Official changelog: https://github.com/usnistgov/macos_security/releases/tag/sequoia_rev1.1
The Sequoia Release 1.1 introduces a comprehensive set of updates, refinements, and enhancements to its rule files, baselines, and compliance frameworks. This release focuses on improving rule definitions, adding new compliance identifiers, refining checks and fixes, and aligning with updated security standards such as NIST SP 800-53, CNSSI 1253, and DISA STIG. Below is a detailed summary of the key changes made in this release:
Major Updates to Compliance Rules
Additions of Compliance Identifiers
The release incorporates new STIG IDs, Control Correlation Identifiers (CCIs), and Security Requirements Guides (SRGs) into several rule files. These additions enhance traceability and compliance reporting:
- Initial STIG IDs were added to rule files.
- New CCIs were introduced to align rules with specific compliance requirements.
- SRGs were added to STIG rules for better alignment with DISA STIG guidelines.
Refinements to Existing Rules
Several rules were updated for improved functionality and precision:
- The pwpolicy_custom_regex_enforce rule saw the removal of an unneeded SRG and updates to the regex logic.
- Rules such as os_ssh_fips_compliant and os_sshd_fips_compliant had their checks and fixes refined for better adherence to FIPS compliance.
- The os_sudo_log_enforce rule was added with new STIG IDs and NIST 800-53 tags.
Additions, Modifications, and Deletions
Numerous rules were either added, modified, or removed based on evolving compliance needs:
- Added rules include os_genmoji_disable, os_image_generation_disable, os_password_autofill_disable, os_sudo_log_enforce, and os_writing_tools_disable, among others.
- Modified rules include updates to titles or checks for rules like system_settings_improve_search_disable and system_settings_improve_siri_dictation_disable.
- Removed rules include os_directory_services_configured, os_ess_installed, and system_settings_cd_dvd_sharing_disable.
Updates for Specific Platforms
Rules were tailored for compatibility with specific platforms:
- The rule os_sleep_and_display_sleep_apple_silicon_enable was added with an ARM64 tag for Apple Silicon devices.
- Adjustments were made to sleep/display sleep configurations based on CIS changes.
Baseline File Updates
Baseline files underwent significant revisions to reflect the updated rule sets:
- CNSSI 1253 baseline files were updated with low, moderate, and high tags.
- CIS baseline files were updated for alignment with the latest CIS benchmarks.
- DISA STIG baseline files were created or revised to reference Sequoia-specific configurations.
Compliance Framework Updates
NIST SP 800-53 and 800-171
The release includes updates to align with revisions in NIST standards:
- Tags for NIST SP 800-53 and 800-171 were updated or removed where necessary.
- Discussions in certain rules now reflect guidance from NIST SP 800-63 and Executive Order M-22-09.
CNSSI 1253 Tags
CNSSI tags were added to several rules for categorization under low, moderate, or high impact levels.
Fixes and Refinements
Bug Fixes
Numerous bugs were addressed in this release:
- Fixed path issues in rules like system_settings_system_wide_preferences_configure.
- Resolved regressions related to CIS benchmarks.
- Addressed false negatives by adding unique identifiers in checks.
Simplifications
Certain fixes were simplified by removing unnecessary loops or redundant logic. For example:
- SSH-related fixes were streamlined by removing unneeded iterations.
Improvements in Rule Logic
Enhancements were made to prevent errors such as double entries in configuration files or case sensitivity issues in commands.
New Features
External Intelligence Rules
- New rules were added to disable external intelligence features for version 15.2 of the operating system.
Media Sharing Key Updates
- Updates were made to media sharing keys as part of broader refinements.
Conclusion
Sequoia Release 1.1 represents a significant step forward in refining security configurations, enhancing compliance alignment, and addressing user feedback. By incorporating new compliance identifiers, updating baseline files, refining existing rules, and introducing new features like external intelligence disabling, this release ensures that Sequoia remains at the forefront of security standards adherence.