Safari Status Bar no longer a requirement within NIST? #117
Replies: 3 comments 2 replies
-
|
The @usnistgov/itl-applesec repository was for the NIST SP 800-179 which was more of a guideline of best practices for macOS 10.12. The macOS Security Compliance is more focused on mapping settings within the operating system to the NIST 800-53 (and other compliance frameworks). While that setting in Safari is useful to inform the user, we feel as though it doesn't really map to any compliance setting we are aware of within the supported baselines. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @robertgendler thank you for the response. Does any of these documents talk about why the removal of such checks (I think Secure Terminal Keyboard Entry was present earlier, but isn't now) while going from NIST SP 800-179 to NIST 800-53? Just in case there are reasons stated why such checks are not useful for a security baseline. Thank you for your response :) |
Beta Was this translation helpful? Give feedback.
-
|
There is not much explanation why things are removed. Some of the setting suggestions from the 179 will migrate to this project, but if there's a reason for a removal it is most likely due to it not being useful in the current macOS environment or it does not map to an 800-53 control. Or it's a setting we are unable to verify does anything. Or it's potentially done a different way. Using Secure Terminal Entry for example, ever since Privacy Preferences things and the removal of Kernel Extensions, this setting does basically nothing useful as a key logger requires both of those things and would be able to get valuable information regardless of that setting in Terminal. There seems to be no way to verify this setting is doing anything, so it was never added to the mSCP. Though I believe CIS still recommends it, so it may have a rule in the CIS branch. |
Beta Was this translation helpful? Give feedback.
-
|
@cricketer94 because I was curious about this setting and maybe making a rule file. I also asked the authors of the 179 about it and we all confirmed. It's no longer able to be set. You can't enforce it using a configuration profile, so with no manageable option it's gone. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @robertgendler. Sorry just saw this. Thanks for clarifying this! I suspected as much. Thank you so much for checking this out! |
Beta Was this translation helpful? Give feedback.
-
Hi, I used to refer to the older version of this repository, and noticed that the rule of enabling the Safari Status Bar seems to be no longer part of any of the baselines. Just wanted to ask why the rule was removed? (Sorry if this was discussed in some changelog, I couldn't seem to find it)
Beta Was this translation helpful? Give feedback.
All reactions