Check Gatekeeper Status |
Verify that Gatekeeper is enabled to protect your Mac from potentially harmful software |
CIS Benchmark |
Enable Gatekeeper either by running 'sudo spctl --master-enable' in Terminal or by going to System Preferences -> Security & Privacy -> General, and selecting 'App Store and identified developers' under 'Allow apps downloaded from' |
High |
Gatekeeper is Enabled. |
|
Check FileVault Status |
FileVault is a built-in disk encryption feature on macOS. This check verifies if FileVault is enabled or disabled on your device. |
CIS Benchmark |
To enable FileVault, go to System Preferences -> Security & Privacy -> FileVault, and click 'Turn On FileVault...' |
High |
FileVault is enabled. |
|
Check System Integrity Protection (SIP) Status |
This check verifies if System Integrity Protection (SIP) is enabled on your computer. SIP helps protect your computer from unauthorized changes and enhances security. |
Security |
To enable SIP, restart your computer in Recovery Mode and run `csrutil enable` in Terminal. |
High |
SIP is enabled. |
|
Check Firewall Status |
The firewall helps protect your device from unauthorized access. This check verifies if the firewall is enabled and configured correctly. |
CIS Benchmark |
To enable and configure the firewall, go to System Preferences -> Security & Privacy -> Firewall, click 'Turn On Firewall', and 'Firewall Options...' to block incoming connections. |
High |
Firewall is not enabled. |
|
Check Certificate Trust Settings |
Check for potential issues with trusted certificates |
Security |
Review certificate trust settings and remove any untrusted or expired certificates |
High |
Certificate trust is OK. |
|
Check If SSH Is Enabled |
Check if SSH is enabled and running |
CIS Benchmark |
Disable SSH or configure it securely by following the recommended practices |
High |
SSH is Enabled |
|
iCloud Drive Status Check |
Verify that iCloud Drive is enabled to provide backup and sync features for data protection and device recovery |
CIS Benchmark |
Enable iCloud Drive by going to System Preferences > Apple ID > iCloud and checking the box next to iCloud Drive |
Medium |
iCloud Drive Document and Desktop sync is enabled. |
|
Guest Login Status Check |
Verify that guest login is disabled to protect your Mac from unauthorized access |
CIS Benchmark |
Disable guest login by going to System Preferences > Users & Groups > Guest User and unchecking 'Allow guests to log in to this computer' |
Medium |
Guest Login is Disabled. |
|
Check Siri Status |
Check if Siri is enabled |
Privacy |
Disable Siri by going to System Preferences > Siri and unchecking 'Enable Ask Siri' |
Low |
Siri is Disabled |
|
Check Secure Kernel Extension Loading |
Verify that Secure Kernel Extension Loading is enabled to protect your Mac from potentially harmful kernel extensions |
CIS Benchmark |
Enable Secure Kernel Extension Loading by booting into Recovery Mode, opening Terminal, and running 'csrutil enable', then restart your Mac |
Medium |
Secure Kernel Extension Loading is Enabled |
|
Check Sending Diagnostic and Usage Data to Apple Status |
Check if sending diagnostic and usage data to Apple is disabled |
Privacy |
Go to System Preferences > Security & Privacy > Privacy > Analytics & Improvements, and select 'Off' for 'Share Mac Analytics' |
Low |
Apple data share is enabled. |
|
Check Java 6 Default Runtime Status |
Check if Java 6 is the default Java runtime. Java 6 is an outdated version and may expose your system to security risks. |
Security |
Install a newer version of Java and set it as the default runtime. Follow the instructions at https://www.java.com/en/download/help/download_options.xml to download and install the latest version of Java. |
High |
Java is up-to-date. |
|
Check EFI Version is Valid and Regularly Checked |
Check if the EFI version is valid and being regularly checked on the system |
CIS Benchmark |
Upgrade to the latest EFI version and enable automatic checks |
Medium |
EFI version is valid but firmware update check has never been performed |
|
Check Bonjour Advertising Service Status |
Check if Bonjour advertising service is disabled. Bonjour is a service that helps devices and applications discover each other on a local network. Disabling it can help prevent unauthorized access to your computer. |
Security |
Disable Bonjour advertising service by going to System Preferences > Sharing and unchecking all sharing services. |
Medium |
Bonjour service is running. |
|
Check HTTP Server Status |
This check ensures that the HTTP server is not running on your system, which helps protect against potential security vulnerabilities. |
Security |
To disable the built-in Apache server or configure it securely, follow the instructions in the provided documentation link. |
Medium |
Apache Server is not Running. |
|
Check NFS Server Status |
This check ensures that the NFS server is not running on your system, which helps protect against potential security vulnerabilities. |
Security |
To disable the NFS server or configure it securely, follow the instructions in the provided documentation link. |
Medium |
NFS Server is Disabled. |
|
Check 'Show Password Hints' Status |
This check verifies if the 'Show password hints' option is disabled on your system, which helps protect against unauthorized access to your computer. |
Security |
To disable 'Show password hints', go to System Preferences > Users & Groups > Login Options, and uncheck the 'Show password hints' option. |
Medium |
Password Hint is Enabled |
|
Check 'Allow guests to connect to shared folders' Status |
This check ensures that the 'Allow guests to connect to shared folders' option is disabled on your system, which helps protect against unauthorized access to your computer. |
Security |
To disable 'Allow guests to connect to shared folders', go to System Preferences > Sharing, and uncheck the 'Allow guests to connect to shared folders' option. |
Medium |
'Allow guests to connect to shared folders' is enabled |
|
Check Automatic Run of Safe Files in Safari |
This check ensures that the automatic run of safe files in Safari is disabled, which helps prevent the execution of malicious code. |
Security |
To disable the automatic run of safe files in Safari, go to Safari > Preferences > General, and uncheck the 'Open “safe” files after downloading' option. |
Medium |
Automatic run of safe files in Safari is enabled |
|
Check Safari Disable Internet Plugins for Global Use |
This check ensures that Internet plugins are disabled for global use in Safari, which helps prevent the execution of malicious code. |
Security |
To disable Internet plugins for global use in Safari, go to Safari > Preferences > Security, and uncheck the 'Allow Plug-ins' option. |
Medium |
Internet plugins are enabled for global use in Safari |
|
Check Fast User Switching Status |
This check ensures that Fast User Switching is disabled on your system, which helps prevent unauthorized access to your computer. |
Security |
To disable Fast User Switching, go to System Preferences > Users & Groups > Login Options, and uncheck the 'Show fast user switching menu as' option. |
Medium |
Fast User Switching is enabled. |
|
Check Filename Extension Status |
This check ensures that filename extensions are turned on in your system, which helps prevent users from accidentally running malicious files. |
Security |
To turn on filename extensions, go to Finder > Preferences > Advanced, and check the 'Show all filename extensions' option. |
Low |
Filename extension is enabled. |
|
Check All Apple-Provided Software Is Updated In Last 30 Days |
Checks if all Apple-provided software is up-to-date using the Software Update tool. |
CIS Benchmark |
Run the Software Update tool to install the latest security patches and software updates from Apple. |
High |
Apple-provided Software is Updated in the last 30 days. |
|
Check Auto Update Is Enabled |
Checks if the 'Download new updates when available' option is enabled in the App Store preferences. |
CIS Benchmark |
Enable the 'Download new updates when available' option in the App Store preferences:
1. Open 'System Preferences' on your Mac.
2. Click on 'Software Update'.
3. Check the box next to 'Automatically keep my Mac up to date'.
4. Click the 'Advanced...' button.
5. Make sure the 'Download new updates when available' option is checked. |
Medium |
Download New Updates When Available Is Not Enabled |
|
Check 'Install Application Updates from the App Store' Is Enabled |
Check if 'Install app updates from the App Store' is enabled in the App Store preferences |
CIS Benchmark |
Enable 'Install app updates from the App Store' in the App Store preferences |
Medium |
'Install app updates from the App Store' is Not enabled |
|
Check Install Security Responses and System Files Is Enabled |
Check if 'Install system data files and security updates' is enabled in the App Store preferences |
Security |
Enable 'Install system data files and security updates' in the App Store preferences |
Medium |
'Install system data files and security updates' is not enabled |
|
Check 'Install system data files and security updates' Is Enabled |
Check if 'Install system data files and security updates' is enabled in the Software Update preferences |
CIS Benchmark |
Enable 'Install system data files and security updates' in the Software Update preferences |
Medium |
'Install system data files and security updates' is not enabled |
|
Check Firewall Stealth Mode Is Enabled |
Firewall Stealth Mode makes your computer less visible on public networks by ignoring incoming requests. This check verifies if Firewall Stealth Mode is enabled. |
CIS Benchmark |
To enable Firewall Stealth Mode, go to 'System Preferences', click on 'Security & Privacy', select the 'Firewall' tab, click the lock to make changes, then click 'Firewall Options' and check 'Enable stealth mode'. |
Medium |
Check if Firewall Stealth Mode is enabled |
|
Check AirDrop Is Disabled |
AirDrop is a convenient way to share files between Apple devices, but it can also pose a security risk if not used properly. This check verifies if AirDrop is disabled. |
CIS Benchmark |
To disable AirDrop, open Finder, click on 'Go' in the menu bar, select 'AirDrop', then click on 'Allow me to be discovered by:' and choose 'No One'. |
Medium |
AirDrop Is Enabled |
|
Check 'Set Time and Date Automatically' Is Enabled |
This check ensures that your computer automatically updates its date and time settings. This helps maintain accurate timekeeping and prevent potential security issues. |
CIS Benchmark |
To enable automatic date and time updates, go to System Preferences > Date & Time and check the box next to 'Set date and time automatically'. |
Medium |
Set Time and Date Automatically is Enabled |
|
Check Time Is Set Within Appropriate Limits |
This check verifies that your computer's system time is set within acceptable limits. Accurate system time is essential for the proper functioning of various applications and security features. |
CIS Benchmark |
To set the system time correctly, go to System Preferences > Date & Time, and make sure the 'Set date and time automatically' option is enabled. If necessary, manually adjust the date and time to match the current time. |
High |
The system time is within the appropriate limits |
|
Check DVD or CD Sharing Is Disabled |
This check ensures that your DVD or CD Sharing feature is disabled to prevent unauthorized access to your computer. |
CIS Benchmark |
To disable DVD or CD Sharing, go to System Preferences > Sharing and uncheck the 'DVD or CD Sharing' option. |
Medium |
DVD or CD Sharing is Enabled |
|
Check Screen Sharing Is Disabled |
This check ensures that your Screen Sharing feature is disabled to prevent unauthorized access to your computer. |
CIS Benchmark |
To disable Screen Sharing, go to System Preferences > Sharing and uncheck the 'Screen Sharing' option. |
Medium |
Screen Sharing is Enabled |
|
Check File Sharing Is Disabled |
File Sharing allows you to share files and resources with other users over a network. This check ensures that File Sharing is disabled to prevent unauthorized access to your files and resources. |
CIS Benchmark |
To disable File Sharing, go to 'System Preferences', click on 'Sharing', and uncheck the 'File Sharing' option. |
Medium |
File Sharing is Enabled |
|
Check Printer Sharing Is Disabled |
Printer Sharing allows you to share printers with other users over a network. This check ensures that Printer Sharing is disabled to prevent unauthorized access to your printers. |
CIS Benchmark |
To disable Printer Sharing, go to 'System Preferences', click on 'Sharing', and uncheck the 'Printer Sharing' option. |
Medium |
Printer Sharing is Disabled |
|
Check Remote Login Is Disabled |
Remote Login allows users to log in to your computer remotely via SSH. This check ensures that Remote Login is disabled to protect your computer from unauthorized access. |
CIS Benchmark |
To disable Remote Login, go to 'System Preferences', click on 'Sharing', and uncheck the 'Remote Login' option. |
Medium |
SSH is not enabled. |
|
Check Remote Management (ARDagent) Is Disabled |
This check ensures that the Remote Management (ARDagent) feature is disabled to prevent unauthorized access to your computer. |
CIS Benchmark |
To disable Remote Management, go to System Preferences > Sharing and uncheck the 'Remote Management' option. |
Medium |
Remote Management is Disabled |
|
Check Remote Apple Events Is Disabled |
Remote Apple Events allows other users to send AppleScript events to your computer. This check ensures that Remote Apple Events is disabled to protect your computer from unauthorized access. |
CIS Benchmark |
To disable Remote Apple Events, go to 'System Preferences', click on 'Sharing', and uncheck the 'Remote Apple Events' option. |
Medium |
Remote Apple Events is Enabled |
|
Check Internet Sharing Is Disabled |
Internet Sharing allows your computer to share its internet connection with other devices. This check ensures that Internet Sharing is disabled to protect your computer from unauthorized access. |
CIS Benchmark |
To disable Internet Sharing, go to 'System Preferences', click on 'Sharing', and uncheck the 'Internet Sharing' option. |
Medium |
Error checking Internet Sharing status |
|
Check Content Caching Is Disabled |
This check ensures that Content Caching is disabled to prevent your computer from being a server on untrusted networks, which could expose it to unauthorized access. |
CIS Benchmark |
To disable Content Caching, go to System Preferences > Sharing and uncheck the 'Content Caching' option. |
Medium |
Content Caching is Disabled |
|
Check Media Sharing Is Disabled |
Media Sharing allows your computer to share media with other devices. This check ensures that Media Sharing is disabled to protect your computer from unauthorized access. |
CIS Benchmark |
To disable Media Sharing, go to 'System Preferences', click on 'Sharing', and uncheck the 'Media Sharing' option. |
Medium |
Media Sharing is Disabled |
|
Check Bluetooth Sharing Is Disabled |
Check if Bluetooth Sharing is disabled |
CIS Benchmark |
Disable Bluetooth Sharing in System Preferences |
Medium |
Error checking Bluetooth Sharing status |
|
Check that Time Machine is Enabled |
Check if Time Machine is enabled and has completed a backup |
CIS Benchmark |
Enable Time Machine in System Preferences and run a backup |
Medium |
Time Machine is Enabled and has completed a backup |
|
Check Time Machine Volumes Are Encrypted If Time Machine Is Enabled |
Check if Time Machine volumes are encrypted when Time Machine is enabled |
CIS Benchmark |
Enable encryption for Time Machine volumes |
Medium |
Time Machine volumes are Not Encrypted |
|
Check Show Wi-Fi status in Menu Bar Is Enabled |
This check ensures that the Wi-Fi status is shown in the menu bar, allowing you to quickly check the Wi-Fi status and connect to available networks. |
CIS Benchmark |
To enable 'Show Wi-Fi status in menu bar', go to System Preferences > Network and check the option. |
Low |
Show Wi-Fi status in menu bar is Disabled |
|
Check Show Bluetooth Status in Menu Bar Is Enabled |
This check ensures that the Bluetooth menu bar icon is displayed, allowing you to quickly check the status of your Bluetooth devices and disconnect any devices that you're not using. |
CIS Benchmark |
To enable 'Show Bluetooth in menu bar', go to System Preferences > Bluetooth and check the option. |
Low |
Error checking Show Bluetooth Status in Menu Bar status |
|
Check Location Services Is Enabled |
Location Services is essential for various applications on your system to function properly. This check ensures that Location Services is enabled on your system. |
Privacy |
To enable Location Services, go to System Preferences > Security & Privacy > Privacy and check the option. |
Low |
Location Services is Disabled |
|
Check Location Services Is in the Menu Bar |
This check ensures that the Location Services icon is visible in the menu bar, providing users with awareness when Location Services is enabled. |
Privacy |
To enable Location Services in the menu bar, go to System Preferences > Security & Privacy > Privacy > Location Services and check the option. |
Low |
Location Services is not visible in the menu bar |
|
Check Personalized Ads Status |
This check ensures that Personalized Ads are disabled on your system, which helps protect your privacy by preventing advertisers from displaying targeted ads based on your interests and usage. |
Privacy |
To disable Personalized Ads, enable Limit Ad Tracking in System Preferences > Security & Privacy > Privacy > Advertising. |
Low |
Personalized Ads are disabled |
|
Check Screen Saver Corners Are Secure |
This check ensures that Screen Saver Corners are set to a secure option, preventing the screen saver from being easily deactivated and reducing potential security risks. |
CIS Benchmark |
To set Screen Saver Corners to a secure option, go to System Preferences > Desktop & Screen Saver > Screen Saver > Hot Corners and select secure options for each corner. |
Low |
Screen Saver Corners are not set to a secure option |
|
Check Universal Control is Disabled |
This check ensures that Universal Control is disabled on your system, preventing unauthorized access to your computer and potentially sensitive data. |
CIS Benchmark |
To disable Universal Control, go to System Preferences > Displays > Advanced and uncheck the 'Universal Control' option. |
Low |
Unknown Universal Control status |
|
Check Wake for Network Access is Disabled |
Checks if Wake for Network Access is disabled to prevent unauthorized access |
CIS Benchmark |
To disable Wake for Network Access, open Terminal and run the following command:
`sudo pmset -a womp 0`
This command disables Wake for Network Access for both battery and AC power. |
Low |
Wake for Network Access is enabled for at least one power mode |
|
Check an Inactivity Interval of 20 Minutes or Less for the Screen Saver Is Enabled |
This checks if the computer screen saver activates within 20 minutes of inactivity. A shorter inactivity period helps protect your computer from unauthorized access. |
CIS Benchmark |
Set the screen saver inactivity interval to 20 minutes or less. |
Low |
Error parsing defaults output |
|
Check a Password is Required to Wake the Computer from Sleep or Screen Saver |
Checks whether a password is required to wake the computer from sleep or screen saver |
CIS Benchmark |
Enable a password requirement to wake the computer from sleep or screen saver |
Low |
A password is NOT required to wake the computer from sleep or screen saver |
|
Check Security Auditing Is Enabled |
This checks if security auditing is enabled on your computer. Security auditing helps detect unauthorized access and protect sensitive data. |
CIS Benchmark |
Enable security auditing. |
Low |
Error: Unable to parse the launchctl output. |
|