Merge branch 'tahoe'

macOS Tahoe Guidance Release

Author: robertgendler

CHANGELOG.md

@@ -2,161 +2,70 @@
 
 This document provides a high-level view of the changes to the macOS Security Compliance Project.
 
-## [Sequoia, Revision 2.0] - 2025-07-01
-* Rules
-  * Added Rules
-    * os_mail_smart_reply_disable
-    * os_notes_transcription_disable
-    * os_notes_transcription_summary_disable
-    * os_safari_reader_summary_disable
-    * os_sshd_per_source_penalties_configure
-  * Modified Rules
-    * os_genmoji_disable.yaml
-    * os_implement_cryptography.yaml
-    * os_iphone_mirroring_disable.yaml
-    * os_mail_summary_disable.yaml
-    * os_nfsd_disable.yaml
-    * os_parental_controls_enable.yaml
-    * os_password_hint_remove.yaml
-    * os_power_nap_disable.yaml
-    * os_separate_functionality.yaml
-    * os_sleep_and_display_sleep_apple_silicon_enable.yaml
-    * os_sudo_log_enforce.yaml
-    * os_time_server_enabled.yaml
-    * os_unlock_active_user_session_disable
-    * os_writing_tools_disable.yaml
-    * pwpolicy_50_percent.yaml
-    * pwpolicy_history_enforce.yaml
-    * pwpolicy_upper_case_character_enforce.yaml
-    * supplemental_cis_manual.yaml
-    * system_settings_automatic_login_disable.yaml
-    * system_settings_bluetooth_sharing_disable.yaml
-    * system_settings_content_caching_disable.yaml
-    * system_settings_external_intelligence_disable.yaml
-    * system_settings_external_intelligence_sign_in_disable.yaml
-    * system_settings_guest_access_smb_disable.yaml
-    * system_settings_guest_account_disable.yaml
-    * system_settings_improve_assistive_voice_disable.yaml
-    * system_settings_improve_search_disable.yaml
-    * system_settings_internet_sharing_disable.yaml
-    * system_settings_loginwindow_loginwindowtext_enable.yaml
-    * system_settings_loginwindow_prompt_username_password_enforce.yaml
-    * system_settings_media_sharing_disabled.yaml
-    * system_settings_password_hints_disable.yaml
-    * system_settings_printer_sharing_disable.yaml
-    * system_settings_rae_disable.yaml
-    * system_settings_remote_management_disable.yaml
-    * system_settings_screen_sharing_disable.yaml
-    * system_settings_screensaver_ask_for_password_delay_enforce.yaml
-    * system_settings_screensaver_timeout_enforce.yaml
-    * system_settings_siri_disable.yaml
-    * system_settings_siri_listen_disable.yaml
-    * system_settings_smbd_disable.yaml
-    * system_settings_software_update_enforce.yaml
-    * system_settings_ssh_disable.yaml
-    * system_settings_time_server_configure.yaml
-    * system_settings_time_server_enforce.yaml
-    * system_settings_wake_network_access_disable.yaml
-  * Bug Fixes
-* Baselines
-    * Updated CIS to v1.1.0
-    * Updated DISA STIG Ver 1, Rel 3
-* Scripts
-  * generate_guidance
-    * bug fixes
-  * generate_scap.py
-    * bug fixes
-
-## [Sequoia, Revision 1.1] - 2024-12-16
+## [Tahoe, Revision 1.0] - 2025-09-11
 
 * Rules
   * Added Rules
-    * os_iphone_mirroring_disable
-    * os_mail_summary_disable
-    * os_photos_enhanced_search_disable
-    * system_settings_external_intelligence_disable
-    * system_settings_external_intelligence_sign_in_disable
+    * os_loginwindow_adminhostinfo_disabled
+    * os_safari_clear_history_disable
+    * os_safari_private_browsing_disable
+    * os_skip_apple_intelligence_enable
+    * system_settings_download_software_update_enforce
+    * system_settings_security_update_install
   * Modified Rules
-    * os_sleep_and_display_sleep_apple_silicon_enable
-    * os_sudo_log_enforce
+    * audit_auditd_enabled
+    * os_appleid_prompt_disable
+    * os_authenticated_root_enable
+    * os_external_storage_access_defined
+    * os_httpd_disable
+    * os_icloud_storage_prompt_disable
+    * os_network_storage_restriction
+    * os_privacy_setup_prompt_disable
+    * os_recovery_lock_enable
+    * os_screensaver_loginwindow_enforce
+    * os_secure_boot_verify
+    * os_siri_prompt_disable
+    * os_skip_screen_time_prompt_enable
+    * os_skip_unlock_with_watch_enable
+    * os_tftpd_disable
+    * os_time_server_enabled
+    * os_touchid_prompt_disable
+    * os_unlock_active_user_session_disable
     * os_world_writable_library_folder_configure
-    * os_password_autofill_disable
-    * pwpolicy_alpha_numeric_enforce
-    * pwpolicy_custom_regex_enforce
-    * pwpolicy_lower_case_character_enforce.yaml
+    * os_uucp_disable
+    * pwpolicy_account_lockout_enforce
+    * pwpolicy_account_lockout_timeout_enforce
+    * pwpolicy_history_enforce
+    * pwpolicy_lower_case_character_enforce
     * pwpolicy_max_lifetime_enforce
+    * pwpolicy_minimum_length_enforce
     * pwpolicy_minimum_lifetime_enforce
-    * pwpolicy_history_enforce
-    * pwpolicy_account_lockout_timeout_enforce
-    * pwpolicy_account_lockout_enforce
-    * pwpolicy_prevent_dictionary_words
-    * pwpolicy_simple_sequence_disable
     * pwpolicy_special_character_enforce
-    * pwpolicy_upper_case_character_enforce.yaml
-    * system_settings_improve_assistive_voice_disable
+    * pwpolicy_upper_case_character_enforce
+    * system_settings_bluetooth_sharing_disable
+    * system_settings_hot_corners_secure
+    * system_settings_location_services_disable
+    * system_settings_location_services_enable
+    * system_settings_screen_sharing_disable
+    * system_settings_ssh_disable
+    * system_settings_time_machine_encrypted_configure
   * Removed Rules
-    * system_settings_cd_dvd_sharing_disable
+    * os_loginwindow_adminhostinfo_undefined
+    * os_show_filename_extensions_enable
+    * system_settings_security_update_install
+    * system_settings_software_update_enforce
   * Bug Fixes
-* Baselines
-  * Added DISA STIG v1r1
-  * Added CIS Level (Draft -> Final)
-  * Updated CNSSI-1253
-
-## [Sequoia, Revision 1.0] - 2024-09-12
-
-* Rules
-  * Added Rules
-    * os_genmoji_disable
-    * os_image_generation_disable
-    * os_iphone_mirroring_disable
-    * os_sudo_log_enforce
-    * os_writing_tools_disable
-  * Modified Rules
-    * os_anti_virus_installed
-    * os_gatekeeper_enable
-    * os_ssh_fips_compliant
-    * system_settings_firewall_enable
-    * system_settings_firewall_stealth_mode_enable
-    * system_settings_gatekeeper_identified_developers_allowed
-    * system_settings_media_sharing_disabled
-    * DDM Support
-      * auth_pam_login_smartcard_enforce
-      * auth_pam_su_smartcard_enforce
-      * auth_pam_sudo_smartcard_enforce
-      * auth_ssh_password_authentication_disable
-      * os_external_storage_restriction
-      * os_network_storage_restriction
-      * os_policy_banner_ssh_enforce
-      * os_sshd_channel_timeout_configure
-      * os_sshd_client_alive_count_max_configure
-      * os_sshd_client_alive_interval_configure
-      * os_sshd_fips_compliant
-      * os_sshd_login_grace_time_configure
-      * os_sshd_permit_root_login_configure
-      * os_sshd_unused_connection_timeout_configure
-      * os_sudo_timeout_configure
-      * pwpolicy_account_lockout_enforce
-      * pwpolicy_account_lockout_timeout_enforce
-      * pwpolicy_alpha_numeric_enforce
-      * pwpolicy_custom_regex_enforce
-      * pwpolicy_history_enforce
-      * pwpolicy_max_lifetime_enforce
-      * pwpolicy_minimum_length_enforce
-      * pwpolicy_simple_sequence_disable
-      * pwpolicy_special_character_enforce
-    * Removed Rules
-      * os_firewall_log_enable
-      * os_gatekeeper_rearm
-      * os_safari_popups_disabled
-    * Bug Fixes
 * Baselines
   * Modified existing baselines
-  * Updated 800-171 to Revision 3
 * Scripts
   * generate_guidance
-    * Support for Declarative Device Management (DDM)
-    * Added support for severity
-  * generate_baseline
-  * generate_mappings
+    * Added flag for consolidated configuration profile
+    * Updated DDM logic for nested keys
+    * Added shell check to compliance script
+    * Updated current user check in compliance script
+    * Support for Managed Arguments in compliance script
+    * Bug Fixes
   * generate_scap
-    * Added support for severity
+    * Support for oval 5.12.1
+    * Support for scap 1.4
+    * Added shellcommand for all tests

README.md

@@ -1,7 +1,7 @@
 ![Alt text](templates/images/mscp_banner_outline.png)
 
 ![Alt text](https://badgen.net/badge/icon/apple?icon=apple&label)
-![Alt text](https://badgen.net/badge/icon/15.0?icon=apple&label)
+![Alt text](https://badgen.net/badge/icon/26.0?icon=apple&label)
 
 > [!IMPORTANT]
 > We recommend working off of one of the OS branches, rather than the `main` branch.
@@ -14,7 +14,7 @@ Apple acknowledges the macOS Security Compliance Project with information on the
 
 This project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements defined in NIST SP 800-53 (Rev. 5). It can also be used to develop customized guidance to meet the particular cybersecurity needs of any organization.
 
-To learn more about the project, please see the [wiki](https://github.com/usnistgov/macos_security/wiki).
+To learn more about the project, [click here](http://pages.nist.gov/macos_security/).
 
 If you are interested in supporting the development of the project, refer to the [contributor guidance](CONTRIBUTING.md) for more information.
 
@@ -35,7 +35,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST
 |Dan Brodjieski|NASA
 |John Mahlman IV|Leidos
 |Aaron Kegerreis|DISA
-|Henry Stamerjohann|Zentral Pro Services GmbH
+|Henry Stamerjohann|Declarative IT GmbH
 |Marco A Piñeryo II|State Department
 |Jason Blake|NIST
 |Blair Heiserman|NIST

VERSION.yaml

@@ -1,5 +1,5 @@
-os: "15.0"
+os: "26.0"
 platform: macOS
-version: "Sequoia Guidance, Revision 2.0"
-cpe: o:apple:macos:15.0
-date: "2025-07-01"
+version: "Tahoe Guidance, Revision 1.0"
+cpe: o:apple:macos:26.0
+date: "2025-09-11"

baselines/800-171.yaml

@@ -1,6 +1,6 @@
-title: "macOS 15.0: Security Configuration - NIST 800-171 Rev 3"
+title: "macOS 26.0: Security Configuration - NIST 800-171 Rev 3"
 description: |
-  This guide describes the actions to take when securing a macOS 15.0 system against the NIST 800-171 Rev 3 security baseline.
+  This guide describes the actions to take when securing a macOS 26.0 system against the NIST 800-171 Rev 3 security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -78,10 +78,10 @@ profile:
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
-      - os_image_generation_disable
+      - os_image_playground_disable
       - os_iphone_mirroring_disable
       - os_ir_support_disable
-      - os_loginwindow_adminhostinfo_undefined
+      - os_loginwindow_adminhostinfo_disabled
       - os_mail_smart_reply_disable
       - os_mail_summary_disable
       - os_mdm_require
@@ -104,6 +104,7 @@ profile:
       - os_screensaver_loginwindow_enforce
       - os_sip_enable
       - os_siri_prompt_disable
+      - os_skip_apple_intelligence_enable
       - os_skip_screen_time_prompt_enable
       - os_skip_unlock_with_watch_enable
       - os_ssh_fips_compliant

baselines/800-53r5_high.yaml

@@ -1,6 +1,6 @@
-title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
+title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 High Impact"
 description: |
-  This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
+  This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 High Impact security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -85,10 +85,10 @@ profile:
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
-      - os_image_generation_disable
+      - os_image_playground_disable
       - os_iphone_mirroring_disable
       - os_ir_support_disable
-      - os_loginwindow_adminhostinfo_undefined
+      - os_loginwindow_adminhostinfo_disabled
       - os_mail_smart_reply_disable
       - os_mail_summary_disable
       - os_mdm_require
@@ -114,6 +114,7 @@ profile:
       - os_setup_assistant_filevault_enforce
       - os_sip_enable
       - os_siri_prompt_disable
+      - os_skip_apple_intelligence_enable
       - os_skip_unlock_with_watch_enable
       - os_ssh_fips_compliant
       - os_ssh_server_alive_count_max_configure
@@ -184,6 +185,7 @@ profile:
       - system_settings_screensaver_ask_for_password_delay_enforce
       - system_settings_screensaver_password_enforce
       - system_settings_screensaver_timeout_enforce
+      - system_settings_security_update_install
       - system_settings_siri_disable
       - system_settings_siri_settings_disable
       - system_settings_smbd_disable

baselines/800-53r5_low.yaml

@@ -1,6 +1,6 @@
-title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
+title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Low Impact"
 description: |
-  This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
+  This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Low Impact security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -76,7 +76,7 @@ profile:
       - os_handoff_disable
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
-      - os_image_generation_disable
+      - os_image_playground_disable
       - os_iphone_mirroring_disable
       - os_ir_support_disable
       - os_mail_smart_reply_disable
@@ -98,6 +98,7 @@ profile:
       - os_safari_reader_summary_disable
       - os_sip_enable
       - os_siri_prompt_disable
+      - os_skip_apple_intelligence_enable
       - os_skip_unlock_with_watch_enable
       - os_ssh_fips_compliant
       - os_sshd_fips_compliant
@@ -151,6 +152,7 @@ profile:
       - system_settings_remote_management_disable
       - system_settings_screen_sharing_disable
       - system_settings_screensaver_timeout_enforce
+      - system_settings_security_update_install
       - system_settings_siri_disable
       - system_settings_siri_settings_disable
       - system_settings_smbd_disable

baselines/800-53r5_moderate.yaml

@@ -1,6 +1,6 @@
-title: "macOS 15.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
+title: "macOS 26.0: Security Configuration - NIST SP 800-53 Rev 5 Moderate Impact"
 description: |
-  This guide describes the actions to take when securing a macOS 15.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
+  This guide describes the actions to take when securing a macOS 26.0 system against the NIST SP 800-53 Rev 5 Moderate Impact security baseline.
 
   Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
 authors: |
@@ -83,10 +83,10 @@ profile:
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
-      - os_image_generation_disable
+      - os_image_playground_disable
       - os_iphone_mirroring_disable
       - os_ir_support_disable
-      - os_loginwindow_adminhostinfo_undefined
+      - os_loginwindow_adminhostinfo_disabled
       - os_mail_smart_reply_disable
       - os_mail_summary_disable
       - os_mdm_require
@@ -112,6 +112,7 @@ profile:
       - os_setup_assistant_filevault_enforce
       - os_sip_enable
       - os_siri_prompt_disable
+      - os_skip_apple_intelligence_enable
       - os_skip_unlock_with_watch_enable
       - os_ssh_fips_compliant
       - os_ssh_server_alive_count_max_configure
@@ -181,6 +182,7 @@ profile:
       - system_settings_screensaver_ask_for_password_delay_enforce
       - system_settings_screensaver_password_enforce
       - system_settings_screensaver_timeout_enforce
+      - system_settings_security_update_install
       - system_settings_siri_disable
       - system_settings_siri_settings_disable
       - system_settings_smbd_disable