This release strengthens data-at-rest encryption, browser hardening, screen-lock enforcement, audit logging, password history, and core system services across macOS Tahoe (26). It also removes the two Rapid Security Response rules.
Note: These changes apply only to default Benchmarks and cloned Benchmarks that already contain these rules. If a rule is not currently included in your Benchmark, you'll need to add it manually.
Several of these changes may affect the end-user experience. Review the updated configurations before deploying them broadly.
What's New
New Rules
os_internal_apfs_volumes_encrypted
Benchmark: CIS Level 1
Requires internal APFS volumes to be encrypted, protecting data at rest on the Mac's built-in storage.
os_external_apfs_hfs_volumes_encrypted
Benchmark: CIS Level 1
Requires external APFS and HFS volumes to be encrypted, protecting data stored on removable and external drives.
system_settings_hot_corners_secure
Benchmark: CIS Level 1
Prevents hot corners from being configured to disable the screen saver, so users cannot use them to bypass automatic screen locking.
os_safari_allow_javascript_disable
Benchmark: NIST 800-53 R5 (High)
Disables JavaScript in Safari to reduce the browser's attack surface.
Updated Rules
os_root_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CIS Level 1
- CMMC Level 1
- CMMC Level 2
- Cyber Essentials
- DISA STIG
Disables the root account to prevent direct root login.
Important: The remediation for this rule has been significantly strengthened in this release. Review the changes before broad deployment.
os_authenticated_root_enable
Benchmarks:
- NIST 800-53 R5 (High)
- CIS Level 1
- CMMC Level 1
- CMMC Level 2
- DISA STIG
Ensures the signed system volume (Authenticated Root) is enabled so macOS verifies system integrity during startup.
os_firewall_default_deny_require
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 2
Requires the firewall to deny inbound connections by default.
os_nfsd_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CIS Level 1
- CMMC Level 1
- CMMC Level 2
- DISA STIG
Disables the NFS file-sharing service to reduce the system's attack surface.
os_tftpd_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 1
- CMMC Level 2
- Cyber Essentials
- DISA STIG
Disables the TFTP service to reduce the system's attack surface.
os_uucp_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 1
- CMMC Level 2
- DISA STIG
Disables the legacy UUCP service to reduce the system's attack surface.
os_ssh_fips_compliant
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 2
- DISA STIG
Restricts SSH to FIPS 140-validated cryptographic algorithms, including ciphers, key exchange methods, and MACs.
audit_flags_fm_configure
Benchmarks:
- CMMC Level 2
- DISA STIG
Configures audit logging for file modification events.
audit_flags_fm_failed_configure
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 2
Configures audit logging for failed file modification events.
audit_retention_configure
Benchmark: CIS Level 1
Updates audit log retention to a time-based policy of 30 days.
pwpolicy_history_enforce
Benchmark: CIS Level 1
Enforces password history to prevent users from reusing recent passwords.
system_settings_screensaver_timeout_enforce
Benchmark: CIS Level 1
Enforces a maximum idle timeout before the screen saver activates and the screen locks.
system_settings_guest_access_smb_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CIS Level 1
- CMMC Level 1
- CMMC Level 2
Disables guest access to SMB file shares.
system_settings_location_services_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 2
- DISA STIG
Disables Location Services.
system_settings_softwareupdate_current
Benchmarks:
- NIST 800-53 R5 (High)
- CIS Level 1
- CMMC Level 1
- CMMC Level 2
- Cyber Essentials
- DISA STIG
Ensures Macs are running the current version of macOS with all available security updates installed to address known vulnerabilities.
Removed Rules
os_rapid_security_response_allow
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 1
- CMMC Level 2
- Cyber Essentials
Removed from this release.
os_rapid_security_response_removal_disable
Benchmarks:
- NIST 800-53 R5 (High)
- CMMC Level 1
- CMMC Level 2
- Cyber Essentials
Removed from this release.