OSX00005: 1. Click on the Finder icon. 2. Click on Applications. 3. Under Utilities, click on Terminal. 4. Enter the command: diskutil info / 5. Ensure the File System is Journaled HFS+.
OSX00005: Manual option during the image build process. Choose an HFS+ formatted drive.
1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Verify there are no easy-to-guess administrator account names. If any accounts have easy-to-guess names, then this is a finding.
1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Rename or recreate accounts with difficult-to-guess names.
Open a terminal session and use the following command to view the setting for maximum password age: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of maxMinutesUntilChangePassword is greater than 86400, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of maxMinutesUntilChangePassword is greater than 86400, then this is a finding.
Open a terminal session and use the following command to set the value for maximum password age: sudo pwpolicy -n -setglobalpolicy "maxMinutesUntilChangePassword=86400". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=86400".
Open a terminal session and use the following command to view the setting for minimum password age: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword. If the value of minMinutesUntilChangePassword is less than 1440, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword. If the value of minMinutesUntilChangePassword is less than 1440, then this is a finding.
Open a terminal session and use the following command to set the value for minimum password age: sudo pwpolicy -n -setglobalpolicy "minMinutesUntilChangePassword=1440". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minMinutesUntilChangePassword=1440".
Open a terminal session and use the following command to view the setting for minimum password length: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minChars. If the value of minChars is less than 15, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minChars. If the value of minChars is less than 15, then this is a finding.
Open a terminal session and use the following command to set the value for minimum password length: sudo pwpolicy -n -setglobalpolicy "minChars=15". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minChars=15".
Open a terminal session and run the following commands: 1) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresAlpha 2) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresNumeric 3) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresMixedCase 4) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresSymbol. All values should equal 1. If not, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Add the path /Local/Default to the above commands, for example: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresAlpha.
Open a terminal session and run the following command: sudo pwpolicy -n -setglobalpolicy "requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1". For non-managed systems the path /Local/Default must be added to the command, for example: pwpolicy -n /Local/Default -setglobalpolicy "requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1".
Open a terminal session and use the following command to view the setting for Password cannot be name: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName. If the value of passwordCannotBeName is not equal to 1, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName. If the value of passwordCannotBeName is not equal to 1, then this is a finding.
Open a terminal session and use the following command to set the value for Password cannot be name: sudo pwpolicy -n -setglobalpolicy "passwordCannotBeName=1". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "passwordCannotBeName=1".
Open a terminal session and use the following command to view the setting for Account lockout duration: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset. If the value of minutesUntilFailedLoginReset is greater than 0, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset. If the value of minutesUntilFailedLoginReset is greater than 0, then this is a finding.
Open a terminal session and use the following command to set the value for Account lockout duration: sudo pwpolicy -n -setglobalpolicy "minutesUntilFailedLoginReset=0". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minutesUntilFailedLoginReset=0".
Open a terminal session and use the following command to view the setting for Account lockout threshold: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts. If the value of maxFailedLoginAttempts is more than 3, then this is a finding. Note: If the command returns the response "password server is not configured", the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts. If the value of maxFailedLoginAttempts is more than 3, then this is a finding.
Open a terminal session and use the following command to set the value for Account lockout threshold: sudo pwpolicy -n -setglobalpolicy "maxFailedLoginAttempts=3". Note: For non-managed systems, use the command: pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=3".
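Every pwpolicy check above reduces to the same operation: split the global policy into key=value tokens (the tr " " "\n" | grep pipeline), pick one key, and compare it with a threshold. The script below is an added example, not part of the STIG text: it encodes the thresholds these requirements state as a rule table and evaluates a whole policy string in one pass, reporting a missing key as a finding rather than letting it pass silently. The policy strings are constructed samples; on a 10.5 host the string would come from the pwpolicy -getglobalpolicy commands shown above, and pwpolicy itself is assumed not to be available where this runs.

```shell
#!/bin/bash
# Added example (not part of the STIG text). Evaluates a pwpolicy global-policy
# string against the thresholds stated in the password-policy checks.
# On a Mac OS X 10.5 host the string would come from
#   sudo pwpolicy -n -getglobalpolicy                (managed system)
#   pwpolicy -n /Local/Default -getglobalpolicy      (non-managed system)
# Here the strings are constructed samples so the script runs anywhere.

# Rule table: key, test operator, threshold. A policy complies with a rule when
# "[ value OP threshold ]" is true; anything else (including a missing key) is a finding.
PWPOLICY_RULES="
maxMinutesUntilChangePassword -le 86400
minMinutesUntilChangePassword -ge 1440
minChars -ge 15
requiresAlpha -eq 1
requiresNumeric -eq 1
requiresMixedCase -eq 1
requiresSymbol -eq 1
passwordCannotBeName -eq 1
minutesUntilFailedLoginReset -eq 0
maxFailedLoginAttempts -le 3
"

# policy_value POLICY KEY: print KEY's value from a space-separated key=value
# string (the same split the STIG's tr ' ' '\n' | grep pipeline performs), or
# nothing if the key is absent.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2-
}

# audit_pwpolicy POLICY: print one line per rule; return the number of findings.
audit_pwpolicy() {
    policy="$1"
    findings=0
    while read -r key op want; do
        [ -n "$key" ] || continue          # skip the blank lines around the table
        have=$(policy_value "$policy" "$key")
        if [ -z "$have" ]; then
            echo "FINDING: $key is not set"
            findings=$((findings + 1))
        elif [ "$have" "$op" "$want" ] 2>/dev/null; then
            echo "ok: $key=$have"
        else
            # also reached when the value is not numeric and [ cannot compare it
            echo "FINDING: $key=$have (required: $op $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$PWPOLICY_RULES
EOF
    return "$findings"
}

# pwpolicy_finding_count POLICY: the finding count as a printable number.
pwpolicy_finding_count() {
    audit_pwpolicy "$1" >/dev/null && n=0 || n=$?
    echo "$n"
}

# Constructed sample policies (not captured from a real host).
COMPLIANT_POLICY="usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=86400 maxFailedLoginAttempts=3 minChars=15 maxChars=0 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1 minutesUntilFailedLoginReset=0 minMinutesUntilChangePassword=1440"
DEFAULT_POLICY="usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 requiresAlpha=0 requiresNumeric=0 maxMinutesUntilChangePassword=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 minutesUntilFailedLoginReset=0 minMinutesUntilChangePassword=0"
# requiresSymbol missing entirely and the lockout threshold too high: two findings.
PARTIAL_POLICY="requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=86400 maxFailedLoginAttempts=10 minChars=15 passwordCannotBeName=1 requiresMixedCase=1 minutesUntilFailedLoginReset=0 minMinutesUntilChangePassword=1440"

audit_pwpolicy "$DEFAULT_POLICY" || echo "-> $? finding(s) in the constructed default policy"
```

The rules reproduce the stated tests literally, which exposes one gap worth knowing about: a maxMinutesUntilChangePassword of 0 passes the "greater than 86400" test, yet pwpolicy treats 0 as no expiry at all, so a reviewer should treat a 0 here as suspicious even though the check as written accepts it.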
Open a terminal session and enter the following command: sudo softwareupdate --list or sudo softwareupdate --list --all. Review the result for proper versions and current patch level. GUI procedures: 1. Choose Apple menu > Software Update. 2. Select 'Scheduled Check & Installed Updates'. 3. Verify all current software updates are installed. If the current software updates are not installed, then this is a finding. Note: This check does not show 3rd party software or updates.
Ensure all software is kept up-to-date with the manufacturer's updates, especially security updates and patches. Note: Do not enable Automatic Updating as this will conflict with V-25298.
1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following files do NOT exist: AppleAirPort.kext, AppleAirPort2.kext, and AppleAirPortFW.kext. If any of the files exist, then this is a finding.
To remove support for WiFi at the kext file level, open a terminal session and use the following commands to remove the files: sudo srm -rf /System/Library/Extensions/AppleAirPort.kext sudo srm -rf /System/Library/Extensions/AppleAirPort2.kext sudo srm -rf /System/Library/Extensions/AppleAirPortFW.kext GUI procedures: 1. Open the /System/Library/Extensions folder. 2. Drag the following files to the Trash: AppleAirPort.kext, AppleAirPort2.kext, AppleAirPortFW.kext. 3. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions 4. Choose Finder > Secure Empty Trash to delete the files. 5. Restart the system.
1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following files do NOT exist: IOBluetoothFamily.kext and IOBluetoothHIDDriver.kext. If the files exist, then this is a finding.
Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/IOBluetoothFamily.kext sudo srm -rf /System/Library/Extensions/IOBluetoothHIDDriver.kext sudo touch /System/Library/Extensions
1. Open System Preferences -> Sound. 2. Select Internal microphone and ensure "Input Volume" is set to zero. 3. Select Line-In (if present) and ensure "Input Volume" is set to zero. 4. Select Display Audio and ensure "USB" is set to zero. If any of the parameters are not set to zero, then this is a finding.
Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/AppleOnboardAudio.kext sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext sudo srm -rf /System/Library/Extensions/AppleDeviceTreeUpdater.kext sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext sudo srm -rf /System/Library/Extensions/VirtualAudioDriver.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions folder. 2. To remove support for audio components such as the microphone, drag the following files to the Trash: AppleOnboardAudio.kext, AppleUSBAudio.kext, AudioDeviceTreeUpdater.kext, IOAudioFamily.kext, and VirtualAudioDriver.kext. 3. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X. 4. Choose Finder -> Secure Empty Trash to delete the files. 5. Restart the system.
1. Open the /System/Library/Extensions folder. 2. Ensure the following file does NOT exist: Apple_iSight.kext. 3. Control-click the IOUSBFamily.kext and select Show Package Contents. 4. Open the /Contents/PlugIns/ folder. 5. Ensure the following file does NOT exist: AppleUSBVideoSupport.kext.
Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/Apple_iSight.kext sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/Plugins/AppleUSBVideoSupport.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions folder. 2. To remove support for the external iSight camera, drag the following file to the Trash: Apple_iSight.kext. 3. To remove support for the built-in iSight camera, Control-click the IOUSBFamily.kext and select Show Package Contents. 4. Open the /Contents/PlugIns/ folder. 5. Drag the following file to the Trash: AppleUSBVideoSupport.kext. 6. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X. 7. Choose Finder -> Secure Empty Trash to delete the files. 8. Restart the system.
1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following file does NOT exist: AppleIRController.kext. If the file exists, then this is a finding.
Open a terminal session and enter the following commands to remove the file: sudo srm -rf /System/Library/Extensions/AppleIRController.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions folder. 2. Drag the following file to the Trash: AppleIRController.kext. 3. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library) are deleted and rebuilt automatically by Mac OS X. 4. Choose Finder -> Secure Empty Trash to delete the file. 5. Restart the system.
1. Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). 2. Verify "Require password to change Open Firmware settings" is selected.
1. Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). 2. Click Change. 3. Select “Require password to change Open Firmware settings.” 4. In the Password and Verify fields, enter a new Open Firmware or EFI password, and click OK. This password can be up to eight characters. Do not use the capital letter “U” in an Open Firmware password. If you do, your password will not be recognized during the startup process. 5. Close the Firmware Password Utility.
Open a terminal session. The warning banner should be displayed in the terminal. If the following DoD warning banner is not displayed, then this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Note: Any OS versions that do not support the full text version must state the following: “I've read & consent to terms in IS user agreem't.” Note: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.
1. Open a terminal session. 2. Verify the /etc/motd file exists. If not, use the touch command to create the file. 3. Edit the file and enter the appropriate DoD warning banner information. 4. Save the file. 5. Open a new terminal session and verify the banner is displayed.
1. Open a terminal session and use the following command to view the values: more /etc/sudoers 2. Ensure the following items exist: Defaults tty_tickets and Defaults timestamp_timeout=0. If the values are not present, then this is a finding. Note: Admin privilege may be needed to perform some commands.
Open a terminal session and enter the following commands to append the values to the /etc/sudoers file (the append must run with root privilege, so the text is piped through sudo tee -a rather than redirected with >>, which would run as the unprivileged user): echo "Defaults tty_tickets" | sudo tee -a /etc/sudoers echo "Defaults timestamp_timeout=0" | sudo tee -a /etc/sudoers Note: Admin privilege may be needed to perform some commands.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the Lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the Pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Connection tab and verify "Encrypt using SSL" is selected. If "Encrypt using SSL" is not selected, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the Lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the Pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Connection tab and select "Encrypt using SSL".
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the Lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the Pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and verify "Use authentication when connecting" is checked. If the option is not checked, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the Lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the Pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and select "Use authentication when connecting".
1. Open Directory Utility. 2. Click the Services tab. 3. Double-click on Active Directory. 4. Click on Show Advanced Options. 5. Click on the Administrative tab and ensure "Allow administration by" is not selected. If "Allow administration by" is selected, then this is a finding.
1. Open Directory Utility. 2. Click the Services tab. 3. Double-click on Active Directory. 4. Click on Show Advanced Options. 5. Click on the Administrative tab and deselect the "Allow administration by" option.
To use the command line utility to check permissions: open a Terminal session and type ls -ld ~ (or ls -ld /Users/* to list every home directory), and ensure each home directory has its permissions set to 700 (drwx------). Note that ls -ls run inside the home directory lists its contents, not the directory itself. If permissions are not set to 700, then this is a finding.
To use the command line utility, open a terminal session and run sudo chmod 700 on each user's home directory.
1. Open a terminal session and edit the /etc/hostconfig file, by using the command (sudo pico /etc/hostconfig). 2. Verify the following line exists: AUDIT=-YES- If the value is not YES, then this is a finding. Cancel out of the file without saving.
1. Open a terminal session and edit the /etc/hostconfig file, by using the command (sudo pico /etc/hostconfig). 2. Add the following line to the file: AUDIT=-YES- 3. Save the file. 4. Restart the machine.
1. Install the Common Criteria Tools for OS X 10.5. 2. Open the /etc/security/audit_control file. 3. Find the line that begins with "flags". 4. Ensure that line includes the following: flags: lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. If the file does not contain appropriate flags, then this is a finding.
1. Install the Common Criteria Tools for OS X 10.5. 2. Open a terminal session and edit the /etc/security/audit_control file. 3. Find the line that begins with "flags". 4. Replace that line with the following: flags:lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. 5. Save the file
1. Open a terminal session and enter the command: more /etc/newsyslog.conf 2. If the count values are not set to 14, then this is a finding.
Open a terminal session and enter the command: sudo pico /etc/newsyslog.conf and set all count values to 14.
1. Open a terminal session and enter the command: more /etc/syslog.conf 2. Ensure the name or IP address of the site's log server is listed (shown as your.log.server in the fix text). If the name or IP address of the log server is not listed, then this is a finding.
1. Open a terminal session and enter the command: sudo pico /etc/syslog.conf 2. Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and keeping all other lines intact: *.* @your.log.server 3. Exit, saving changes. 4. Reboot the system.
Verify an approved anti-virus tool is installed on the system.
Install an approved anti-virus tool on the system.
1. Open a terminal session and enter the command: more /etc/sshd_config 2. Ensure PermitRootLogin is set to no. If PermitRootLogin is not set to no, then this is a finding.
1. Open a terminal session and enter the command: sudo pico /etc/sshd_config 2. Set PermitRootLogin to no (sshd expects the lowercase keyword value). 3. Save the file.
1. Open a terminal session and enter the following command: more /etc/sshd_config 2. Ensure LoginGraceTime is set to 30 or less. If LoginGraceTime is not set to 30 or less, then this is a finding.
1. Open a terminal session and enter the following command: sudo pico /etc/sshd_config 2. Set LoginGraceTime to 30. 3. Save the file.
1. Open a terminal session and enter the command: more /etc/sshd_config 2. Ensure Protocol is set to 2. If Protocol is not set to 2, then this is a finding.
1. Open a terminal session and enter the following command: sudo pico /etc/sshd_config 2. Set Protocol to 2. 3. Save the file.
1. Open a terminal session and enter the command: more /etc/sshd_config 2. Ensure PermitEmptyPasswords is set to no. If the value is not set to no, then this is a finding.
1. Open a terminal session and enter the following command: sudo pico /etc/sshd_config 2. Set PermitEmptyPasswords to no (sshd expects the lowercase keyword value). 3. Save the file.
1. Open a terminal session and enter the following command: launchctl umask 2. Ensure the umask is 027 (displayed as 27). If it is not, then this is a finding.
1. Open a terminal session and enter the following command (the append must run as root, so the line is piped through sudo tee -a; sudo echo ... >> would perform the redirection as the unprivileged user and fail): echo "umask 027" | sudo tee -a /etc/launchd.conf
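The four sshd_config checks above read the same file for four directives, and a manual more /etc/sshd_config is easy to misread: sshd honours the first occurrence of a keyword, ignores commented lines, and accepts both "Keyword value" and "Keyword=value" spellings, while LoginGraceTime may be written with a time suffix such as 2m. The script below is an added example, not part of the STIG text: it extracts each directive the way sshd reads it and applies the four requirements stated above (PermitRootLogin no, LoginGraceTime at most 30 seconds, Protocol 2, PermitEmptyPasswords no), treating a directive that is merely commented out as a finding because the check requires it to be set explicitly. The two configs are constructed samples written to temporary files; on a 10.5 host the argument would be /etc/sshd_config.

```shell
#!/bin/bash
# Added example (not part of the STIG text). Audits an sshd_config against the
# four SSH requirements: PermitRootLogin no, LoginGraceTime <= 30 seconds,
# Protocol 2, PermitEmptyPasswords no. On Mac OS X 10.5 the file is
# /etc/sshd_config; the two configs below are constructed samples written to
# temporary files so the script runs on any host.

# sshd_option FILE KEYWORD: print the effective value of KEYWORD, or nothing.
# Mirrors sshd's own reading of the file: comment lines are ignored, keywords
# match case-insensitively, "Keyword=value" is accepted, and the FIRST
# occurrence wins (later duplicates are ignored). Match blocks are not modelled.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                       # comment line
        { sub(/=/, " ") }                         # Keyword=value -> Keyword value (re-splits fields)
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# to_seconds TIME: convert sshd time syntax (30, 30s, 2m, 1h, 1d, 1w) to seconds;
# prints nothing when the value is malformed or empty.
to_seconds() {
    n=${1%[smhdw]}
    case "$n" in
        ''|*[!0-9]*) return 0 ;;
    esac
    case "$1" in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *d) echo $((n * 86400)) ;;
        *w) echo $((n * 604800)) ;;
        *)  echo "$n" ;;
    esac
}

# audit_sshd_config FILE: print one line per requirement; return the number of
# findings. An unset directive is a finding: the requirement is that the value be
# explicitly set, and the file alone does not prove sshd's compiled-in default.
audit_sshd_config() {
    cfg="$1"
    findings=0
    for key in PermitRootLogin PermitEmptyPasswords; do
        v=$(sshd_option "$cfg" "$key")
        if [ "$v" = "no" ]; then              # sshd compares yes/no arguments case-sensitively
            echo "ok: $key $v"
        else
            echo "FINDING: $key is '${v:-unset}' (required: no)"
            findings=$((findings + 1))
        fi
    done
    v=$(sshd_option "$cfg" Protocol)
    if [ "$v" = "2" ]; then
        echo "ok: Protocol $v"
    else
        echo "FINDING: Protocol is '${v:-unset}' (required: 2)"
        findings=$((findings + 1))
    fi
    v=$(sshd_option "$cfg" LoginGraceTime)
    secs=$(to_seconds "$v")
    if [ -n "$secs" ] && [ "$secs" -le 30 ]; then
        echo "ok: LoginGraceTime $v ($secs seconds)"
    else
        echo "FINDING: LoginGraceTime is '${v:-unset}' (required: 30 seconds or less)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# sshd_finding_count FILE: the finding count as a printable number.
sshd_finding_count() {
    audit_sshd_config "$1" >/dev/null && n=0 || n=$?
    echo "$n"
}

# Constructed samples. WEAK_CFG leaves two directives commented out, allows
# protocol 1 and uses the "2m" time syntax; HARDENED_CFG meets all four checks
# and shows that a later duplicate PermitRootLogin line is ignored.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sample, not a real host's file
#PermitRootLogin yes
Protocol 2,1
LoginGraceTime 2m
#PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server
EOF
HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
LoginGraceTime 30
PermitEmptyPasswords=no
PermitRootLogin yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

audit_sshd_config "$WEAK_CFG" || echo "-> $? finding(s) in the constructed weak config"
```

Run it as audit_sshd_config /etc/sshd_config on the host being reviewed; the first-match rule matters in practice because a hardening line appended to the bottom of the file is silently overridden by an earlier, weaker one.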
1. Open System Preferences > MobileMe. 2. On the Sync pane, ensure "Synchronization with MobileMe" is not checked and all other options are disabled. If not, then this is a finding. Command Procedures: 1. Open a terminal session. 2. View the /System/Library/PreferencePanes folder. 3. Ensure the following files do NOT exist: Mac.prefPane and Internet.prefPane. If either file exists, then this is a finding.
1. Open System Preferences -> MobileMe. 2. On the Sync pane, uncheck "Synchronization with MobileMe" and disable all other options. Command Procedures: Open a terminal session and enter the following commands to remove the files: sudo rm -R /System/Library/PreferencePanes/Mac.prefPane sudo rm -R /System/Library/PreferencePanes/Internet.prefPane sudo touch /System/Library/Extensions
Open a terminal session and enter the following command: defaults read com.apple.SoftwareUpdate CatalogURL The value returned is the current Software Update Server. Verify it is an approved SUS. If no value is returned, the system is using the default Apple Update Server and this is a finding.
Open a terminal session and enter the following command: defaults write com.apple.SoftwareUpdate CatalogURL 'new_SUS_URL' (where 'new_SUS_URL' is the URL or the address of the appropriate government SUS to be used).
1. Open a terminal session and enter the following command: more /etc/authorization 2. Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, then this is a finding.
1. Open a terminal session and edit the following file: /etc/authorization 2. Change "authenticate-session-owner-or-admin" to "authenticate-session-owner" in the "system.login.screensaver" key. 3. Save the file.
1. Open a terminal session and enter the following command: ls -ls "/Applications/System Preferences.app/Contents/Resources/installAssistant" 2. Ensure the file permissions are set to -rwxrwxr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 775 "/Applications/System Preferences.app/Contents/Resources/installAssistant" (the path contains a space and must be quoted).
1. Open a terminal session and enter the following command: ls -ls "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool" 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 755 "/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool" (the path contains a space and must be quoted).
1. Open a terminal session and enter the following command: ls -ls /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
1. Open a terminal session and enter the following command: ls -ls /System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 755 /System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
1. Open a terminal session and enter the following command: ls -ls /System/Library/Filesystems/AppleShare/afpLoad 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 755 /System/Library/Filesystems/AppleShare/afpLoad
1. Open a terminal session and enter the following command: ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2. Ensure the file permissions are set to -rwx--x--x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 711 /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
1. Open a terminal session and enter the following command: ls -ls /usr/libexec/dumpemacs 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/libexec/dumpemacs
1. Open a terminal session and enter the following command: ls -ls /usr/libexec/xgrid/IdleTool 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/libexec/xgrid/IdleTool
1. Open a terminal session and enter the following command: ls -ls /usr/sbin/vpnd 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/sbin/vpnd
1. Open a terminal session and enter the following command: ls -ls /sbin/route 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /sbin/route
1. Open a terminal session and enter the following command: ls -ls /usr/bin/ipcs 2. Ensure the file permissions are set to -r-x--x--x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 511 /usr/bin/ipcs
1. Open a terminal session and enter the following command: ls -ls /bin/rcp 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /bin/rcp
1. Open a terminal session and enter the following command: ls -ls /usr/bin/rlogin 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/bin/rlogin
1. Open a terminal session and enter the following command: ls -ls /usr/bin/rsh 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/bin/rsh
1. Open a terminal session and enter the following command: ls -ls /usr/lib/sa/sadc 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.
1. Open a terminal session and enter the following command: chmod 555 /usr/lib/sa/sadc
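The fifteen file-permission checks above share one test, "the same or more restrictive", and reading rwx strings off ls -ls output by eye is where mistakes happen, particularly with a setuid bit that ls shows as an s in place of an x. The script below is an added example, not part of the STIG text: it collects the required modes stated above into a table and treats a file as compliant only when its actual mode sets no bit the required mode lacks, which makes a setuid or setgid bit a finding automatically. Because those paths exist only on a real 10.5 system, the files are checked under a root prefix and a constructed sample tree stands in for the host; the mode is read with GNU stat -c and falls back to the BSD stat -f that Mac OS X ships, an assumption about the tools rather than anything the STIG specifies.

```shell
#!/bin/bash
# Added example (not part of the STIG text). Checks the file-mode requirements
# listed in the permission checks. "The same or more restrictive" is read as:
# the actual mode may not set any bit the required mode lacks, which also
# catches setuid/setgid bits. Files are looked up under a ROOT prefix so the
# constructed sample tree below can stand in for a real system; on a 10.5 host
# ROOT would be "" and file_mode would fall through to BSD stat.

# Required modes as stated in the checks ("mode|path"; paths may contain spaces).
MODE_RULES='775|/Applications/System Preferences.app/Contents/Resources/installAssistant
755|/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool
755|/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
755|/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
755|/System/Library/Filesystems/AppleShare/afpLoad
711|/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
555|/usr/libexec/dumpemacs
555|/usr/libexec/xgrid/IdleTool
555|/usr/sbin/vpnd
555|/sbin/route
511|/usr/bin/ipcs
555|/bin/rcp
555|/usr/bin/rlogin
555|/usr/bin/rsh
555|/usr/lib/sa/sadc'

# file_mode FILE: octal mode such as 755 or 4755 (GNU stat, else BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mode_within ACTUAL REQUIRED: succeed when ACTUAL sets no bit that REQUIRED lacks.
# The leading 0 makes the shell read both operands as octal.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# audit_modes ROOT: one line per rule; returns the number of findings. A file
# that is not present is skipped (the component is not installed), not counted.
audit_modes() {
    root="$1"
    findings=0
    while IFS='|' read -r want path; do
        [ -n "$want" ] || continue
        f="$root$path"
        if [ ! -e "$f" ]; then
            echo "skip: $path not present"
            continue
        fi
        have=$(file_mode "$f")
        if mode_within "$have" "$want"; then
            echo "ok: $path is $have (required $want or tighter)"
        else
            echo "FINDING: $path is $have (required $want or tighter)"
            findings=$((findings + 1))
        fi
    done <<EOF
$MODE_RULES
EOF
    return "$findings"
}

# mode_finding_count ROOT: the finding count as a printable number.
mode_finding_count() {
    audit_modes "$1" >/dev/null && n=0 || n=$?
    echo "$n"
}

# build_sample_tree: create a constructed tree holding a few of the files above
# at deliberately mixed modes and print its root. ARDAgent carries a setuid bit
# and rsh is world-writable (two findings); dumpemacs is tighter than required (ok).
build_sample_tree() {
    root=$(mktemp -d)
    for spec in \
        '775|/Applications/System Preferences.app/Contents/Resources/installAssistant' \
        '4755|/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent' \
        '777|/usr/bin/rsh' \
        '511|/usr/bin/ipcs' \
        '444|/usr/libexec/dumpemacs'; do
        mode=${spec%%|*}
        path=${spec#*|}
        mkdir -p "$(dirname "$root$path")"
        : >"$root$path"
        chmod "$mode" "$root$path"
    done
    echo "$root"
}

SAMPLE_ROOT=$(build_sample_tree)
audit_modes "$SAMPLE_ROOT" || echo "-> $? finding(s) in the constructed sample tree"
rm -rf "$SAMPLE_ROOT"
```

On a live host, audit_modes "" walks the real paths; the bitwise test is deliberately stricter than a string compare against the rwx pattern, since -rwsr-xr-x on ARDAgent contains an extra bit even though it matches -rwxr-xr-x in every other position.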
1. Open System Preferences->Date&Time Panel. 2. Ensure the correct date and time is set. If the date and time are not correct, then this is a finding.
1. Open System Preferences->Date&Time Panel. 2. Set the correct date and time.
1. Open System Preferences->Date&Time Panel. 2. Ensure "Set date & time automatically" is selected. 3. In the box for the time server, ensure either the URL or the address of a valid federal government NTP server or the URL or address of a local domain controller is entered.
1. Open System Preferences->Date&Time Panel. 2. Select "Set date & time automatically". 3. In the box for the time server, type either the URL or IP address of a valid federal government NTP server or local domain controller.
1. Open System Preferences->Software Updates. 2. Click the Scheduled Check pane. 3. Ensure the “Check for updates" and “Download important updates automatically” options are unchecked. If the options are checked, then this is a finding. Command Procedures: 1. Open a terminal session and enter the following command: softwareupdate --schedule 2. Verify 'Automatic check' is off. If the option is not off, then this is a finding.
1. Open System Preferences->Software Updates. 2. Click the Scheduled Check pane. 3. Deselect "Check for updates" and "Download important updates automatically". Command Procedures: Open a terminal session and enter the following command to disable the auto update feature: softwareupdate --schedule off
1. Open System Preferences->Accounts Panel. 2. Click on Guest Account 3. Ensure "Allow guests to login to this computer" option is unchecked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Click on Guest Account 3. Deselect "Allow guests to login to this computer".
1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow Guests to connect to shared folders" option is unchecked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow Guests to connect to shared folders".
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure "Display login window as:" is set to "Name & password". If the option is not set to "Name & Password", then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Set "Display login window as:" to 'Name & password'.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure the "Show the Restart, Sleep, and Shutdown buttons" option is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect the "Show the Restart, Sleep, and Shutdown buttons" to disable this option.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure the "Show input menu in login window" is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Show input menu in login window" to disable this option.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure the "Show password hints" is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Show password hints" to disable this option.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure the "Enable Fast User Switching" is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Enable Fast User Switching" to disable this option.
1. Open System Preferences->Accounts Panel, for each account. 2. Click 'Reset Password' (Change Password for the current user). 3. Ensure no data exists in the password hint field. 4. Click Cancel. If any account has hint data, then this is a finding. Note: The password hint field may include contact information for the organization's technical support.
1. Open System Preferences->Accounts Panel, for each account. 2. Click 'Reset Password' (Change Password for the current user). 3. Remove any data that exists in the password hint field. Note: The password hint field may include contact information for the organization's technical support.
1. Open System Preferences->CDs & DVDs. 2. Ensure "When you insert a blank CD:" is set to 'Ignore'. If the option is not set to 'Ignore', then this is a finding.
1. Open System Preferences->CDs & DVDs. 2. Set "When you insert a blank CD:" to 'Ignore'.
1. Open System Preferences->CDs & DVDs. 2. Ensure "When you insert a music CD:" is set to 'Ignore'. If the option is not set to 'Ignore', then this is a finding.
1. Open System Preferences->CDs & DVDs. 2. Set "When you insert a music CD:" to 'Ignore'.
1. Open System Preferences->CDs & DVDs. 2. Ensure "When you insert a picture CD:" is set to 'Ignore'. If the option is not set to 'Ignore', then this is a finding.
1. Open System Preferences->CDs & DVDs. 2. Set "When you insert a picture CD:" to 'Ignore'.
1. Open System Preferences->CDs & DVDs. 2. Ensure "When you insert a video DVD:" is set to 'Ignore'. If the option is not set to 'Ignore', then this is a finding.
1. Open System Preferences->CDs & DVDs. 2. Set "When you insert a video DVD:" to 'Ignore'.
1. Open System Preferences->Desktop & Screen Saver. 2. Select the Screen Saver tab. 3. Ensure the "Start screen saver" slider is set to 15 minutes or less. If it is not, then this is a finding.
1. Open System Preferences->Desktop & Screen Saver. 2. Select the Screen Saver tab. 3. Set the "Start screen saver" slider to 15 minutes or less.
1. Open System Preferences->Energy Saver->Options pane. 2. Ensure "Restart automatically after a power failure" is not checked. If the option is checked, then this is a finding. Note: On some MacBook systems the "Restart automatically after a power failure" option is located on the "Power Adapter" pane.
1. Open System Preferences->Energy Saver->Options pane. 2. Deselect "Restart automatically after a power failure" to disable this option. Note: On some MacBook systems the "Restart automatically after a power failure" option is located on the "Power Adapter" pane.
1. Open System Preferences->Exposé & Spaces, Exposé pane. 2. Ensure no corners are set to "Disable Screen saver" in the 'Active Screen Corners' section for each user account. If any account is set to disable screen savers via corners, then this is a finding.
1. Open System Preferences->Exposé & Spaces, Exposé pane. 2. Remove any corners which are set to "Disable Screen saver" in the 'Active Screen Corners' section for each user account.
1. Open System Preferences->Keyboard & Mouse. 2. Click the Bluetooth tab. 3. Ensure "Allow Bluetooth devices to wake this computer" is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->Keyboard & Mouse. 2. Click the Bluetooth tab. 3. Deselect "Allow Bluetooth devices to wake this computer".
1. Open System Preferences->Network. 2. From the list of hardware devices, select AirPort. 3. Ensure the 'Status' is 'Inactive'. If the service is neither inactive nor removed, then this is a finding.
1. Open System Preferences->Network. 2. From the list of hardware devices, select AirPort. 3. Set this service to 'Inactive' by clicking the gear icon and selecting "Make Service Inactive". If site requirements call for it, remove the service by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)
1. Open System Preferences->Network. 2. From the list of hardware devices, select Bluetooth. 3. Ensure the 'Status' is 'Inactive'. If the service is neither inactive nor removed, then this is a finding.
1. Open System Preferences->Network. 2. From the list of hardware devices, select Bluetooth. 3. Set this service to 'Inactive' by clicking the gear icon and selecting "Make Service Inactive". If site requirements call for it, remove the service by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)
1. Open System Preferences->Network. 2. From the list of hardware devices, select FireWire. 3. Ensure the 'Status' is 'Inactive'. If the service is neither inactive nor removed, then this is a finding.
1. Open System Preferences->Network. 2. From the list of hardware devices, select FireWire. 3. Set this service to 'Inactive' by clicking the gear icon and selecting "Make Service Inactive". If site requirements call for it, remove the service by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)
1. Open System Preferences->Network. 2. Click Advanced. 3. Click the TCP/IP tab. 4. Ensure "Configure IPv6" is set to 'Off'. If the option is not set to 'Off', then this is a finding. Note: This must be checked on every network interface.
1. Open System Preferences->Network. 2. Click Advanced. 3. Click the TCP/IP tab and set "Configure IPv6" to 'Off' if IPv6 is not actively being used. Note: This must be done on each network interface.
1. Open System Preferences->QuickTime, Browser Pane. 2. Ensure "Play Movies Automatically" is not checked. If the option is checked, then this is a finding.
1. Open System Preferences->QuickTime, Browser Pane. 2. Deselect "Play Movies Automatically".
1. Open System Preferences->QuickTime, Browser Pane. 2. Ensure "Save Movies in disk cache" is not checked. If option is checked, then this is a finding.
1. Open System Preferences->QuickTime, Browser Pane. 2. Deselect "Save Movies in disk cache".
1. Open System Preferences->QuickTime. 2. Click Advanced tab. 3. Ensure "Enable Kiosk Mode" is selected. If setting is not checked, then this is a finding.
1. Open System Preferences->QuickTime, Advanced Pane. 2. Select "Enable Kiosk Mode".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Require password to wake this computer from sleep or screen saver" is checked. If the option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Select "Require password to wake this computer from sleep or screen saver".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Disable automatic login" option is checked. If option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable automatic login".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Require password to unlock each System Preferences Pane" is checked. If option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Select "Require password to unlock each System Preferences Pane".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Log out after x minutes of inactivity" is not checked. If it is checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Deselect "Log out after x minutes of inactivity".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Use Secure Virtual Memory" is checked. If option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Select "Use Secure Virtual Memory".
1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Disable remote control infrared receiver" is checked. If the option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable remote control infrared receiver".
If the IR receiver is disabled (see V25333/OSX00445), then mark this check N/A. If IR is enabled, ensure the remote control is paired to this computer by performing the following: 1. Open System Preferences->Security. 2. Select General tab. 3. Ensure an IR remote control is paired to this system. If no remote is paired, then this is a finding.
1. Open System Preferences->Security. 2. Select General tab. 3. Click "Pair" to pair the IR remote control to this system.
1. Open System Preferences->Security. 2. Select Firewall tab. 3. Ensure "Set access for specific services and applications" is selected and only essential services and applications are listed in the 'Allow incoming connections' section. If not, then this is a finding.
1. Open System Preferences->Security. 2. Select Firewall tab. 3. Select Set access for specific services and applications 4. Add only essential services and applications for incoming connections and remove unneeded services and applications.
1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Ensure "Enable Firewall logging" is checked. If option is not checked, then this is a finding. Note: If the Mac OS X firewall has not been configured this setting will be unavailable.
1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Select "Enable Firewall logging".
This check applies to mobile platforms only. 1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Ensure "Enable Stealth mode" is checked. If the option is not checked, then this is a finding.
1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Select "Enable Stealth mode".
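Several of the GUI checks above (the software update schedule, the guest account, the login window options, Fast User Switching, automatic login and the firewall settings) can be read back from the command line, which makes them repeatable across a fleet. The script below is an added example and is not part of this STIG or of Apple's own tooling. The preference domains and keys it reads (com.apple.loginwindow, .GlobalPreferences and com.apple.alf) and the meaning of their values are taken from Apple's Mac OS X configuration documentation and should be treated as assumptions to confirm on the target build; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG: command-line equivalents of several
# GUI checks on this page (software update schedule, guest account, login
# window options, fast user switching, automatic login, firewall). The
# preference domains and keys come from Apple's loginwindow / alf settings;
# treat the keys and the meaning of their values as assumptions to confirm
# against the target build before trusting the results. Run with sudo on
# the Mac being checked; the evaluation functions themselves need no macOS.

# norm_bool VALUE -> 1 or 0 for the boolean spellings `defaults read` may print;
# any other value is returned unchanged.
norm_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|true)  echo 1 ;;
        0|no|false)  echo 0 ;;
        *)           echo "$1" ;;
    esac
}

# eval_setting KEY VALUE -> "ok" or "finding". VALUE is the string that
# `defaults read` returned, or "absent" when the key is not set at all.
# Absent keys are reported as findings so that the expected value is set
# explicitly rather than relying on a release's default.
eval_setting() {
    key=$1; val=$(norm_bool "$2")
    case "$key" in
        GuestEnabled)           [ "$val" = 0 ] ;;       # guests may not log in
        SHOWFULLNAME)           [ "$val" = 1 ] ;;       # login window: Name & password
        PowerOffDisabled)       [ "$val" = 1 ] ;;       # no Restart/Sleep/Shut Down buttons
        showInputMenu)          [ "$val" = 0 ] ;;       # no input menu at login
        RetriesUntilHint)       [ "$val" = 0 ] ;;       # password hints never shown
        MultipleSessionEnabled) [ "$val" = 0 ] ;;       # Fast User Switching off
        autoLoginUser)          [ "$val" = absent ] ;;  # no automatic login account
        globalstate)            [ "$val" = 1 ] || [ "$val" = 2 ] ;;  # firewall on: specific services (1) or essential only (2)
        loggingenabled)         [ "$val" = 1 ] ;;       # firewall logging on
        stealthenabled)         [ "$val" = 1 ] ;;       # stealth mode on
        *)                      false ;;                # unknown key: never passes silently
    esac && echo ok || echo finding
}

# softwareupdate_check_off OUTPUT -> "ok" when `softwareupdate --schedule`
# reported that the automatic check is off, "finding" otherwise.
softwareupdate_check_off() {
    case "$1" in
        *"Automatic check is off"*) echo ok ;;
        *)                          echo finding ;;
    esac
}

# read_default DOMAIN KEY -> the stored value, or "absent" if the key is unset.
read_default() {
    defaults read "$1" "$2" 2>/dev/null || echo absent
}

# audit_mac: evaluate every check against the live system, one line per
# check; returns 1 when any finding was recorded so it can gate a build.
audit_mac() {
    lw=/Library/Preferences/com.apple.loginwindow
    gp=/Library/Preferences/.GlobalPreferences
    alf=/Library/Preferences/com.apple.alf
    rc=0
    for pair in "$lw GuestEnabled" "$lw SHOWFULLNAME" "$lw PowerOffDisabled" \
                "$lw showInputMenu" "$lw RetriesUntilHint" "$lw autoLoginUser" \
                "$gp MultipleSessionEnabled" \
                "$alf globalstate" "$alf loggingenabled" "$alf stealthenabled"; do
        set -- $pair
        result=$(eval_setting "$2" "$(read_default "$1" "$2")")
        printf '%-24s %s\n' "$2" "$result"
        [ "$result" = ok ] || rc=1
    done
    result=$(softwareupdate_check_off "$(softwareupdate --schedule 2>/dev/null)")
    printf '%-24s %s\n' "softwareupdate" "$result"
    [ "$result" = ok ] || rc=1
    return $rc
}

# Only touch the live system when actually running on Mac OS X.
case "$(uname -s)" in
    Darwin) audit_mac ;;    # exit status 1 when any finding was recorded
esac
```

Run it as `sudo sh audit.sh` on the Mac under review; each line names the key and whether it passes. The per-user settings on this page (screen saver timeout, hot corners, iTunes, Finder preferences) are stored in each user's own defaults and are deliberately not covered here.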
1. Open System Preferences->Sharing. 2. Ensure "DVD or CD Sharing" service does not have the 'On' box checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the 'On' box for "DVD or CD Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure "Screen Sharing" service does not have the 'On' box checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the 'On' box for "Screen Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "File Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "File Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Printer Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Printer Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Web Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Web Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Remote Login" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Login" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Remote Management" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Management" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Remote Apple Events" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Apple Events" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Xgrid Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Xgrid Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Internet Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Internet Sharing" service.
1. Open System Preferences->Sharing. 2. Ensure the "On" box for "Bluetooth Sharing" service is not checked. If the box is checked, then this is a finding.
1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Bluetooth Sharing" service.
1. Choose Mail > Preferences, and then click Accounts. 2. Select an account, and then click Advanced. 3. Ensure "Use SSL" is selected. 4. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). 5. Click Account Information. 6. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. 7. From the server list, select your outgoing mail server, and then click Advanced. 8. Ensure "Secure Sockets Layer (SSL)" is selected. 9. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, or Kerberos Version 5 (GSSAPI)). If SSL is not selected, or no authentication method is selected, for either the incoming or the outgoing server, then this is a finding. Note: If the Mac Mail application is not in use, this check does not apply. The authentication method only keeps the password out of the clear; SSL is what protects the rest of the session, so both settings are required.
1. Choose Mail > Preferences, and then click Accounts. 2. Select an account, and then click Advanced. 3. Select "Use SSL". 4. From the Authentication pop-up menu, select an authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). 5. Click Account Information. 6. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. 7. From the server list, select your outgoing mail server, and then click Advanced. 8. Select "Secure Sockets Layer (SSL)". 9. From the Authentication pop-up menu, select an authentication method (e.g., MD5 Challenge-Response, NTLM, or Kerberos Version 5 (GSSAPI)). 10. Close the preferences window, and then click Save in the message that appears.
1. Open Finder. 2. Select Applications. 3. Double-click the iTunes application. 4. On the menu bar, click iTunes and select Preferences from the drop-down menu. 5. Click the Parental icon. 6. Ensure "Disable iTunes Store" is checked. If it is not checked, then this is a finding. Note: This must be checked for each user.
1. Open Finder. 2. Select Applications. 3. Double-click the iTunes application. 4. On the menu bar, click iTunes and select Preferences from the drop-down menu. 5. Click the Parental icon. 6. Select the "Disable iTunes Store" option. Note: This must be performed for each user.
1. Open Finder-> Preferences -> Advanced. 2. Ensure "Empty Trash Securely" is checked. If the option is not checked, then this is a finding. This must be done for each user on the system.
1. Open Finder-> Preferences -> Advanced. 2. Select "Empty Trash Securely". This must be done for each user on the system.
1. Open Finder->Preferences->Sidebar. 2. Ensure the iDisk icon is not selected. If the option is selected, then this is a finding. This must be done for each user on the system.
1. Open Finder->Preferences->Sidebar. 2. Deselect the iDisk icon. This must be done for each user on the system.
Verify with the SA that the site has a password policy. If the site does not have a password policy, then this is a finding.
The site must create a password policy that meets the requirements of the DoD information system.
1. Open Finder. 2. Click Applications. 3. Open Utilities. 4. Double-click Directory Utility. 5. Click the lock and enter the password to unlock the options. 6. Open the Edit menu (Directory Utility menu bar) and verify the "Disable Root User" option appears. If the "Enable Root User" option is visible instead, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Open Utilities. 4. Double-click Directory Utility. 5. Click the lock and enter the password to unlock the options. 6. Open the Edit menu (Directory Utility menu bar). 7. Click "Disable Root User".
Interview the SA to determine if the equipment is located in a controlled access area. If it is not, then this is a finding.
Relocate equipment to a controlled access area.
Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account (which provides no individual identification and accountability) is mitigated. Note: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if that machine is stand-alone and has no access to the network.
Remove any shared accounts that do not meet the exception requirements listed.
1. Open a terminal session and enter one of the following commands: sudo softwareupdate --list or sudo softwareupdate --list --all. 2. Review the results and verify the current approved software patches are applied.
Install the current OS updates and patches.
Interview the SA to determine if system recovery backup procedures are in place that comply with DoD requirements. Any of the following would be a finding: • The site does not maintain emergency system recovery data. • The emergency system recovery data is not protected from destruction and stored in a locked storage container. • The emergency system recovery data has not been updated following the last system modification.
Implement data backup procedures that comply with DoD requirements.
Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. If no such account exists, or its password is not securely stored, then this is a finding.
Create and maintain an emergency administrator account for emergency situations, and store its password in a secure location.
Interview the SA or IAM to determine if the site has a policy that requires the default and backup admin passwords to be changed at least annually or when any member of the administrative team leaves the organization.
Define a policy for required password changes for the default and backup admin account.
The site should have a local policy to ensure that passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.
Create application/service account passwords that are at least 15 characters in length and meet complexity requirements. Change application/service account passwords that are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.
1. Open System Preferences. 2. Click the Security icon. 3. Click the General tab. 4. Ensure the "Activate screen saver when login token is removed" option is selected. If the option is not selected, then this is a finding. Note: If a smart card application is not in use, this check does not apply.
1. Open System Preferences. 2. Click the Security icon. 3. Click the General tab. 4. Select "Activate screen saver when login token is removed".
The following files are used in the auditing process, and access to them should be restricted to an auditor's group. The permissions on each file must be at least as restrictive as listed below, meaning no permission bit may be set that the listed mode does not set (for example, 400 satisfies a 444 requirement, but 644 does not). If any file's permissions are less restrictive than listed, then this is a finding. Open a terminal session and verify the following permissions:
/usr/sbin/auditd 555
/usr/sbin/audit 555
/usr/sbin/auditreduce 744
/etc/security/rc.audit 400
/etc/security/audit_control 400
/etc/security/audit_class 444
/etc/security/audit_event 444
/etc/security/audit_user 400
/etc/security/audit_warn 555
Open a terminal session and set the following file permissions:
/usr/sbin/auditd 555
/usr/sbin/audit 555
/usr/sbin/auditreduce 744
/etc/security/rc.audit 400
/etc/security/audit_control 400
/etc/security/audit_class 444
/etc/security/audit_event 444
/etc/security/audit_user 400
/etc/security/audit_warn 555
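The check and fix above are easy to get wrong by eye, because "at least as restrictive" is a bitwise comparison rather than a numeric one. The script below is an added example and not part of the STIG: it carries the STIG's file list and modes, reports each file as ok, FINDING or missing, and can apply the modes. The comparison treats a mode as acceptable only when it grants no bit the required mode does not (setuid, setgid and sticky bits count as extra grants). The function names and the GNU/BSD stat fallback are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the STIG: checks the audit-related files listed
# above against the required modes and can apply them. "At least as
# restrictive" is read as "no permission bit set that the required mode does
# not set", so 400 passes a 444 requirement but 644 does not. The file list
# and modes are the STIG's; the function names are this example's own.

REQUIRED_MODES='
/usr/sbin/auditd 555
/usr/sbin/audit 555
/usr/sbin/auditreduce 744
/etc/security/rc.audit 400
/etc/security/audit_control 400
/etc/security/audit_class 444
/etc/security/audit_event 444
/etc/security/audit_user 400
/etc/security/audit_warn 555
'

# file_mode PATH -> permission bits in octal, including setuid/setgid/sticky.
# GNU stat (%a) is tried first; BSD/macOS stat prints type+mode as e.g. 100644
# for %p, so the last four digits are kept there.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null \
        || stat -f '%p' "$1" 2>/dev/null | sed 's/^.*\(....\)$/\1/'
}

# mode_within ACTUAL REQUIRED -> true when ACTUAL grants nothing that REQUIRED
# does not (both are octal strings; a leading 0 makes the shell parse octal).
mode_within() {
    actual=$((0$1)); required=$((0$2))
    [ $(( actual & ~required )) -eq 0 ]
}

# check_audit_perms -> one line per file; returns 1 if anything needs attention.
check_audit_perms() {
    rc=0
    while read -r path required; do
        [ -n "$path" ] || continue              # skip the blank table lines
        if [ ! -e "$path" ]; then
            printf '%-30s missing      (required %s)\n' "$path" "$required"
            rc=1
            continue
        fi
        actual=$(file_mode "$path")
        if mode_within "$actual" "$required"; then
            printf '%-30s %-4s ok      (required %s)\n' "$path" "$actual" "$required"
        else
            printf '%-30s %-4s FINDING (required %s)\n' "$path" "$actual" "$required"
            rc=1
        fi
    done <<EOF
$REQUIRED_MODES
EOF
    return $rc
}

# fix_audit_perms: apply the required modes to the files that exist (run as root).
fix_audit_perms() {
    while read -r path required; do
        if [ -n "$path" ] && [ -e "$path" ]; then
            chmod "$required" "$path"
        fi
    done <<EOF
$REQUIRED_MODES
EOF
}

# Only inspect the live system on Mac OS X; pass "fix" as the first argument
# to apply the modes when the check reports findings.
case "$(uname -s)" in
    Darwin)
        if ! check_audit_perms && [ "${1:-}" = fix ]; then
            fix_audit_perms
        fi
        ;;
esac
```

Run `sudo sh audit_perms.sh` to report, and `sudo sh audit_perms.sh fix` to apply the modes. Files reported as missing are flagged rather than silently passed, because a missing audit_control or audit_warn usually means auditing itself is not configured, which the SA should look at before judging permissions.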
To verify the Spotlight preferences are securely configured: 1. Open System Preferences. 2. Click the Spotlight icon. 3. In the Search Results pane, verify the categories that should not be searchable by Spotlight are unchecked. 4. Click the Privacy pane. 5. Verify the correct folders and disks are listed in the Privacy pane; these are not searchable by Spotlight. If a category that should not be searchable is checked, or a folder or disk that should be excluded is not listed, then this is a finding.
To securely configure Spotlight preferences: 1. Open System Preferences. 2. Click the Spotlight icon. 3. In the Search Results pane, deselect the categories that should not be searchable by Spotlight. 4. Click the Privacy pane. 5. Click the Add button, or drag a folder or disk into the Privacy pane. Folders and disks in the Privacy pane are no longer searchable by Spotlight.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and verify "Disable clear text passwords" is checked. If it is not checked, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and select "Disable clear text passwords".
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and verify "Digitally sign all packets (requires Kerberos)" is checked. If it is not checked, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and select "Digitally sign all packets (requires Kerberos)".
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and verify "Encrypt all packets (requires SSL or Kerberos)" is checked. If it is not checked, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and select "Encrypt all packets (requires SSL or Kerberos)".
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and verify "Block man-in-the-middle attacks (requires Kerberos)" is checked. If it is not checked, then this is a finding.
1. Open Finder. 2. Click Applications. 3. Double-click Utilities. 4. Double-click Directory Utility. 5. Click the Show Advanced Options button. 6. Click the Services tab. 7. Click the lock and enter the password to unlock the options (if needed). 8. Click the LDAPv3 service. 9. Click the pencil icon. 10. Highlight the Server Name/Configuration Name. 11. Click Edit. 12. Click the Security tab and select "Block man-in-the-middle attacks (requires Kerberos)".
1. Open System Preferences->CDs & DVDs. 2. Ensure "When you insert a blank DVD:" is set to 'Ignore'. If the option is not set to 'Ignore', then this is a finding.
1. Open System Preferences->CDs & DVDs. 2. Set "When you insert a blank DVD:" to 'Ignore'.
Run the command: sudo diskutil verifyPermissions / This command reports any files whose owner is incorrect or whose permissions are less restrictive than the permissions originally set by the installer. If the results indicate the owner or permissions have changed, then this is a finding.
Run the command: sudo diskutil repairPermissions / Note: If permissions were made more restrictive than the package manager expects (as later rules require), then these tightened permissions will need to be reapplied after running this command.
Run the command: sudo launchctl list If a line for com.apple.mDNSResponder appears, then this is a finding. Note: The fix for this check must NOT be applied on Mac OS X 10.6, as unloading mDNSResponder disables all DNS resolution on that release.
Run the command: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist to disable Bonjour. (launchctl unload takes the path of the job's launchd plist; -w also records the job as disabled so it stays unloaded across reboots.) Note: This command must NOT be run on Mac OS X 10.6, as it disables all DNS resolution on that release.
Verify unnecessary packages are not installed. Open a terminal session and enter the following command: pkgutil / --pkgs Review the packages that are installed, determine if the installed packages are needed. If not, then this is a finding.
Review the packages that are installed using the following command: pkgutil / --pkgs Determine if the installed packages are needed. If not, verify any dependencies and use the rm command to remove them.
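"Determine if the installed packages are needed" is a judgement call, but the part that can be automated is spotting receipts that are not on a site-approved list. The script below is an added example, not part of the STIG: it compares the receipt identifiers pkgutil reports against a baseline file (one identifier per line) and, on the Mac, lists the files each unapproved package owns so the SA can decide what to remove. The baseline file format and the sample identifiers are constructed for this example; the pkgutil subcommands it relies on (--pkgs, --files, --pkg-info, --forget) should be confirmed against the pkgutil man page on the target release.

```shell
#!/bin/sh
# Added example, not part of the STIG: makes the "are these packages needed?"
# review repeatable by comparing the receipts `pkgutil --pkgs` reports against
# a site-approved baseline list. The baseline format (one receipt identifier
# per line) and the sample identifiers below are constructed for this example.
export LC_ALL=C    # keep sort and comm in the same collation

# unapproved_pkgs INSTALLED_FILE BASELINE_FILE -> identifiers in the first list
# that are not in the second, sorted, one per line.
unapproved_pkgs() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# review_installed BASELINE_FILE: live check on the Mac. For each unapproved
# receipt it prints the first files the package owns (paths are relative to
# the package's install location, which `pkgutil --pkg-info ID` shows) so the
# SA can decide what to remove; `pkgutil --forget ID` then drops the receipt.
review_installed() {
    inst=$(mktemp) || return 1
    pkgutil --pkgs > "$inst"
    unapproved_pkgs "$inst" "$1" | while read -r id; do
        printf '== %s is not in the baseline ==\n' "$id"
        pkgutil --files "$id" | head -20
    done
    rm -f "$inst"
}

# Constructed sample lists (not real system output) for an offline run.
sample_installed() {
    cat <<'EOF'
com.apple.pkg.BaseSystem
com.apple.pkg.Essentials
com.apple.pkg.BSD
com.example.pkg.SiteAgent
com.vendor.pkg.RemoteControlTool
EOF
}
sample_baseline() {
    cat <<'EOF'
com.apple.pkg.BSD
com.apple.pkg.BaseSystem
com.apple.pkg.Essentials
com.example.pkg.SiteAgent
EOF
}

# demo -> runs the comparison on the sample lists; prints the one unapproved receipt.
demo() {
    di=$(mktemp) && db=$(mktemp) || return 1
    sample_installed > "$di"
    sample_baseline > "$db"
    unapproved_pkgs "$di" "$db"
    rm -f "$di" "$db"
}

demo
```

On the Mac under review, run `review_installed /path/to/approved-packages.txt` (the baseline path is the site's choice) after sourcing the script; anything it prints is a package the SA must either justify and add to the baseline, or remove with rm on the files pkgutil lists and then pkgutil --forget. Keeping the baseline under version control turns this check into a diff against the last approved build.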