MAC OSX 10.5 Security Technical Implementation Guide

Checks: C-31666r1_chk

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Verify there are no easy to guess administrator account names. If any accounts have easy to guess names, then this is a finding.

Fix: F-28147r1_fix

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Rename or recreate accounts with difficult-to-guess names.

Checks: C-31667r1_chk

Open a terminal session and use the following command to view the setting for Maximum password age: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of maxMinutesUntilChangePassword is greater than 86400, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of maxMinutesUntilChangePassword is greater than 86400, then this is a finding.

Fix: F-28150r1_fix

Open a terminal session and use the following command to set the value for maximum password age: sudo pwpolicy -n -setglobalpolicy “maxMinutesUntilChangePassword=86400”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=86400".

Checks: C-31673r1_chk

Open a terminal session and use the following command to view the setting for Minimum password age: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword. If the value of minMinutesUntilChangePassword is less than 1440, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword. If the value of minMinutesUntilChangePassword is less than 1440, then this is a finding.

Fix: F-28156r1_fix

Open a terminal session and use the following command to set the value for minimum password age: sudo pwpolicy -n -setglobalpolicy “minMinutesUntilChangePassword=1440”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minMinutesUntilChangePassword=1440".

Checks: C-31676r1_chk

Open a terminal session and use the following command to view the setting for minimum password length: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minChars. If the value of minChars is less than 15, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minChars. If the value of minChars is less than 15, then this is a finding.

Fix: F-28160r1_fix

Open a terminal session and use the following command to set the value for minimum password length: sudo pwpolicy -n -setglobalpolicy “minChars=15”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minChars=15".

Checks: C-31678r1_chk

Open a terminal session and run the following commands: 1) pwpolicy –n -getglobalpolicy | tr " " "\n" | grep requiresAlpha 2) pwpolicy –n -getglobalpolicy | tr " " "\n" | grep requiresNumeric 3) pwpolicy –n -getglobalpolicy | tr " " "\n" | grep requiresMixedCase 4) pwpolicy –n -getglobalpolicy | tr " " "\n" | grep requiresSymbol. All values should equal 1. If not, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Add the path /Local/Default to the above commands, an example would be: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresAlpha .

Fix: F-28165r1_fix

Open a terminal session and run the following command: sudo pwpolicy -n - setglobalpolicy "requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1". For non managed systems the path /Local/Default would need to be added to the command, an example would be: pwpolicy -n /Local/Default - setglobalpolicy "requiresAlpha=1 requiresNumeric=1 requiresMixedCase=1 requiresSymbol=1"

Checks: C-31679r1_chk

Open a terminal session and use the following command to view the setting for Password cannot be name: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName. If the value of passwordCannotBeName is not equal to 1, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName. If the value of passwordCannotBeName is not equal to 1, then this is a finding.

Fix: F-28166r1_fix

Open a terminal session and use the following command to set the value for Password cannot be name: sudo pwpolicy -n -setglobalpolicy “passwordCannotBeName=1”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "passwordCannotBeName=1".

Checks: C-31680r1_chk

Open a terminal session and use the following command to view the setting for Account lockout duration: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset. If the value of minutesUntilFailedLoginReset is greater than 0, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset. If the value of minutesUntilFailedLoginReset is greater than 0, then this is a finding.

Fix: F-28167r1_fix

Open a terminal session and use the following command to set the value for Account lockout duration: sudo pwpolicy -n -setglobalpolicy “minutesUntilFailedLoginReset=0”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "minutesUntilFailedLoginReset=0".

Checks: C-31681r1_chk

Open a terminal session and use the following command to view the setting for Account lockout threshold: sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttemps. If the value of maxFailedLoginAttemps is more than 3, then this is a finding. Note: If the command returns a response of: password server is not configured, the system is not managed. Use the following command for non-managed systems: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttemps. If the value of maxFailedLoginAttemps is more than 3, then this is a finding.

Fix: F-28168r1_fix

Open a terminal session and use the following command to set the value for Account lockout threshold: sudo pwpolicy -n -setglobalpolicy “maxFailedLoginAttemps=3”. Note: For non-managed system, use the command: pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttemps=3".

Checks: C-31683r1_chk

Open a terminal session and enter the following command: sudo softwareupdate --list or sudo softwareupdate --list --all Review the result for proper versions and current patch level. GUI procedures: 1. Choose Apple (?) > Software Update. 2. Select 'Scheduled Check & Installed Updates' 3. Verify all current software updates are installed. If the current software updates are not installed, then this is a finding. Note: This check does not show 3rd party software or updates.

Fix: F-28170r1_fix

Ensure all software is kept up-to-date with manufacturer's updates, especially security updates and patches. Note: Do not enable Automatic Updating as this will conflict with V-25298

Checks: C-31684r1_chk

1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following files do NOT exist: AppleAirPort.kext, AppleAirPort2.kext, and AppleAirPortFW.kext If any of the files exist, then this is a finding.

Fix: F-28171r1_fix

To remove support for WiFi at the kext file level: open a terminal session and use the following commands to remove the following files. sudo srm -rf /System/Library/Extensions/AppleAirPort.kext sudo srm -rf /System/Library/Extensions/AppleAirPort2.kext sudo srm -rf /System/Library/Extensions/AppleAirPortFW.kext GUI procedures: 1. Open the /System/Library/Extensions folder. 2. Drag the following files to the Trash: AppleAirPort.kext, AppleAirPort2.kext, AppleAirPortFW.kext 3. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions 4. Choose Finder > Secure Empty Trash to delete the file. 5. Restart the system.

Checks: C-31685r1_chk

1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following files do NOT exist: IOBluetoothFamily.kext and IOBluetoothHIDDriver.kext. If the files exist, then this is a finding.

Fix: F-28172r1_fix

Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/IOBluetoothFamily.kext sudo srm -rf /System/Library/Extensions/IOBluetoothHIDDriver.kext sudo touch /System/Library/Extensions

Checks: C-31686r1_chk

1. Open System Preferences -> Sound. 2. Select Internal microphone and ensure "Input Volume" is set to zero. 3. Select Line-In (if present) and ensure "Input Volume" is set to zero. 4. Select Display Audio and ensure "USB" is set to zero. If any of the parameters are not set to zero, then this is a finding.

Fix: F-28173r1_fix

Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/AppleOnboardAudio.kext sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext sudo srm -rf /System/Library/Extensions/AppleDeviceTreeUpdater.kext sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext sudo srm -rf /System/Library/Extensions/VirtualAudioDriver.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions folder. 2. To remove support for audio components such as the microphone, drag the following files to the Trash: AppleOnboardAudio.kext, AppleUSBAudio.kext, AudioDeviceTreeUpdater.kext, IOAudioFamily.kext, and VirtualAudioDriver.kext 3. Open Terminal and enter the following command: $ sudo touch System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X. 4. Choose Finder -> Secure Empty Trash to delete the file. 5. Restart the system.

Checks: C-31687r1_chk

1. Open the /System/Library/Extensions folder. 2. Ensure the following file does NOT exist:Apple_iSight.kext. 3. Control click the IOUSBFamily.kext and select Show Package Contents. 4. Open the /Contents/PlugIns/ folder. 5. Ensure the following file does NOT exist: AppleUSBVideoSupport.kext

Fix: F-28174r1_fix

Open a terminal session and enter the following commands to remove the files: sudo srm -rf /System/Library/Extensions/Apple_iSight.kext sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/Plugins/AppleUSBVideoSupport.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions folder. 2. To remove support for the external iSight camera, drag the following file to the Trash:Apple_iSight.kext. 3. To remove support for the built-in iSight camera, control click the IOUSBFamily.kext and select Show Package Contents. 4. Open the /Contents/PlugIns/ folder. 5. Drag the following file to the Trash: AppleUSBVideoSupport.kext 6. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X. 7. Choose Finder -> Secure Empty Trash to delete the file. 8. Restart the system.

Checks: C-31690r1_chk

1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following file does NOT exist: AppleIRController.kext If the file exists, then this is a finding.

Fix: F-28177r1_fix

Open a terminal session and enter the following commands to remove the file: srm -rf /System/Library/Extensions/AppleIRController.kext sudo touch /System/Library/Extensions GUI Procedures: 1. Open the /System/Library/Extensions 2. Drag the following file to the Trash: AppleIRController.kext 3. Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library) are deleted and rebuilt automatically by Mac OS X. 4. Choose Finder -> Secure Empty Trash to delete the file. 5. Restart the system.

Checks:

Fix:

Checks: C-31692r1_chk

Open a terminal session. The warning banner should be displayed in the terminal. If the following DoD warning banner is not displayed, then this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Note: Any OS versions that do not support the full text version must state the following: “I've read & consent to terms in IS user agreem't.” Note: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

Fix: F-28179r1_fix

1. Open a terminal session 2. Verify the /etc/motd file exists. If not, use the touch command to create the file. 3. Edit the file and enter the appropriate DoD warning banner information. 4. Save the file. 5. Open a new terminal session and verify the banner is displayed.

Checks: C-31694r1_chk

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click the Connection tab and verify "Encrypt using SSL" is selected. If "Encrypt using SSL" is not selected, then this is a finding.

Fix: F-28181r1_fix

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click the Connection tab and select "Encrypt using SSL"

Checks: C-31695r1_chk

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, then this is a finding.

Fix: F-28182r1_fix

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and select "Use authentication when connecting"

Checks: C-31698r1_chk

To use the command line utility to check permissions: Open a Terminal session, access the home directory, and type ls -ls, and ensure home directory has permission set to 700. If permissions are not set to 700, then this is a finding.

Fix: F-28185r1_fix

To use the command line utility, open a terminal session and sudo chmod 700 for each users home directory.

Checks: C-31699r1_chk

1.Open a terminal session and edit the /etc/hostconfig file, by using the command (sudo pico /etc/hostconfig). 2. Verify the following line exists: AUDIT=-YES- If the value is not YES, then this is a finding. Cancel out of file without saving.

Fix: F-28186r1_fix

1.Open a terminal session and edit the /etc/hostconfig file, by using the command (sudo pico /etc/hostconfig). 2. Add the following line to the file: AUDIT=-YES- 3. Save the file. 4. Restart the machine.

Checks: C-31700r2_chk

1. Install the Common Criteria Tools for OS X 10.5. 2. Open the /etc/security/audit_control file. 3. Find the line that begins with "flags". 4. Ensure that line includes the following: flags: lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. If the file does not contain appropriate flags, then this is a finding.

Fix: F-28187r2_fix

1. Install the Common Criteria Tools for OS X 10.5. 2. Open a terminal session and edit the /etc/security/audit_control file. 3. Find the line that begins with "flags". 4. Replace that line with the following: flags:lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. 5. Save the file

Checks: C-31702r1_chk

1. Open a terminal session and enter the command: more /etc/newsyslog.conf 2. If the count values are not set to 14, then this is a finding.

Fix: F-28188r1_fix

Open a terminal session and enter the command: sudo pico /etc/newsyslog.conf and set all count values to 14.

Checks: C-31703r1_chk

1 Open a terminal session and enter the command: more /etc/syslog.conf 2. Ensure the name or IP address of the site's log server is listed 'your.log.server'. If the name or IP address of the log server is not listed, then this is a finding.

Fix: F-28189r1_fix

1. Open a terminal session and enter the command: sudo pico /etc/syslog.conf 2. Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and keeping all other lines intact: *.* @your.log.server 3. Exit, saving changes. 4. Reboot the system.

Checks: C-31705r1_chk

1. Open a terminal session and enter the command: more /etc/sshd_config 2. Ensure the value PermitRootLogin is set to No. If the value PermitRootLogin is not set to No, then this is a finding.

Fix: F-28191r1_fix

1. Open a terminal session and enter the command: sudo pico /etc/sshd_config 2. Edit the value PermitRootLogin and set it to No. 3. Save the file

Checks: C-31707r1_chk

1. Open a terminal session and enter the command: more /etc/sshd_config 2. Ensure the value Protocol is set to 2. If the value Protocol is not set to 2, then this is a finding.

Fix: F-28193r1_fix

1. Open a terminal session and enter the following command: sudo pico /etc/sshd_config 2. Edit the value: Protocol to 2. 3.Save the file.

Checks: C-31709r1_chk

1. Open a terminal session and enter the following command: launchctl umask. 2. Ensure the permission is set to 27. If the permission is not set to 27, then this is a finding.

Fix: F-28195r1_fix

1. Open a terminal session and enter the following command: sudo echo "umask 027" >> /etc/launchd.conf

Checks: C-31710r1_chk

1. Open System Preferences > MobileMe. 2. On the Sync pane, ensure "Synchronization with MobileMe" is not checked and all other options are disabled. If not, then this is a finding. Command Procedures: 1. Open a terminal session. 2. View the /System/Library/Extensions folder. 3. Ensure the following files do NOT exist: Mac.prefPane and Internet.prefPane. If any of the files exist, then this is a finding.

Fix: F-28196r1_fix

1. Open System Preferences-> MobileMe. 2. On the Sync pane, uncheck "Synchronization with MobileMe" and disable all other options. Command Procedures: Open a terminal session and enter the following commands to remove the file: sudo rm -R /System/Library/PreferencePanes/Mac.prefPane sudo rm -R /System/Library/PreferencePanes/Internet.prefPane sudo touch /System/Library/Extensions

Checks: C-31711r1_chk

Open a terminal session and enter the following command: defaults read com.apple.SoftwareUpdate CatalogURL The value returned is the current Software Update Server. Verify it is an approved SUS. If no value is returned, the system is using a default Apple Update Server and this would be a finding.

Fix: F-28197r1_fix

Open a terminal session and enter one of the following commands: defaults write com.apple.SoftwareUpdate CatalogURL 'new_SUS_URL' (where 'new_SUS_URL' is the URL or the address of the appropriate government SUS to be used).

Checks: C-31712r1_chk

1. Open a terminal session and enter the following command: more /etc/authorization 2. Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, then this is a finding.

Fix: F-28198r1_fix

1. Open a terminal session and edit the following file: /etc/authorization 2. Change "authenticate-session-owner-or-admin " to "authenticate-session-owner" in the "system.login.screensaver" key. 3. Save the file.

Checks: C-31713r1_chk

1. Open a terminal session and enter the following command: ls - ls /Applications/SystemPreferences.app/Contents/Resources/installAssistant 2. Ensure the file permissions are set to -rwxrwxr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28199r1_fix

1. Open a terminal session and enter the following command: chmod 775 /Applications/System Preferences.app/Contents/Resources/installAssistant.

Checks: C-31714r1_chk

1. Open a terminal session and enter the following command: ls -ls /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28200r1_fix

1. Open a terminal session and enter the following command: chmod 755 /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool

Checks: C-31715r1_chk

1. Open a terminal session and enter the following command: ls -ls /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28201r1_fix

1. Open a terminal session and enter the following command: chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Checks: C-31716r1_chk

1. Open a terminal session and enter the following command: ls -ls /System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28202r1_fix

1. Open a terminal session and enter the following command: chmod 755 /System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav

Checks: C-31717r1_chk

1. Open a terminal session and enter the following command: ls -ls /System/Library/Filesystems/AppleShare/afpLoad 2. Ensure the file permissions are set to -rwxr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28203r1_fix

1. Open a terminal session and enter the following command: chmod 755 /System/Library/Filesystems/AppleShare/afpLoad

Checks: C-31718r1_chk

1. Open a terminal session and enter the following command: ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2. Ensure the file permissions are set to -rwx--x--x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28204r1_fix

1. Open a terminal session and enter the following command: chmod 711 /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp

Checks: C-31719r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/libexec/dumpemacs 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28205r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/libexec/dumpemacs

Checks: C-31720r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/libexec/xgrid/IdleTool 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28206r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/libexec/xgrid/IdleTool

Checks: C-31722r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/sbin/vpnd 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28208r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/sbin/vpnd

Checks: C-31723r1_chk

1. Open a terminal session and enter the following command: ls -ls /sbin/route 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28209r1_fix

1. Open a terminal session and enter the following command: chmod 555 /sbin/route

Checks: C-31724r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/bin/ipcs 2. Ensure the file permissions are set to -r-x--x--x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28210r1_fix

1. Open a terminal session and enter the following command: chmod 511 /usr/bin/ipcs

Checks: C-31725r1_chk

1. Open a terminal session and enter the following command: ls -ls /bin/rcp 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28211r1_fix

1. Open a terminal session and enter the following command: chmod 555 /bin/rcp

Checks: C-31726r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/bin/rlogin 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28212r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/bin/rlogin

Checks: C-31727r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/bin/rsh 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28213r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/bin/rsh

Checks: C-31728r1_chk

1. Open a terminal session and enter the following command: ls -ls /usr/lib/sa/sadc 2. Ensure the file permissions are set to -r-xr-xr-x. If the permission is not the same or more restrictive, then this is a finding.

Fix: F-28214r1_fix

1. Open a terminal session and enter the following command: chmod 555 /usr/lib/sa/sadc

Checks: C-31731r1_chk

1. Open System Preferences->Software Updates. 2. Click the Scheduled Check pane. 3. Ensure the “Check for updates" and “Download important updates automatically” options are unchecked. If the options are checked, then this is a finding. Command Procedures: 1. Open a terminal session and enter the following command: softwareupdate --schedule 2. Verify 'Automatic check' is off. If the option is not off, then this is a finding.

Fix: F-28217r1_fix

1. Open System Preferences->Software Updates. 2. Click the Scheduled Check pane. 3. Deselect “Check for updates" and “Download important updates automatically”. Command Procedues: Open a terminal session and enter the following command to disable auto update feature: softwareupdate --schedule off

Checks: C-31732r1_chk

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account 3. Ensure "Allow guests to login to this computer" option is unchecked. If the option is checked, then this is a finding.

Fix: F-28218r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account 3. Deselect "Allow guests to login to this computer".

Checks: C-31733r1_chk

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow Guests to connect to shared folders" option is unchecked. If the option is checked, then this is a finding.

Fix: F-28219r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow Guests to connect to shared folders".

Checks: C-31736r1_chk

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure "Display login window as:" is set to "Name & password". If the option is not set to "Name & Password", then this is a finding.

Fix: F-28222r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Set "Display login window as:" to 'Name & password'.

Checks: C-31741r1_chk

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Ensure the "Enable Fast User Switching" is not checked. If the option is checked, then this is a finding.

Fix: F-28226r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Enable Fast User Switching" to disable this option.

Checks: C-31747r1_chk

Open System Preferences->Desktop & Screen Saver. Select the screen saver tab. Ensure the "Start screen saver" slider is set to 15 minutes or less. If not, then this is a finding.

Fix: F-28232r1_fix

Open System Preferences->Desktop & Screen Saver. Select the screen saver tab. Set the 'Start screen saver" slider to 15 minutes or less.

Checks: C-31749r1_chk

1. Open System Preferences - > Energy Saver - > Options Pane. 2. Ensure "Restart automatically after a power failure" is not checked. If the option is checked, then this is a finding. Note: For some Mac Books systems the "Restart automatically after a power failure" option is located on the "Power Adapter" pane.

Fix: F-28234r1_fix

1. Open System Preferences - > Energy Saver - > Options Pane. 2. Deselect "Restart automatically after a power failure" to disable this option. Note: For some Mac Books systems the "Restart automatically after a power failure" option is located on the "Power Adapter" pane.

Checks: C-31752r1_chk

1. Open System Preferences->Exposé & Spaces, Exposé pane. 2. Ensure no corners are set to "Disable Screen saver" in the 'Active Screen Corners' section for each user account. If any account is set to disable screen savers via corners, then this is a finding.

Fix: F-28237r1_fix

1. Open System Preferences->Exposé & Spaces, Exposé pane. 2. Remove any corners which are set to "Disable Screen saver" in the 'Active Screen Corners' section for each user account.

Checks: C-31753r1_chk

1. Open System Preferences -> Open Keyboard & Mouse preferences. 2. Click Bluetooth tab. 3. Ensure “Allow Bluetooth devices to wake this computer” is not checked. If the option is checked, then this is a finding.

Fix: F-28239r1_fix

1. Open System Preferences -> Keyboard & Mouse preferences. 2. Click Bluetooth tab. 3. Deselect “Allow Bluetooth devices to wake this computer”.

Checks: C-31755r1_chk

1. Open System Preferences - > Network. 2. From the list of hardware devices, select AirPort. 3. Ensure the 'Status' is set to 'Inactive'. If the service is not inactive or removed, then this is a finding.

Fix: F-28240r1_fix

1. Open System Preferences - > Network. 2. From the list of hardware devices, select AirPort. 3. Set this service to 'Inactive' by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)

Checks: C-31756r1_chk

1. Open System Preferences - > Network. 2. From the list of hardware devices, select Bluetooth. 3. Ensure the "Status" is set to 'Inactive'. If the service is not inactive or removed, then this is a finding.

Fix: F-28242r1_fix

1. Open System Preferences - > Network. 2. From the list of hardware devices, select Bluetooth. 3. Set this service to Inactive by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)

Checks: C-31758r1_chk

1. Open System Preferences - > Network. 2. From the list of hardware devices, select Firewire. 3. Ensure the "Status" is set to 'Inactive'. If the service is not set to inactive or removed, then this is a finding.

Fix: F-28243r1_fix

1. Open System Preferences - > Network. 2. From the list of hardware devices, select Firewire. 3. Set this service to 'Inactive' by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose 'Manually'.)

Checks: C-31759r1_chk

1. Open System Preferences - > Network. 2. Click Advanced. 3. Click the TCP/IP tab 4. Ensure "Configure IPv6" is set to 'Off'. If option is not set to 'Off', then this is a finding. Note: this must be checked on all network interfaces.

Fix: F-28244r1_fix

1. Open System Preferences - > Network. 2. Click Advanced 3. CLick the TCP/IP tab and set "Configure IPv6" to 'Off', if not actively being used. Note: this must be disabled on each network interface.

Checks: C-31760r1_chk

1. Open System Preferences->QuickTime, Browser Pane. 2. Ensure "Play Movies Automatically" is not checked. If the option is checked, then this is a finding.

Fix: F-28245r1_fix

1. Open System Preferences->QuickTime, Browser Pane. 2. Deselect "Play Movies Automatically".

Checks: C-31761r1_chk

1. Open System Preferences->QuickTime, Browser Pane. 2. Ensure "Save Movies in disk cache" is not checked. If option is checked, then this is a finding.

Fix: F-28246r1_fix

1. Open System Preferences->QuickTime, Browser Pane. 2. Deselect "Save Movies in disk cache".

Checks: C-31762r1_chk

1. Open System Preferences->QuickTime. 2. Click Advanced tab. 3. Ensure "Enable Kiosk Mode" is selected. If setting is not checked, then this is a finding.

Fix: F-28247r1_fix

1. Open System Preferences->QuickTime, Advanced Pane. 2. Select "Enable Kiosk Mode".

Checks: C-31763r1_chk

1. Open System Preferences->Security. 2 Select General tab. 3. Ensure "Require password to wake this computer from sleep or screen saver" is checked. If option is not checked, then this is a finding.

Fix: F-28248r1_fix

1. Open System Preferences->Security. 2 Select General tab. 3. Select "Require password to wake this computer from sleep or screen saver".

Checks: C-31766r1_chk

1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Require password to unlock each System Preferences Pane" is checked. If option is not checked, then this is a finding.

Fix: F-28250r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Require password to unlock each System Preferences Pane".

Checks: C-31769r1_chk

1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Use Secure Virtual Memory" is checked. If option is not checked, then this is a finding.

Fix: F-28252r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Use Secure Virtual Memory".

Checks: C-31771r1_chk

1. Open System Preferences->Security. 2. Select General tab. 3. Ensure "Disable remote control infrared receiver" is checked. If the option is not checked, then this is a finding.

Fix: F-28253r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable remote control infrared receiver".

Checks: C-31773r1_chk

If IR Receiver is disabled, then mark this check N/A. See V25333/OSX00445. If IR is enabled, then ensure it is paired to this computer by performing the following: 1. Open System Preferences->Security Pane. 2. Select General tab. 3. Ensure IR Remote Control is paired to this system.

Fix: F-28256r1_fix

1. Open System Preferences->Security Pane. 2. Select General tab. 3. Click "Pair" to pair IR Remote Control to this system.

Checks: C-31774r1_chk

1. Open System Preferences->Security. 2. Select Firewall tab. 3. Ensure "Set access for specific services and applications" is selected and only essential Services and Applications are listed in the 'Allow incoming connections' section. If not, then this is a finding. .

Fix: F-28257r1_fix

1. Open System Preferences->Security. 2. Select Firewall tab. 3. Select Set access for specific services and applications 4. Add only essential services and applications for incoming connections and remove unneeded services and applications.

Checks: C-31775r1_chk

1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Ensure "Enable Firewall logging" is checked. If option is not checked, then this is a finding. Note: If the Mac OS X firewall has not been configured this setting will be unavailable.

Fix: F-28258r1_fix

1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Select "Enable Firewall logging".

Checks: C-31776r1_chk

This check applies to mobile platforms only. 1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Ensure "Enable Stealth mode" is checked. If the option is not checked, then this is a finding.

Fix: F-28259r1_fix

1. Open System Preferences->Security. 2. Select Firewall tab. 3. Click on Advanced. 4. Select "Enable Stealth mode".

Checks: C-31777r1_chk

1. Open System Preferences->Sharing. 2. Ensure "DVD or CD Sharing" service does not have the 'On' box checked. If the box is checked, then this is a finding.

Fix: F-28260r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the 'On' box for "DVD or CD Sharing" service.

Checks: C-31779r1_chk

1. Open System Preferences->Sharing. 2. Ensure "Screen Sharing" service does not have the 'On' box checked. If the box is checked, then this is a finding.

Fix: F-28261r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the 'On' box for "Screen Sharing" service.

Checks: C-31780r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "File Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28262r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "File Sharing" service.

Checks: C-31781r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Printer Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28263r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Printer Sharing" service.

Checks: C-31782r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Web Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28264r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Web Sharing" service.

Checks: C-31783r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Remote Login" service is not checked. If the box is checked, then this is a finding.

Fix: F-28265r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Login" service.

Checks: C-31784r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Remote Management" service is not checked. If the box is checked, then this is a finding.

Fix: F-28271r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Management" service.

Checks: C-31785r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Remote Apple Events" service is not checked. If the box is checked, then this is a finding.

Fix: F-28272r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Apple Events" service.

Checks: C-31786r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Xgrid Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28273r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Xgrid Sharing" service.

Checks: C-31787r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Internet Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28275r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Internet Sharing" service.

Checks: C-31788r1_chk

1. Open System Preferences->Sharing. 2. Ensure the "On'" box for "Bluetooth Sharing" service is not checked. If the box is checked, then this is a finding.

Fix: F-28276r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Bluetooth Sharing" service.

Checks: C-31789r1_chk

1. Choose Mail > Preferences, and then click Accounts. 2. Select an account, and then click Advanced. 3. Ensure "Use SSL" is selected. 4. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). 5. Click Account Information. 6. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. 7. From the server list, select your outgoing mail server, and then click Advanced. 8. Ensure Secure Socket Layer (SSL) is selected. 9. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, or Kerberos Version 5 (GSSAPI)). Note: if you are not using the Mac Mail Application is check does not apply.

Fix: F-28278r1_fix

1. Choose Mail > Preferences, and then click Accounts. 2. Select an account, and then click Advanced. 3. Select "Use SSL". 4. From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). 5. Click Account Information. 6. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. 7. From the server list, select your outgoing mail server and then click Advanced. 8. Select "Secure Socket Layer (SSL)". 9. From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, or Kerberos Version 5 (GSSAPI)). 10. Close the preferences window, and then click Save in the message that appears.

Checks: C-31792r1_chk

1 Open Finder > Preferences > Sidebar. 2. Ensure the iDisk icon is not selected. If the option is selected, then this is a finding. This must be done for each user on the system.

Fix: F-28282r1_fix

1 Open Finder -> Preferences -> Sidebar. 2. De-select the iDisk icon. This must be done for each user on the system.

Checks: C-31817r1_chk

Verify with the SA that the site has a password policy. If the site does not have a password policy, then this is a finding.

Fix: F-28318r1_fix

The site must create a password policy that meets the requirements of the DoD information system.

Checks: C-31800r1_chk

Interview the SA to determine if equipment is located in an controlled access area.

Fix: F-28295r1_fix

Relocate equipment to a controlled access area.

Checks: C-31801r1_chk

Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account (which provides no individual identification and accountability) is mitigated. Note: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if that machine is stand-alone and has no access to the network.

Fix: F-28296r1_fix

Remove any shared accounts that do not meet the exception requirements listed.

Checks: C-31802r1_chk

1. Open a terminal session and enter one of the following commands: sudo softwareupdate --list or sudo softwareupdate --list --all. 2. Review the results and verify the current approved software patches are applied.

Fix: F-28297r1_fix

Install the current OS updates and patches.

Checks: C-31804r1_chk

Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location.

Fix: F-28299r1_fix

Create and maintain an emergency admininstrator account for emergency situations.

Checks: C-31805r1_chk

Interview the SA or IAM to determine if the site has a policy that requires the default and backup admin passwords to be changed at least annually or when any member of the administrative team leaves the organization.

Fix: F-13549r1_fix

Define a policy for required password changes for the default and backup admin account.

Checks: C-31806r1_chk

The site should have a local policy to ensure that passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.

Fix: F-28300r1_fix

Create application/service account passwords that are at least 15 characters in length and meet complexity requirements. Change application/service account passwords that are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.

Checks: C-31807r1_chk

1. Open System Preferences. 2. Click the Security Icon 3. Click the General Tab 3. Ensure "Activate screen saver when login token is removed" option is selected. If the option is not selected, then this is a finding. Note: if you are not using a smart card application this check does not apply.

Fix: F-28301r1_fix

1. Open System Preferences. 2. Click the Security Icon 3. Click the General Tab 4. Select "Activate screen saver when login token is removed".

Checks: C-31808r1_chk

The following files are used in the auditing process and access to these files should be restricted to an auditor’s group. If the file permissions are not at least as restrictive as listed below then this is a finding. Open a terminal session and verify the following permissions: /usr/sbin/auditd 555 /usr/sbin/audit 555 /usr/sbin/auditreduce 744 /etc/security/rc.audit 400 /etc/security/audit_control 400 /etc/security/audit_class 444 /etc/security/audit_event 444 /etc/security/audit_user 400 /etc/security/audit_warn 555

Fix: F-28302r1_fix

Open a terminal session and set the following file permissions: /usr/sbin/auditd 555 /usr/sbin/audit 555 /usr/sbin/auditreduce 744 /etc/security/rc.audit 400 /etc/security/audit_control 400 /etc/security/audit_class 444 /etc/security/audit_event 444 /etc/security/audit_user 400 /etc/security/audit_warn 555

Checks: C-31956r1_chk

To securely configure Spotlight preferences: 1. Open System Preferences 2. Click the Spotlight Icon. 3. In the Search Results pane, verify the categories you don’t want searchable by Spotlight are unchecked. 4. Click the Privacy pane. 5. Verify the correct folders and disks are in the Privacy pane; these are not searchable by Spotlight.

Fix: F-28370r1_fix

To securely configure Spotlight preferences: 1. Open System Perferences 2. Click the Spotlight Icon. 2. In the Search Results pane, deselect categories you don’t want searchable by Spotlight. 3. Click the Privacy pane. 4. Click the Add button or drag a folder or disk into the Privacy pane. 5. Folders and disks in the Privacy pane are now not searchable by Spotlight.

Checks: C-32099r1_chk

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and verify the "Digitally sign all packets (requires Kerberos)" is checked. If the value is not checked, then this is a finding.

Fix: F-28497r1_fix

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and select "Digitally sign all packets (requires Kerberos)"

Checks: C-32100r1_chk

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and verify the "Encrypt all packets (requires SSL or Kerberos)" is checked. If the value is not checked, then this is a finding.

Fix: F-28498r1_fix

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and select "Encrypt all packets (requires SSL or Kerberos)"

Checks: C-32101r1_chk

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click on Security tab and verify the "Block man-in-the-middle attacks (requires Kerberos)" is checked. If the value is not checked, then this is a finding

Fix: F-28499r1_fix

Open Finder Click Applications Double Click Utility Double Click Directory Utility Click the Show Advanced Options button Click Services tab Click the Lock and enter the password to unlock the options(if needed) Click the LDAPv3 service Click the Pencil icon Highlight the Server Name/Configuration Name Click Edit Click the Security tab and select "Block man-in-the-middle attacks (requires Kerberos)"

Checks: C-32702r1_chk

This command should indicate any files having an incorrect owner or permissions less restrictive than what the original permissions were set to. If the results indicate the owner or permissions changed, this is a finding.

Fix: F-28790r1_fix

Run the command: sudo diskutil repairPermissions / Note: If permissions were made more restrictive than the package manager expects (as later rules require), then these tightened permissions will need to be reapplied after running this command.

Checks: C-32703r1_chk

Run the command: sudo launchctl list If a line for com.apple.mDNSResponder appears, then this is a finding. Note: This command must NOT be run on Mac OS X 10.6, as it will disable all DNS resolution.

Fix: F-28791r1_fix

Run the command: sudo launchctl -w unload com.apple.mDNSResponder to disable Bonjour.

Checks: C-31669r1_chk

Verify unnecessary packages are not installed. Open a terminal session and enter the following command: pkgutil / --pkgs Review the packages that are installed, determine if the installed packages are needed. If not, then this is a finding.

Fix: F-28155r1_fix

Review the packages that are installed using the following command: pkgutil / --pkgs Determine if the installed packages are needed. If not, verify any dependencies and use the rm command to remove them.