

User Accounts

Do not enable the “root” account

The root account is a superuser account that can perform any action and read or write any file. The CIS benchmark recommends that root stay disabled on all macOS systems and that separate administrator accounts be created for anyone who needs to perform administrative tasks; those accounts authorize individual actions through sudo or the authorization dialog rather than sharing one all-powerful login. The root user is disabled by default on macOS; if it has been enabled, running dsenableroot -d (or Directory Utility > Edit > Disable Root User) disables it again.

 

Guest Account

Disable guest account login

The Guest account is a risk because it has no password: anyone at the keyboard can log in. It is recommended that the Guest account be disabled on all macOS systems unless there is a clearly demonstrated need. According to the macOS CIS benchmark, disabling the Guest login option mitigates the risk of an unauthorized user obtaining a local session and then using a privilege escalation attack to take control of the system.

 

Disable “Allow guests to connect to shared folders”

Allowing guests to connect to shared folders lets anyone on the network read those folders without presenting credentials. Disabling it mitigates the risk of an untrusted user performing basic reconnaissance and gaining unauthorized access to data on the system.

 

Remove Guest user home folder

If the previous two controls are disabled, there is no longer a need for the Guest home folder to remain in the file system. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders. According to the macOS CIS benchmark, the Guest home folder is unneeded if the Guest account is disabled and could be used inappropriately.

 

Kandji can enforce and remediate all of these CIS controls. Learn more here.

 

Login Window

Disable automatic login

Automatic login stores a user's credentials and bypasses the login screen, so whoever powers on the Mac gets that user's session. According to the CIS benchmark (macOS), disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system when they do not know the user's password.

 

Display login window as name and password

The login window prompts a user for credentials and then allows or denies access to the system. Displaying the window as a list of users reveals valid account names to anyone at the keyboard; the macOS CIS benchmark states that prompting for both username and password makes it harder for unauthorized users to gain access, because they must know (or guess) both.

 

Disable “Show password hints”

Password hints make it easier for unauthorized users to gain access: a hint often narrows the search enough to guess the password. The macOS CIS benchmark recommends disallowing the feature; in Kandji, this parameter disables the password hints option and clears existing user password hints.

 

Disable fast user switching

Fast user switching lets several users stay logged in at once. The CIS benchmark (macOS) notes that this can allow information to be disclosed about processes running under a different user, and in environments where that risk is unacceptable the feature should be disabled, requiring one user to log out before another user logs in.

 

Disable console login

Console login is entered by typing >console as the username at the login window; it drops the Mac to a text-mode login. On newer versions of macOS this may cause the system to become unresponsive, requiring a forced reboot, and the macOS CIS benchmark states that it may be considered an unacceptable stability and/or security risk for organizations.

 

Login Banners

Create a custom message for the Login screen

A custom message can be displayed at the lock screen and the FileVault login screen (it is the LoginwindowText value in com.apple.loginwindow). It is commonly used to warn people of permitted system actions and the possible legal consequences of misuse. The CIS benchmark (macOS) states that displaying an access warning may reduce an attacker's tendency to access the system, and it may aid in the prosecution of an attacker.

Example Lock Message Text: “This system is reserved for authorized use only, and the use of this system may be monitored.”

 

Create a Login window banner

A policy banner is an additional window that is displayed during the login process. It requires users to acknowledge the contents of the banner by clicking an "Accept" button before proceeding to log in, and is often used to supplement the lock screen message text and to warn people of permitted system actions and possible legal consequences of misuse. macOS displays the banner when a file named PolicyBanner.txt, PolicyBanner.rtf or PolicyBanner.rtfd exists in /Library/Security. In the macOS CIS benchmark, enforcing a policy banner is proposed to dissuade an attacker from accessing the system, and the presence of the banner may also help during prosecution.

 

Unlock Options

Disable the ability to login to another user's active and locked session

macOS has a privilege that can be granted to any user that allows them to unlock another user's active, locked session. This can let unauthorized persons view potentially sensitive and/or personal information, so it is highly recommended that the privilege remain withheld at all times. The macOS CIS benchmark states that disabling a user's ability to log into another user's active and locked session can prevent unauthorized system access.

 

Apple Watch features with macOS

Allowing a user to unlock an enterprise computer with a personal token that the enterprise does not manage or control, such as an Apple Watch, poses security risks. The CIS benchmark (macOS) states that if the user loses the watch, revoking the credential that can unlock the computer could be problematic.

 


 

Session Locking

Require a password to wake the computer from sleep or screen saver

Prompting for a password when waking from Screen Saver or sleep mitigates the threat of an unauthorized person gaining access to a system. It is often recommended to use a setting of Immediately or 5 Seconds. By locking the screen after a screen saver or sleep begins, system access can be prevented from persons viewing a system left unattended for any period of time.

 

Set an inactivity interval of 20 minutes or less for the screen saver

Setting an inactivity interval for the screen saver limits how long a system left unattended stays unlocked. An inactivity interval of 20 minutes or less is generally considered best practice; combined with the password-on-wake control above, the macOS CIS benchmark states that this prevents an unauthorized user from simply sitting down at an abandoned Mac.

 

Ensure at least one Hot Corner is set to start Screen Saver or put the display to sleep

A Hot Corner can be used to quickly lock the screen when a user steps away from their computer. By keeping the computer locked while the user is away, the risk of unauthorized access from someone nearby is reduced. Kandji's remediation assigns the specified corner to "Start Screen Saver" only if no corner is already set to it; if the user has any existing Hot Corner set to "Start Screen Saver", no action is taken.

 

Secure screen saver corners

Hot Corners can also be used to quickly disable Screen Saver, which poses a potential security risk. The CIS benchmark (macOS) states that an unauthorized person could use this configuration to bypass the lock screen and gain access to the system without needing any login credentials.
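The Login Window and Session Locking controls above are all preference values that can be read back with the defaults command. The script below is an added example (not code from the page or from Kandji) of the table-driven way a custom compliance script typically audits them: one row per control, a comparison operator, and an expected value. The domain and key names are the ones I recall from the CIS macOS benchmark audit steps for these controls and should be verified against the benchmark version you are held to; the CIS_FIXTURE environment variable, the "host:" domain prefix and the row format are conventions of this example only.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: a table-driven audit of
# the Login Window and Session Locking defaults covered above. Domain and key
# names are the ones I recall from the CIS macOS benchmark audit steps; verify
# them against the benchmark version you are held to.
#
# When CIS_FIXTURE names a file of "domain key value" lines, values are read
# from it instead of from `defaults`, so the policy logic runs on any POSIX
# system. A domain prefixed with "host:" is read with `defaults -currentHost`
# (idleTime is a per-host value).

get_setting() {
    domain=$1; key=$2
    if [ -n "${CIS_FIXTURE:-}" ]; then
        awk -v d="$domain" -v k="$key" \
            '$1 == d && $2 == k { print $3; found = 1 } END { if (!found) print "unset" }' \
            "$CIS_FIXTURE"
    elif [ "$(uname)" = "Darwin" ]; then
        case $domain in
            host:*) defaults -currentHost read "${domain#host:}" "$key" 2>/dev/null || echo "unset" ;;
            *)      defaults read "$domain" "$key" 2>/dev/null || echo "unset" ;;
        esac
    else
        echo "unset"
    fi
}

# One control: "unset" means the key must be absent (no automatic login user),
# "eq" an exact value, "le" a numeric upper bound (seconds).
check_row() {
    domain=$1; key=$2; op=$3; want=$4
    have=$(get_setting "$domain" "$key")
    ok=1
    case $op in
        unset) if [ "$have" = "unset" ]; then ok=0; fi ;;
        eq)    if [ "$have" = "$want" ]; then ok=0; fi ;;
        le)    if [ "$have" != "unset" ] && [ "$have" -le "$want" ] 2>/dev/null; then ok=0; fi ;;
    esac
    if [ "$ok" -eq 0 ]; then
        echo "PASS $key=$have"
    else
        echo "FAIL $key=$have (want $op $want)"
    fi
    return "$ok"
}

# Runs every row of the policy table; returns the number of failing controls.
run_policy() {
    failures=0
    while read -r domain key op want; do
        case $domain in ''|\#*) continue ;; esac
        check_row "$domain" "$key" "$op" "$want" || failures=$((failures + 1))
    done <<EOF
# domain                                     key                      op    expected
/Library/Preferences/com.apple.loginwindow   autoLoginUser            unset -
/Library/Preferences/com.apple.loginwindow   SHOWFULLNAME             eq    1
/Library/Preferences/com.apple.loginwindow   RetriesUntilHint         eq    0
/Library/Preferences/com.apple.loginwindow   DisableConsoleAccess     eq    1
/Library/Preferences/.GlobalPreferences      MultipleSessionEnabled   eq    0
com.apple.screensaver                        askForPassword           eq    1
com.apple.screensaver                        askForPasswordDelay      le    5
host:com.apple.screensaver                   idleTime                 le    1200
EOF
    return "$failures"
}

# Live audit on a Mac; elsewhere (or with a fixture) only the functions load.
if [ "$(uname)" = "Darwin" ] && [ -z "${CIS_FIXTURE:-}" ]; then
    run_policy
fi
```

The screen saver rows are per-user preferences, so run the audit as the user whose session you are assessing (or read each user's preferences in turn); the loginwindow and .GlobalPreferences rows are system-wide. A row whose key should simply not exist, such as autoLoginUser, uses the "unset" operator rather than comparing against an empty string, because defaults read exits non-zero for a missing key instead of printing nothing.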

 

Sudo

Reduce sudo timeout period

The sudo command lets an administrator run individual commands as root. After a successful password prompt, sudo caches that authentication for five minutes by default, and any command run with sudo inside that window does not prompt again. That grace period should be eliminated: the macOS CIS benchmark notes that if an exploit gained code execution as the logged-in user during the window, it could run commands as root without knowing the password. Setting timestamp_timeout to 0 in sudoers (always edited with visudo) makes every sudo invocation prompt.

 

Use a separate timestamp for each user/tty combo

The sudo command should be configured to prompt for an administrator's password at least once in each newly opened Terminal window or remote session, which is what the timestamp_type=tty setting in sudoers does. In combination with removing the sudo timeout grace period, this prevents privilege escalation by background processes, or a malicious user taking advantage of an unlocked computer or abandoned session.
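The two sudo controls above are one short sudoers drop-in. As an added example (not code from the page or from Kandji), the script below checks a set of sudoers files for both settings and writes the drop-in that remediates them. The include directory /private/etc/sudoers.d is the macOS default as I know it, and the drop-in file name 10_cis_sudo_timestamp is an arbitrary choice of this example; both functions take paths as arguments so they can be tried against copies without root.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: check whether sudo is
# configured with timestamp_timeout=0 and timestamp_type=tty (the two controls
# above), and write the sudoers drop-in that sets them. The include directory
# is the macOS default as I know it (/private/etc/sudoers.d); adjust if yours
# differs.

SUDOERS_DIR=${SUDOERS_DIR:-/private/etc/sudoers.d}

# Succeeds when the sudoers files given as arguments, taken together, contain
# Defaults lines setting timestamp_timeout to exactly 0 (not 0.5) and
# timestamp_type to tty. Comments are stripped first; backslash-continued
# Defaults lines are not handled.
sudo_timestamp_compliant() {
    cat "$@" 2>/dev/null | sed 's/#.*//' | awk '
        /^[[:space:]]*Defaults/ {
            if ($0 ~ /timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9.]|$)/) timeout_ok = 1
            if ($0 ~ /timestamp_type[[:space:]]*=[[:space:]]*tty([^[:alnum:]_]|$)/) type_ok = 1
        }
        END { exit !(timeout_ok && type_ok) }'
}

# Writes the remediation drop-in to $1 (default: a CIS file in SUDOERS_DIR)
# with the 0440 mode sudo requires. Validate with `visudo -cf <file>` before
# trusting it on a real system: a syntax error in an included file makes sudo
# refuse to run at all, which is hard to recover from without another admin path.
write_sudo_timestamp_dropin() {
    target=${1:-$SUDOERS_DIR/10_cis_sudo_timestamp}
    printf 'Defaults timestamp_timeout=0\nDefaults timestamp_type=tty\n' > "$target"
    chmod 0440 "$target"
}

# Live check on a Mac (reading /etc/sudoers needs root).
if [ "$(uname)" = "Darwin" ]; then
    if sudo_timestamp_compliant /etc/sudoers "$SUDOERS_DIR"/*; then
        echo "sudo timestamp settings: compliant"
    else
        echo "sudo timestamp settings: NOT compliant (run write_sudo_timestamp_dropin as root)"
    fi
fi
```

Keep the remediation in a drop-in rather than editing /etc/sudoers directly: macOS updates can replace the main file, and a drop-in is also what an MDM-delivered script can install and remove idempotently.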

 

Privacy

Enable Location Services

Organizations may have a policy to enable or disable Location Services for all managed endpoints, and there are considerations for either setting. Location Services can simplify log and time management when computers change time zones, but the CIS benchmark (macOS) states that the resulting privacy concerns may be the overriding factor.

 

Monitor Location Services

If an organization chooses to allow or force Location Services to be enabled, it is recommended they have a way to monitor its usage. Privacy controls should be monitored for appropriate settings. Kandji will report on what is listed in System Preferences > Security & Privacy > Privacy > Location Services.

 

Disallow sending diagnostic and usage data to Apple

Apple provides an option to send diagnostic and usage data back to Apple to help improve the platform. This information can contain internal organizational information that should be controlled and not available for processing by Apple. The macOS CIS benchmark recommends that you prevent macOS from sharing diagnostics and usage data with Apple or crash data with app developers. Note that this does not prevent sharing iCloud analytics with Apple.

 

Certificates

Enable OCSP and CRL certificate checking

Certificates should only be trusted if they have a satisfactory trust chain and have not been revoked. The CIS benchmark (macOS) states that the OS can check whether a certificate is still valid using the OCSP responder and CRL distribution point URLs embedded in the certificate. A rogue or compromised certificate should not be trusted even when its signature chain verifies.

 


 

Filesystem

Finder

Turn on filename extensions

A filename extension is a suffix added to a base filename that indicates the base filename’s file format. Visible filename extensions allow for the user to identify file types and the applications that files are associated with. According to the macOS CIS benchmark, this can lead to the identification of misrepresented or malicious files.

 

Disk Encryption

Enable FileVault

FileVault secures a system's data by encrypting the startup volume and requiring an enabled user's password or the recovery key to unlock it at boot. The macOS CIS benchmark states that encrypting sensitive data reduces the likelihood that an unauthorized user will gain access to it, for example from a lost or stolen laptop or a drive removed from the machine.

 

Ensure all user storage APFS volumes are encrypted

In order to protect user data from loss or tampering, volumes carrying data should be encrypted. In Kandji, this parameter reports on the encryption status of all volume types, but only creates an alert when unencrypted CoreStorage or APFS volumes are found.
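The status behind both disk encryption controls above comes from fdesetup status (the startup volume) and diskutil apfs list (every APFS volume). The script below is an added example (not code from the page or from Kandji) that reads those two outputs and reports the startup volume state plus any data-bearing APFS volume that is not encrypted. The parser's expectations about the diskutil layout (an "APFS Volume Disk (Role):" line, then "Name:" and "FileVault:" lines for each volume) are from memory and should be compared with the output of your own Mac.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: report the FileVault
# state of the startup volume and list APFS volumes that are not encrypted,
# which is what the two controls above audit. The real data sources are
# `fdesetup status` and `diskutil apfs list`; the parser's assumptions about
# their output layout are from memory, so compare with your own Mac's output.

# Reads `fdesetup status` on stdin; succeeds when FileVault is on.
filevault_on() {
    grep -q '^FileVault is On'
}

# Reads `diskutil apfs list` on stdin and prints "role | name | state" for
# every volume whose FileVault line does not start with "Yes". Preboot,
# Recovery, VM and Update volumes hold no user data and are never encrypted,
# so they are skipped rather than reported as findings.
unencrypted_apfs_volumes() {
    awk '
        /APFS Volume Disk \(Role\):/ { role = $0; sub(/.*\(Role\):[[:space:]]*/, "", role) }
        /^[| ]*Name:/ {
            name = $0
            sub(/^[| ]*Name:[[:space:]]*/, "", name)
            sub(/ \(Case-.*$/, "", name)
        }
        /^[| ]*FileVault:/ {
            state = $0
            sub(/^[| ]*FileVault:[[:space:]]*/, "", state)
            if (state !~ /^Yes/ && role !~ /\((Preboot|Recovery|VM|Update)\)/)
                print role " | " name " | " state
        }'
}

# Live report on a Mac; elsewhere only the functions are defined.
if [ "$(uname)" = "Darwin" ]; then
    if fdesetup status | filevault_on; then
        echo "startup volume: FileVault on"
    else
        echo "startup volume: FileVault OFF"
    fi
    unencrypted=$(diskutil apfs list | unencrypted_apfs_volumes)
    if [ -n "$unencrypted" ]; then
        echo "unencrypted APFS volumes:"
        echo "$unencrypted"
    fi
fi
```

Older HFS+ volumes encrypted with CoreStorage are not covered by diskutil apfs list; diskutil cs list reports those separately, and the same "report what is not encrypted" logic applies.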

 


 

File and Folder Permissions

System Integrity Protection status

System Integrity Protection restricts access to parts of the file system and sensitive system settings, even for root. It is highly recommended that SIP always remain enabled unless a specific reason is identified to disable it; csrutil status reports the current state. According to the CIS benchmark (macOS), running a system without SIP leaves it vulnerable to modification of system binaries and code injection into system processes.

 

Check System Wide Applications for appropriate permissions

Verifies that applications located anywhere within the /Applications directory are not world writable. In Kandji, applications found to be out of compliance have the world-write bit removed. According to the macOS CIS benchmark, unauthorized modification of applications could leave the system vulnerable to malicious code: any local process, including malware running as an ordinary user, could replace an application's binary with one of its own.

 

Check Library folder for world writable files

Verifies that directories in /Library aren't world writable. Software sometimes insists on being installed in /Library and is given inappropriate world-writable permissions. Directory exclusions can be created for Kandji to skip specified folders; this is useful for applications that don't function properly if their directories are modified to comply with this parameter.

Note: Test thoroughly before mass deployment. Certain applications do not function properly if their associated directories in /Library aren't world writable.

 

Check System folder for world writable files

Software sometimes insists on being installed in /System and is given inappropriate world-writable permissions. This control verifies that directories in /System aren't world writable, as the macOS CIS benchmark recommends. On current macOS, System Integrity Protection prevents changes to most of /System even by root, so a world-writable directory there usually means SIP has been disabled or the item predates it, and it should be investigated rather than silently fixed.

 

Secure Home Folders

By default, macOS lets every local user into the top level of every other user's home folder (mode 755) and restricts access only to the Apple default sub-folders within. Letting all users view the top level of each other's home folders could lead to the discovery of sensitive information, so the benchmark recommends changing the permissions of each home folder (chmod og-rwx on the folder itself) to disallow any access by other users.
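The four permission controls above reduce to two find expressions and two chmod calls. The script below is an added example (not code from the page or from Kandji) that lists world-writable directories under a root, applies the exclusion list the text mentions, removes the world-write bit, and closes the top level of each home folder. Directory arguments are parameters of this example so the logic can be tried against a scratch tree before it is pointed at /Applications, /Library or /Users.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: find and fix
# world-writable directories under /Applications and /Library, and close off
# home folder top levels, as the controls above describe.

# Print world-writable directories below $1, ignoring sticky-bit "drop box"
# directories (shared but safe from deletion by others) and any path listed,
# one per line, in the exclusion file $2.
find_world_writable_dirs() {
    root=$1; exclude=${2:-/dev/null}
    find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null | while read -r dir; do
        if [ -s "$exclude" ] && grep -q -x -F -e "$dir" "$exclude"; then
            continue
        fi
        printf '%s\n' "$dir"
    done
}

# Remove the world-write bit from everything find_world_writable_dirs reports.
# On a real Mac this needs root, and /System is protected by SIP, so anything
# reported there is a finding to investigate rather than something to chmod.
fix_world_writable_dirs() {
    find_world_writable_dirs "$1" "${2:-}" | while read -r dir; do
        chmod o-w "$dir"
    done
}

# Succeeds when the top level of the home folder $1 grants any access to
# group or others (the macOS default of 755 does).
home_folder_open() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -0040 -o -perm -0020 -o -perm -0010 \
                                    -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print 2>/dev/null)" ]
}

# chmod og-rwx every home folder in $1 except Shared (intentionally open)
# and Guest. Sub-folders already default to owner-only except Public.
secure_home_folders() {
    users_dir=${1:-/Users}
    for home in "$users_dir"/*; do
        [ -d "$home" ] || continue
        case $(basename "$home") in Shared|Guest) continue ;; esac
        chmod og-rwx "$home"
    done
}

# Live audit on a Mac: report only, so the findings can be reviewed first.
if [ "$(uname)" = "Darwin" ]; then
    for root in /Applications /Library /System; do
        find_world_writable_dirs "$root"
    done
    for home in /Users/*; do
        home_folder_open "$home" && echo "open home folder: $home"
    done
fi
```

Run the audit half first and feed any application directory that genuinely needs to stay writable into the exclusion file; chmod o-w keeps the owner's and group's bits intact, so most applications that broke under a blanket chmod 755 keep working.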

 

Auditing & Logging

Auditing Policies

Enable security auditing

Ensures auditd (macOS's audit facility) is loaded. auditd receives notifications from the kernel when certain system calls are made, such as open, fork, and exit, and writes them to an audit log. According to the macOS CIS benchmark, these logs contain important information if a security incident occurs, such as which application was exploited or what the person who caused the incident did. The CIS remediation loads the daemon with launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist.

                                    

Configure security auditing flags

Allows for the configuration of audit_control flags so that security auditing will log critical event types. According to the macOS CIS benchmark, maintaining an audit trail of system activity logs preserves evidence that might shed light on a system attack or compromise. Setting security auditing flags can also be used to troubleshoot service disruptions and find configuration errors.

 

Ensure security auditing retention

Ensures proper log retention for security auditing. The macOS audit capabilities are only useful if they are retained long enough to be reviewed by technical staff when needed. Retention can be set in terms of size or longevity. The macOS CIS benchmark states that the recommended log retention for most environments is at least 60 days or 1GB (1024MB).

 

Control access to audit records

Audit records should never be changed except by the system daemon that writes them; otherwise an attacker can remove or alter the entries that point to malicious activity. For this reason, the CIS benchmark (macOS) recommends protecting the audit files from unauthorized changes: the /var/audit directory and its logs should be owned by root, with no access for group or other users.
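The three audit_control controls above (event flags, retention, access to the records) can be verified from the configuration file and the log directory alone. The script below is an added example (not code from the page or from Kandji) that parses /etc/security/audit_control for the required flags and an expire-after value meeting the 60-day or 1 GB floor the page quotes, then lists any audit record readable or writable by group or others. The required class list lo,ad,fd,fm,-all is the one I recall from the CIS remediation for macOS 10.13 and later; confirm it against your benchmark version.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: check the three
# audit_control settings above (event flags, retention, access to the records).
# The required classes and the 60d/1G retention floor are taken from the CIS
# benchmark as quoted on the page; paths default to the macOS locations.

# Succeeds when the audit_control file $1 lists all required audit classes in
# flags: and expire-after: keeps at least 60 days or 1 GB. Prints each finding.
audit_control_compliant() {
    awk -F: '
        /^[[:space:]]*#/ { next }
        $1 == "flags"        { n = split($2, f, ","); for (i = 1; i <= n; i++) have[f[i]] = 1 }
        $1 == "expire-after" { expire = $2 }
        END {
            ok = 1
            m = split("lo ad fd fm -all", req, " ")
            for (i = 1; i <= m; i++)
                if (!(req[i] in have)) { print "flags: missing audit class " req[i]; ok = 0 }
            # expire-after combines an age and/or a size, e.g. "60d OR 1G";
            # accept the configuration if either term meets the CIS floor.
            n = split(expire, tok, " ")
            for (i = 1; i <= n; i++) {
                t = tok[i]; v = substr(t, 1, length(t) - 1) + 0
                if (t ~ /^[0-9]+d$/ && v >= 60)   retain_ok = 1
                if (t ~ /^[0-9]+M$/ && v >= 1024) retain_ok = 1
                if (t ~ /^[0-9]+G$/ && v >= 1)    retain_ok = 1
                if (t ~ /^[0-9]+T$/)              retain_ok = 1
            }
            if (!retain_ok) { print "expire-after: \"" expire "\" keeps less than 60 days or 1 GB"; ok = 0 }
            exit !ok
        }' "${1:-/etc/security/audit_control}"
}

# Prints anything under the audit log directory $1 that group or others can
# read or write; the compliant result is no output.
audit_records_exposed() {
    find "${1:-/var/audit}" \( -perm -0040 -o -perm -0020 -o -perm -0004 -o -perm -0002 \) -print 2>/dev/null
}

# Live check on a Mac (both locations need root to read).
if [ "$(uname)" = "Darwin" ]; then
    audit_control_compliant && echo "audit_control: compliant"
    exposed=$(audit_records_exposed)
    [ -z "$exposed" ] || { echo "audit records readable by others:"; echo "$exposed"; }
fi
```

After editing audit_control, audit -s makes auditd re-read the configuration without a reboot. Note that the check treats "60d OR 1G" as compliant because either term alone meets the floor; if your interpretation of the benchmark requires both terms, change the size and age checks to set separate flags and require both.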

 

Ensure Firewall is configured to log

When the firewall is turned on in the Security & Privacy preference pane, the application firewall (socketfilterfw) is put into use. In order to effectively monitor what access is and is not allowed, the CIS benchmark (macOS) recommends enabling firewall logging.

 

Date & Time

Ensure “Set time and date automatically”

The CIS benchmark (macOS) notes that correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. If the time on the Mac is off by more than 5 minutes, Apple’s single sign-on feature and active directory logins may be affected. Setting date and time automatically, and following other date and time CIS controls, can help avoid these issues.

 

Ensure time is within appropriate limits

Accurate time is required for many computer functions to operate properly. This control checks that the time on the computer is within an acceptable limit. While truly accurate time would be measured to the millisecond, the macOS CIS benchmark's date and time controls allow for a drift of four and a half minutes (270 seconds).

 


 

Network

Firewall

Enable Firewall

A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall. Enabling Firewall minimizes the threat of unauthorized users from gaining access to the system while connected to a network or the Internet, according to the macOS CIS benchmark.

 

Enable stealth mode

While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic. The CIS benchmark (macOS) states that stealth mode on Firewall mitigates the threat of system discovery tools while connected to a network or the Internet.

 

Review Application Firewall Rules

A computer should have a limited number of applications open to incoming connectivity. This check flags a Mac with more than 10 application rules allowing inbound connections, so that the list can be reviewed and unneeded entries removed.
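The three firewall controls above and the logging control in the Auditing & Logging section are all driven by socketfilterfw. The script below is an added example (not code from the page or from Kandji) that audits and enforces them and counts inbound allow rules against the 10-rule threshold. The output wording the parsers expect ("Firewall is enabled", "Stealth mode enabled", "Log mode is on", and one "( Allow incoming connections )" line per allowed app in --listapps) is from memory, so confirm it against your own Mac before trusting the verdicts.

```shell
#!/bin/sh
# Added example, not code from the page or from Kandji: audit and enforce the
# application firewall controls above (enabled, stealth mode, logging, and the
# 10-rule review threshold) with socketfilterfw. The parsers assume the output
# wording I remember from socketfilterfw; confirm against your Mac.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
MAX_INBOUND_ALLOW=${MAX_INBOUND_ALLOW:-10}   # review threshold quoted above

# Reads one socketfilterfw status line on stdin; succeeds if it reports the
# feature as enabled/on. "disabled" does not match because a non-alphanumeric
# character is required immediately before "enabled".
state_enabled() {
    grep -qiE '(^|[^[:alnum:]])(enabled|on)([^[:alnum:]]|$)'
}

# Reads --listapps output on stdin; prints the number of allow rules
# (grep -c prints 0 and exits 1 when nothing matches, hence the || true).
count_inbound_allow_rules() {
    grep -c 'Allow incoming connections' || true
}

# Reads --listapps output on stdin; succeeds when the allow-rule count is
# within the review threshold.
inbound_allow_rules_ok() {
    [ "$(count_inbound_allow_rules)" -le "$MAX_INBOUND_ALLOW" ]
}

# Live audit: prints one line per failing control.
firewall_audit() {
    "$SFW" --getglobalstate | state_enabled || echo "firewall is OFF"
    "$SFW" --getstealthmode | state_enabled || echo "stealth mode is OFF"
    "$SFW" --getloggingmode | state_enabled || echo "firewall logging is OFF"
    "$SFW" --listapps | inbound_allow_rules_ok || \
        echo "more than $MAX_INBOUND_ALLOW inbound allow rules; review --listapps"
}

# Live remediation (needs root). The rule list is deliberately not touched:
# removing an application's allow rule is a decision, not a default.
firewall_enforce() {
    "$SFW" --setglobalstate on
    "$SFW" --setstealthmode on
    "$SFW" --setloggingmode on
}

if [ "$(uname)" = "Darwin" ] && [ -x "$SFW" ]; then
    firewall_audit
fi
```

Once logging is on, the application firewall's decisions appear in the unified log (log show --predicate 'process == "socketfilterfw"' is a convenient filter), which is where the "what access is and is not allowed" review the logging control asks for actually happens.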

 

Sharing

Disable Screen Sharing

Screen sharing lets computers on the same network connect to one another and display the same screen; while sharing, the remote user can control that computer. The macOS CIS benchmark states that disabling screen sharing mitigates the risk of remote connections being made without the user at the console knowing that the computer is being shared.

 

Disable File Sharing

Apple’s File Sharing feature uses SMB (Windows sharing) and, on older versions of macOS, AFP (Mac sharing). According to the CIS benchmark (macOS), disabling file sharing reduces the risk of unauthorized access to files stored on the system.

 

Disable Printer Sharing

When Printer Sharing is enabled, the computer is established as a print server that accepts print jobs from other computers. Disabling Printer Sharing mitigates the risk of attackers exploiting the print server to gain access to the system. Use dedicated print servers or direct IP printing instead.

 

Disable Remote Login

Remote Login is a feature that allows an interactive terminal connection to a computer. Disabling Remote Login can safeguard systems from unauthorized persons gaining access to the Secure Shell (SSH).

 

Disable Remote Management

Remote Management can be used by remote administrators to view the current Screen, install software, report on, and manage client Mac devices. Remote Management should only be enabled on trusted networks because mobile devices without strict controls are vulnerable to exploit and monitoring.

 

Disable Remote Apple Events

Remote Apple Events allow one program to communicate with another from a different computer. By disabling this, users can reduce the risk of an unauthorized program gaining access to the system.

 

Disable Internet Sharing

Internet sharing allows one computer to share an internet connection with others on a local network, letting the Mac act as a router that can share a connection with potentially dangerous devices. Disabling Internet Sharing reduces the remote attack surface of the system.

 

Disable Bluetooth Sharing

Bluetooth Sharing allows files to be exchanged using Bluetooth-enabled devices. The CIS benchmark (macOS) recommends disabling Bluetooth Sharing to lower the risk of an attacker remotely accessing the system via Bluetooth.

 

Disable DVD or CD Sharing

DVD or CD sharing allows other users to remotely access the system’s optical drive. Disabling this feature will minimize the risk of an attacker accessing the optical drive and using it as a vector to expose sensitive data.

 

Ensure HTTP server is not running

Web serving should not be done from a user desktop. Dedicated web servers or appropriate cloud storage should be used. The CIS benchmark (macOS) states that open ports make it easier to exploit the computer.

 

Ensure NFS server is not running

NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user’s computer. File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer.

 

AirDrop

Disallow AirDrop

The CIS documentation notes that AirDrop is a very safe platform, using various file transfer security measures, such as TLS encryption and the ability to share files without requiring open ports. That said, environments that do not use Bluetooth and Wi-Fi might want to disable AirDrop by blocking its necessary interfaces. Organizations that have disabled USB and other pluggable storage mechanisms and have blocked all unmanaged cloud and transfer solutions for DLP may want to disallow AirDrop or restrict it to "Contacts Only" sharing.

 

Wi-Fi

Enable “Show Wi-Fi status in menu bar”

Enabling "Show Wi-Fi status in menu bar" is a security awareness method that helps mitigate public area wireless exploits by making the user aware of their wireless connectivity status.

 

Bluetooth

Turn off Bluetooth if no paired devices exist

If no paired devices exist, Bluetooth should be turned off. As the macOS CIS benchmark states, Bluetooth is susceptible to security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access to data, and unauthorized device control.

 

Bluetooth “Discoverable” is only available when Bluetooth preference pane is open

When a Bluetooth device is discoverable, it broadcasts information about itself and its location. The CIS benchmark (macOS) states that, when in the discoverable state, an unauthorized user could gain access to the system by pairing it with a remote device.

 

Show Bluetooth status in menu bar

Showing Bluetooth status in the menu bar is a security awareness method that informs the user about the current state of Bluetooth. Knowing if Bluetooth is enabled, discoverable, or paired with another device can keep the user informed.

 

Bonjour

Disable Bonjour advertising service

Bonjour is an auto-discovery mechanism for TCP/IP devices that enumerates devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled so the Mac stops announcing its own services to the subnet; the CIS remediation sets NoMulticastAdvertisements to true in /Library/Preferences/com.apple.mDNSResponder.plist.

 

Hardware

EFI

Ensure EFI version is valid and being regularly checked

Runs the built-in macOS firmware checker (eficheck, at /usr/libexec/firmwarecheckers/eficheck/eficheck) on a daily basis to ensure the EFI version running is a known-good version from Apple. Note that eficheck does not apply to T2-equipped Macs, where the T2 chip validates the firmware at boot. If the firmware of a computer has been compromised, the operating system that the firmware loads cannot be trusted either.

 

Camera

iSight Camera Privacy and Confidentiality Concerns

This control disables all use of the built-in camera. If a camera is present in an area where privacy concerns or sensitive imagery take place, the CIS benchmark (macOS) recommends disabling or covering the camera to lower the risk of access by attackers.

 

Infrared

Pair the remote control infrared receiver if enabled

An infrared remote can be used from a distance to circumvent physical security controls. According to the macOS CIS benchmark, a remote could also be used to page through a document or presentation, thus revealing sensitive information, so if a remote is not needed, disable the remote control infrared receiver.

 


 

macOS Application & Services

Software Update

Enable Auto Update

Automatically checking for updates makes it easier for the user to know when updates are available. It is important that a system has the newest updates applied to prevent unauthorized persons from exploiting identified vulnerabilities.

 

Enable system data files and security update installs

This control ensures that system and security updates are installed after they are available from Apple. According to the CIS benchmark (macOS), staying up to date on patches is necessary to reduce the risk of vulnerabilities being exploited.

 

Enable macOS update installs

This setting allows macOS updates to be installed automatically once they are available from Apple. Because patches need to be applied as soon as possible, allowing automatic updates ensures that the user’s device is updated in a timely manner rather than being left exposed to known vulnerabilities.

 

Enable app update installs

By automatically installing App Store updates in the background, the user is safeguarded from vulnerabilities fixed in newer versions of the installed apps.

 

 

Safari

Disable the automatic run of safe files in Safari

Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files includes text, image, video and archive formats that would be run in the context of the OS rather than the browser.

 

Safari disable internet Plugins for global use

Rather than a global switch where a plug-in is either on or off for every site, Safari's per-site model makes the decision for each specific site visited: allow, don't allow, or allow permanently. Plug-ins should be disabled globally so that they run only where explicitly permitted.

 

Gatekeeper

Enable Gatekeeper

Gatekeeper is Apple's control over which downloaded applications may launch: it checks that an app is signed by a Developer ID certificate (and, on recent versions, notarized) before allowing it to run, and blocks unsigned software from unverified sources unless the user explicitly overrides it. According to the CIS benchmark (macOS), disallowing unsigned software reduces the risk of malicious applications running on the system. The current state is reported by spctl --status.

 

Terminal

Enable Secure Keyboard Entry in terminal.app

Secure Keyboard Entry prevents other applications on the system from detecting and recording what is typed into Terminal. Enabling this feature can minimize the risk of a key logger capturing the keys entered into the Terminal, according to the macOS CIS benchmark.

 

iCloud

iCloud Desktop & Documents Sync

The automatic synchronization of all files in a user's Documents folder should be disabled. Automated Document synchronization should be planned and controlled to approved storage.

 

iCloud Keychain

The iCloud keychain is a password manager that operates on macOS and iOS. It lets users store passwords for use in Safari. The CIS benchmark (macOS) states that the iCloud keychain should be used consistently with organizational requirements.

 

iCloud Drive

iCloud Drive is a storage solution used for applications on macOS and iOS. Organizations that are concerned with maintaining more control over their data and how it is used should turn off iCloud Drive.

 

Energy Saver

Disable “Wake for network access”

The “wake for network access” feature enables other users to access a computer’s shared resources even if the computer is in sleep mode. The macOS CIS benchmark states disabling the “wake for network access” feature could mitigate the risk of an attacker remotely waking the system to gain access to it.

 

Siri

Siri on macOS

In cases where sensitive and protected data is processed and Siri could help a user navigate their machine and expose that information, Siri should be disabled. The CIS benchmark (macOS) states that this control disables the Siri service, and removes Siri icons from the Dock, Touch Bar, and menu bar.

 

System Preferences

Require an administrator password to access system-wide preferences

System Preferences controls system and user settings on a macOS device. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. According to the macOS CIS benchmark, some of the settings should only be altered by the person responsible for the computer.

 


 

Time Machine

Time Machine Auto-Backup

Operational staff should ensure that backups complete on a regular basis and that the backups are tested to confirm file restoration from backup is possible when needed. The dates of the most recent backups are recorded in the Time Machine plist and remain available even when the target volume is not connected.

 

Time Machine Volumes are Encrypted

While some portable drives may contain non-sensitive data, and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes. The macOS CIS benchmark states that Time Machine backup volumes need to be encrypted.

 

Third-Party Applications & Services

Java

Java 6 is not the default Java runtime

Java has been one of the most exploited environments, and Java 6 is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The macOS CIS benchmark states that the EOL version may still be installed and should be removed from the computer or not be in the default path.

 

 

Kandji Makes CIS Compliance Simple

Now that you’ve scrolled through the checklist, you’ve seen first-hand just how demanding CIS compliance can be. Keeping all of those controls maintained and updated with new iterations of macOS (thus new CIS compliance standards) could be a costly and time-consuming endeavor. Thankfully, Kandji makes it easy.

Our one-click CIS compliance feature is perfect for organizations that need hassle-free CIS compliance. With over 150 pre-built device controls, Kandji gives your IT team the power it needs to keep your Mac fleet safe and secure. That means you can skip the coding and say hello to fast and easy CIS compliance. We have even been awarded the CIS Security Software Certification for CIS Benchmark, recognizing us as a CIS partner.


Kandji makes CIS compliance a breeze, letting you enable the entire CIS benchmark with a single click. Securing your fleet has never been easier!

Request access to Kandji today.

 
