MAC OSX 10.6 Workstation Security Technical Implementation Guide

Checks: C-37044r1_chk

Enter the following command to view users with a UID of "0": grep :0 /etc/passwd If any user other than root has a UID of "0", this is a finding.

Fix: F-32312r1_fix

Edit the /etc/passwd file and change the UID of the duplicate to an unused UID.

Checks: C-37050r1_chk

Open a terminal session and use the following command to verify the system directories do not have uneven file permissions. ls -lL /etc /bin /usr/bin /sbin /usr/sbin If any directories listed contain uneven file permissions, this is a finding.

Fix: F-32315r1_fix

Use the "chmod" command to set the mode of files with uneven permissions so the owners do not have less permission than group or world users.

Checks: C-37567r1_chk

Open a terminal session and enter the following command. find / -nouser Review the results. If any files do not have a valid owner, this is a finding.

Fix: F-32810r1_fix

Determine the legitimate owner of the files and use the "chown" command to set the owner and group to the correct value. If the legitimate owner cannot be determined, examine the files to determine their origin and the reason for their lack of an owner/group.

Checks: C-37568r1_chk

Open a terminal session and enter the following command to check the mode of network services daemons (all on one line). find /usr/sbin -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all files that are group or world-writable. If any network services daemon listed is world or group-writable (either or both of the 2 lowest order digits containing a 2, 3, 6, or 7), this is a finding.

Fix: F-32811r1_fix

Open a terminal session and use the following command to change the mode of the network services daemon. chmod 755 <path of network services daemon file>

Checks: C-37569r1_chk

Open a terminal session and enter the following command to verify the permissions. ls -lLR /var/log /var/audit If any of the log files have modes more permissive than 644, this is a finding.

Fix: F-32812r1_fix

Open a terminal session and enter the following command to change the mode of the system log file(s). chmod 644 <path/to/system log file>

Checks: C-37571r1_chk

Open a terminal session and enter the following command to verify the permissions on library and framework files, all on one line. find /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib -type f -perm +022 -exec stat -f %Lp:%N {} \; If any of the library files have a mode more permissive than 0755, this is a finding.

Fix: F-32814r1_fix

Open a terminal session and enter the following command to change the mode of library files to 0755 or less permissive. chmod 0755 <path/to/library-file> NOTE: Library files should have an extension of ".a" or ".so", possibly followed by a version number. Frameworks are directories that may already contain files with more restrictive permissions than 755 and thus should not have their modes changed to 755 recursively.

Checks: C-37572r1_chk

Open a terminal session and enter the following command to verify command file permissions. find /bin /sbin /usr/bin /usr/sbin -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all group or world-writable files. If any file listed is world or group-writable (either or both of the two lowest order digits contain a "2", "3", "6", or "7"), this is a finding.

Fix: F-32815r3_fix

Open a terminal session and enter the following command to change the mode for system command files to remove group and world write permissions. # chmod go-w <path/filename>

Checks: C-37573r1_chk

Open a terminal session and enter the following command to verify the ownership of system files, programs, and directories. Procedure: ls -lLa/bin /usr/bin /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.

Fix: F-32816r1_fix

Open a terminal session and enter the following command to change the owner of system files, programs, and directories to a system account. chown root <path/filename>

Checks: C-37574r1_chk

Open a terminal session and use the following command to verify group ownership of system files, programs, and directories. ls -lLa /usr/bin If any system file, program, or directory is not owned by a system group, this is a finding.

Fix: F-32817r1_fix

Open a terminal session and enter the following command to change the group ownership of system files, programs, and directories to a system group. chgrp wheel <path/filename>

Checks: C-37575r1_chk

Open a terminal session and enter the following command to verify the permissions on the password file. ls -Ll /etc/passwd If the permissions are not set to 644, this is a finding.

Fix: F-32818r1_fix

Open a terminal session and enter the following command to set the permissions for the password file. chmod 644 /etc/passwd

Checks: C-37577r1_chk

Open a terminal session and enter the following command to verify the ownership of all public directories. find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-32819r1_fix

Open a terminal session and enter the following command to change the owner of public directories to root or an application account. chown root /tmp (Replace root with an application user and/or "/tmp" with another public directory as necessary.)

Checks: C-37779r1_chk

Open a terminal session and use the following command to verify the owner of audit logs in the /var/audit directory. ls -lL /var/audit If any file in the /var/audit directory is not owned by root, this is a finding.

Fix: F-33026r1_fix

Open a terminal session and use the following command to change the owner of the file. chown root /var/audit/<filename>

Checks: C-37780r1_chk

Open a terminal session and use the following command to verify the permissions. ls -lL /var/audit If any audit log file has a mode more permissive than 640, this is a finding.

Fix: F-33027r1_fix

Open a terminal session and use the following command to set the permissions of the audit log file. chmod 640 /var/audit <filename>

Checks: C-37578r1_chk

Open a terminal session and enter the following command to verify ownership of the services file. ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-32820r1_fix

Open a terminal session and enter the following command to set the ownership of the services file. chown root /etc/services

Checks: C-37579r1_chk

Open a terminal session and enter the following command to verify the mode of the services file. ls -lL /etc/services If the services file has a mode more permissive than 0644, this is a finding.

Fix: F-32821r1_fix

Open a terminal session and enter the following command to set the mode of the services file. chmod 0644 /etc/services

Checks: C-37580r1_chk

Open a terminal session and enter the following commands to verify ownership of local initialization files. ls -al /&lt;usershomedirectory&gt;/.login ls -al /&lt;usershomedirectory&gt;/.cshrc ls -al /&lt;usershomedirectory&gt;/.logout ls -al /&lt;usershomedirectory&gt;/.profile ls -al /&lt;usershomedirectory&gt;/.bash_profile ls -al /&lt;usershomedirectory&gt;/.bashrc ls -al /&lt;usershomedirectory&gt;/.bash_logout ls -al /&lt;usershomedirectory&gt;/.env ls -al /&lt;usershomedirectory&gt;/.dtprofile ls -al /&lt;usershomedirectory&gt;/.dispatch ls -al /&lt;usershomedirectory&gt;/.emacs ls -al /&lt;usershomedirectory&gt;/.exrc find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs ! -user &lt;username&gt; -exec ls -ld {} \; If local initialization files are not owned by the home directory's user or root, this is a finding.

Fix: F-32822r1_fix

Open a terminal session and enter the following command to change the ownership of the start-up and login files in the user’s directory to the user or root, as appropriate. Examine each user’s home directory and verify all filenames beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. chown <username> </directory/filename>

Checks: C-37706r1_chk

Open a terminal session and enter the following command to check the mode of launchctl plist files (all on one line). find /System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all files that are group or world writeable. If any launchctl plist file listed is world or group writeable (either or both of the 2 lowest order digits containing a 2, 3, 6, or 7), this is a finding.

Fix: F-32944r1_fix

Open a terminal session and enter the following command to set the mode of the run control script file. chmod 755 <startup file>

Checks: C-37581r1_chk

Open a terminal session and enter the following command to check the system for the existence of any .netrc files. find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-32823r1_fix

To remove the .netrc file(s) enter the following command. rm .netrc

Checks: C-37583r1_chk

Open a terminal session and enter the following command to verify the ownership of the system shell files. cat /etc/shells | xargs -n1 ls -lL If any shell file is not owned by root, this is a finding.

Fix: F-32825r1_fix

Open a terminal session and enter the following command to change the ownership of the shell file with incorrect ownership. chown root <shell>

Checks: C-37585r1_chk

Open a terminal session and enter the following command to verify permissions. find / -perm -2 -a \( -type b -o -type c \) &gt; devicelist Check the permissions on the directories above subdirectories in the devicelist file. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable (such as /dev/null), this is a finding.

Fix: F-32827r1_fix

Open a terminal session and enter the following command to set the mode of the device file. chmod 755 <device file>

Checks: C-37586r1_chk

Open a terminal session and enter the following command to check the system for NFS mounts not using the "nosuid" option. mount -t nfs | egrep -v "nosuid" If anything is returned, the mounted file systems do not have the "nosuid" option and this is a finding.

Fix: F-32828r2_fix

Open a terminal session and edit /etc/auto_master and add the "nosuid" option at the end of the line that begins with /net. In the same terminal session, edit /etc/fstab and add the "nosuid" option to any lines for NFS mounts. Remount the NFS file systems to make the change take effect.

Checks: C-37587r1_chk

Open a terminal session and enter the following command to verify the ownership of the file. ls -lL /etc/smb.conf If an smb.conf file is not owned by root, this is a finding.

Fix: F-32829r1_fix

Open a terminal session and enter the following command to set the owner of the smb.conf file to root. chown root /etc/smb.conf

Checks: C-37588r1_chk

Open a terminal session and enter the following command to verify the permissions of the /etc/smb.conf file. ls -lL /etc/smb.conf If the value is not set to 0644, this is a finding.

Fix: F-32830r1_fix

Open a terminal session and enter the following command to set the mode of the smb.conf file. chmod 644 /etc/smb.conf

Checks: C-37781r1_chk

Open a terminal session and use the following command to view the setting for password history. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep usingHistory If the value of usingHistory is less than 15, this is a finding. NOTE: If the command returns a response of password server is not configured, the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep usingHistory

Fix: F-33031r1_fix

Open a terminal session and use the following command to set the value for usingHistory. sudo pwpolicy -n -setglobalpolicy "usingHistory=15" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=15"

Checks: C-37043r1_chk

Open a terminal session and enter the following command to verify the ownership is set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect ownership, this is a finding.

Fix: F-32311r1_fix

Open a terminal session and enter the following command to reset the ownership to the original installation settings. diskutil repairPermissions /

Checks: C-37369r1_chk

Open a terminal session and enter the following command to verify the ownership is set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect ownership, this is a finding.

Fix: F-32606r1_fix

Open a terminal session and enter the following command to reset the file ownership to their original settings. diskutil repairPermissions /

Checks: C-37590r1_chk

Open a terminal session and enter the following command to verify the mode of the "at" directory. ls -ld /var/at If the directory mode is more permissive than 0755, this is a finding.

Fix: F-32832r1_fix

Open a terminal session and enter the following command to set the mode of the "at" directory to 755. chmod 755 /var/at

Checks: C-37591r1_chk

Open a terminal session and enter the following command to verify the owner of the "at" directory. ls -ld /var/at If the directory is not owned by root, bin, sys, or system, this is a finding.

Fix: F-32833r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /var/at

Checks: C-37592r1_chk

Open a terminal session and enter the following command to determine what "at" jobs exist on the system. ls /var/at/spool If no "at" jobs are present, this is not applicable. To determine if any of the "at" jobs or any scripts referenced execute the "umask" command check for any umask setting more permissive than 077. grep umask /var/at/spool&lt;at job or referenced script&gt; If any "at" job or referenced script sets umask to a value more permissive than 077, this is a finding.

Fix: F-32834r1_fix

Open a terminal session and edit "at" jobs or referenced scripts to remove "umask" commands setting umask to a value less restrictive than 077.

Checks: C-37594r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /var/at/at.deny If the at.deny file is not owned by root, sys, or bin, this is a finding.

Fix: F-32836r1_fix

Open a terminal session and enter the following command to set the owner of the at.deny file. chown root /var/at/at.deny

Checks: C-37595r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /usr/sbin/traceroute If the traceroute command is not owned by root, this is a finding.

Fix: F-32837r1_fix

Open a terminal session and enter the following command to set the owner of the traceroute command. chown root /usr/sbin/traceroute

Checks: C-37596r1_chk

Open a terminal session and enter the following command to verify the group ownership of the traceroute command. ls -lL /usr/sbin/traceroute If the traceroute command is not group owned by wheel, this is a finding.

Fix: F-32838r1_fix

Open a terminal session and enter the following command to set the group ownership of the traceroute command. chgrp wheel /usr/sbin/traceroute

Checks: C-37597r1_chk

Open a terminal session and enter the following command to verify the permissions on the traceroute command. ls -lL /usr/sbin/traceroute If the traceroute command has a mode more permissive than 0700, this is a finding.

Fix: F-32839r1_fix

Open a terminal session and enter the following command to set the mode of the traceroute command. chmod 700 /usr/sbin/traceroute

Checks: C-37598r1_chk

Open a terminal session and enter the following command to search for any .forward files on the system. find / -name .forward -print If any .forward files are found on the system, this is a finding.

Fix: F-32840r1_fix

Open a terminal session and enter the following command to remove .forward files from the system. rm <path of .forward files>

Checks: C-37599r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /etc/syslog.conf If the syslog.conf file is not owned by root, this is a finding.

Fix: F-32841r1_fix

Open a terminal session and use the following command to set the owner of the syslog.conf file. chown root /etc/syslog.conf

Checks: C-37600r1_chk

Open a terminal session and enter the following command to verify the group ownership of the syslog.conf file. ls -lL /etc/syslog.conf If the syslog.conf file is not group owned by wheel, this is a finding.

Fix: F-32842r1_fix

Open a terminal session and enter the following command to set the group ownership of the syslog.conf file. chgrp wheel /etc/syslog.conf

Checks: C-37601r1_chk

Open a terminal session and enter the following command to verify uucp is disabled. defaults read /System/Library/LaunchDaemons/com.apple.uucp Disabled If a 1 is not returned, this is a finding.

Fix: F-32843r1_fix

Open a terminal session and use the following command to disable uucp. launchctl unload -w /System/Library/LaunchDaemons/com.apple.uucp.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

Checks: C-37603r1_chk

Open a terminal session and enter the following commands to verify the permissions on the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization files are more permissive than 0644, this is a finding.

Fix: F-32845r1_fix

Open a terminal session and enter the following command to set the mode on the global initialization files. chmod 644 /etc/<filename>

Checks: C-37604r1_chk

Open a terminal session and enter the following commands to verify the owner of the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization file is not owned by root, this is a finding.

Fix: F-32846r1_fix

Open a terminal session and enter the following command to set the owner of the global initialization files. chown root /etc/<filename>

Checks: C-37605r1_chk

Open a terminal session and enter the following commands to verify the group ownership on the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization file is not group owned by wheel, this is a finding.

Fix: F-32847r1_fix

Open a terminal session and use the following command to set the group ownership of the global initialization files. chgrp wheel /etc/<filename>

Checks: C-37606r1_chk

Open a terminal session and enter the following command. sysctl -a | grep net.inet.ip.fw.enable If the value of "net.inet.ip.fw.enable" is not set to "0", this is a finding.

Fix: F-32848r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.fw.enable=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37607r1_chk

If an IM client is installed, ask the SA if it has access to any public domain IM servers. If it does have access to public servers, this is a finding.

Fix: F-32849r1_fix

Uninstall the IM client from the system, or configure the client to only connect to DoD-approved IM services.

Checks: C-37608r1_chk

Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications include. - Napster, - Kazaa, - ARES, - Limewire, - IRC Chat Relay, and - BitTorrent. If any of these applications are installed, this is a finding.

Fix: F-32850r1_fix

Uninstall the peer-to-peer file sharing application(s) from the system.

Checks: C-37609r1_chk

Open a terminal session and enter the following command to search the system for files without a valid group owner. find / -nogroup -print If any files are found, this is a finding.

Fix: F-32851r1_fix

Use the following command to change the group owner for each file without a valid group owner. chgrp <a-valid-group> <path>/<file-without-a-valid-group-owner>

Checks: C-37610r1_chk

Open a terminal session and enter the following command to view the network services daemon ACLs. ls -la /usr/sbin If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32852r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /usr/sbin/ <file with extended ACL>

Checks: C-37611r1_chk

Open a terminal session and enter the following command to view extended ACLs. find /bin /sbin /usr/bin /usr/sbin -print -exec ls -lLd \{\} \; | egrep '^..........+' If any command files are shown with permissions that include a '+', the file has an extended ACL, this is a finding.

Fix: F-32853r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <path/file with extended ACL>

Checks: C-37612r1_chk

Open a terminal session and enter the following command to view the system log files ACLs. ls -lLR /var/log If the permissions include a '+', the file has an extended ACL. If an extended ACL exists, verify with the SA if the ACL is required to support authorized software and provides the minimum necessary permissions. If an extended ACL exists, providing access beyond the needs of authorized software, this is a finding.

Fix: F-32854r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /var/log<file with extended ACL>

Checks: C-37614r1_chk

Open a terminal session and enter the following command to view the library file ACLs. ls -lLR /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32856r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -RN /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib

Checks: C-37616r1_chk

Open a terminal session and enter the following command to verify the owner of the resolv.conf file. ls -lL /etc/resolv.conf If the resolv.conf file is not owned by root, this is a finding.

Fix: F-32858r1_fix

Open a terminal session and enter the following command to set the owner of the resolv.conf file. chown root /etc/resolv.conf

Checks: C-37617r1_chk

Open a terminal session and enter the following command to verify the group ownership of the resolv.conf file. ls -lL /etc/resolv.conf If the resolv.conf file is not group owned by wheel, this is a finding.

Fix: F-32859r1_fix

Open a terminal session and enter the following command to set the group ownership of the resolv.conf file. chgrp wheel /etc/resolv.conf

Checks: C-37451r1_chk

Open a terminal session and enter the following command to verify the permissions on the file. ls -Ll /etc/resolv.conf If the permissions are not set to 644, this is a finding.

Fix: F-32697r1_fix

Open a terminal session and enter the following command to set permissions on the file. chmod 644 /etc/resolv.conf

Checks: C-37618r1_chk

Open a terminal session and enter the following command to view the resolv.conf file extended ACLs. ls -lL /etc/resolv.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32860r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/resolv.conf

Checks: C-37619r1_chk

Open a terminal session and enter the following command to verify the owner of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file is not owned by root, this is a finding.

Fix: F-32861r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/hosts

Checks: C-37620r1_chk

Open a terminal session and enter the following command to verify the group ownership of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file is not group owned by wheel, this is a finding.

Fix: F-32862r1_fix

Open a terminal session and enter the following command to set the group to root. chgrp wheel /etc/hosts

Checks: C-37621r1_chk

Open a terminal session and enter the following command to verify the permissions of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file permissions are not set to 644, this is a finding.

Fix: F-32863r1_fix

Open a terminal session and use the following command to set the mode of the etc/hosts file. chmod 644 /etc/hosts

Checks: C-37622r1_chk

Open a terminal session and enter the following command to view the /etc/hosts file extended ACLs. ls -lL /etc/hosts If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32864r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/hosts

Checks: C-37624r1_chk

Open a terminal session and enter the following command to verify the owner of the etc/passwd file. ls -lL /etc/passwd If the /etc/passwd file is not owned by root, this is a finding.

Fix: F-32866r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/passwd

Checks: C-37625r1_chk

Open a terminal session and enter the following command to verify the group ownership of the etc/passwd file. ls -lL /etc/passwd If the /etc/passwd file is not group owned by wheel, this is a finding.

Fix: F-32867r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel /etc/passwd

Checks: C-37626r1_chk

Open a terminal session and enter the following command to view the /etc/passwd file extended ACLs. ls -lL /etc/passwd If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32868r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/passwd

Checks: C-37628r1_chk

Open a terminal session and enter the following command to verify the owner of the /etc/group file. ls -lL /etc/group If the /etc/group file is not owned by root, this is a finding.

Fix: F-32870r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/group

Checks: C-37629r1_chk

Open a terminal session and enter the following command to verify the group ownership of the /etc/group file. ls -lL /etc/group If the /etc/group file is not group owned by wheel, this is a finding.

Fix: F-32871r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel /etc/group

Checks: C-37631r1_chk

Open a terminal session and enter the following command to verify the permissions of the /etc/group file. ls -lL /etc/group If the /etc/group file permissions are not set to 644, this is a finding.

Fix: F-32872r1_fix

Open a terminal session and enter the following command to set the mode of the /etc/group file. chmod 644 /etc/group

Checks: C-37632r1_chk

Open a terminal session and enter the following command to view the /etc/group file extended ACLs. ls -lL /etc/group If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32873r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/group

Checks: C-37683r1_chk

Open a terminal session and enter the following commands to view the group ownership of the user’s directories and files. ls -l /Users (shows users directory) ls -lL /Users/ &lt;each user directory&gt; If any directory or file is not group owned by the user or a know users group, this is a finding.

Fix: F-32922r1_fix

chgrp <group with user as member> <file with bad group ownership>

Checks: C-37634r1_chk

Open a terminal session and enter the following command. find /Users -print -exec ls -lLd \{\} \; | grep '^..........+' If files are shown with permissions that include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32875r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <user file with extended ACL>

Checks: C-37635r1_chk

Open a terminal session and enter the following command to verify the launch control scripts have no extended ACLs. ls -lL /System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchDaemons /Library/LaunchAgents If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32876r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <launch control script with extended ACL>

Checks: C-37636r1_chk

Open a terminal session and enter the following command to view extended ACLs. cat /etc/shells | xargs -n1 ls -lL If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32877r1_fix

Open a terminal session and use the following command to remove the extended ACLs. chmod -N <shell file with extended ACL>

Checks: C-37639r1_chk

Open a terminal session and enter the following command to view the ACLs of the audit files. ls -Ll /var/audit If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32880r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N </var/audit/ file with extended ACL>

Checks: C-37642r1_chk

Open a terminal session and enter the following command to view the ACLs of the cron.allow file. ls -l /private/var/at/cron.allow If the file exists and the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32883r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /private/var/at/cron.allow

Checks: C-37680r1_chk

Open a terminal session and enter the following commands to verify the group ownership of the "crontab" files. ls -lL /usr/sbin/cron ls -lL /usr/lib/cron ls -lL /usr/bin/crontab ls -lL /private/var/at/cron.deny If the group-owner is not wheel or the crontab owner's primary group, this is a finding.

Fix: F-32920r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel <crontab file>

Checks: C-37644r1_chk

Open a terminal session and enter the following commands to view the extended ACLs of the crontab file. ls -lL /usr/sbin/cron ls -lL /usr/lib/cron ls -lL /usr/bin/crontab ls -lL /private/var/at/cron.deny If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32885r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <crontab file>

Checks: C-37645r1_chk

Open a terminal session and enter the following commands to view the extended ACLs of the crontab directory. ls -ld /usr/sbin/cron ls -ld /usr/lib/cron ls -ld /usr/bin/crontab ls -ld /private/var/at/cron.deny If the permissions include a '+', the directory has an extended ACL, this is a finding.

Fix: F-32886r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <crontab directory>

Checks: C-37647r1_chk

Open a terminal session and enter the following command to view the ACLs of the cron.deny file. ls -l /private/var/at/cron.deny If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32888r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /private/var/at/cron.deny

Checks: C-37649r1_chk

Open a terminal session and enter the following command to verify the group ownership of the cron.allow file. ls -lL /private/var/at/cron.allow If the file exists and is not group owned by wheel, this is a finding.

Fix: F-32890r1_fix

Open a terminal session and enter the following command. chgrp wheel /private/var/at/cron.allow

Checks: C-37650r1_chk

Open a terminal session and enter the following command to verify the group ownership of the "/private/var/at/cron.deny" file. ls -lL /private/var/at/cron.deny If the "/private/var/at/cron.deny" file is not group owned by wheel, this is a finding.

Fix: F-32891r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /private/var/at/cron.deny

Checks: C-37656r1_chk

Open a terminal session and use the following command to verify the system does not allow core dumps. sysctl -a | grep kern.coredump If kern.coredump is not set to 0, this is a finding.

Fix: F-32897r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following entry. kern.coredump=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37658r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.icmp.bmcastecho". sysctl -a | grep net.inet.icmp.bmcastecho If the value is not set to "1", this is a finding.

Fix: F-32899r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.icmp.bmcastecho=1 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37659r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.sourceroute". sysctl -a | grep net.inet.ip.sourceroute If the value of "net.inet.ip.sourceroute" is not set to "0", this is a finding.

Fix: F-32900r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.sourceroute=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37660r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.accept_sourceroute". sysctl -a | grep net.inet.ip.accept_sourceroute If the value of "net.inet.ip.accept_sourceroute" is not set to "0", this is a finding.

Fix: F-32901r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.accept_sourceroute=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37661r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.icmp.drop_redirect". sysctl -a | grep net.inet.icmp.drop_redirect If the value of "net.inet.icmp.drop_redirect" is not set to "0", this is a finding.

Fix: F-32902r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.icmp.drop_redirect=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37662r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.redirect". sysctl -a | grep net.inet.ip.redirect If the value of "net.inet.ip.redirect" is not set to "0", this is a finding.

Fix: F-32903r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.redirect=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

Checks: C-37663r1_chk

Open a terminal session and enter the following command to verify the group ownership of the /etc/services file. ls -lL /etc/services If the /etc/services file is not group owned by wheel, this is a finding.

Fix: F-32904r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /etc/services

Checks: C-37664r1_chk

Open a terminal session and enter the following command to view the /etc/services file extended ACLs. ls -lL /etc/services If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32905r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/services

Checks: C-37665r1_chk

Open a terminal session and enter the following command to view the "/usr/sbin/traceroute" file extended ACLs. ls -lL /usr/sbin/traceroute If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32906r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /usr/sbin/traceroute

Checks: C-37666r1_chk

Open a terminal session and use the following command to verify the group ownership of the /etc/aliases file. ls -lL /etc/aliases If the /etc/aliases file is not group owned by wheel, this is a finding.

Fix: F-32907r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /etc/aliases

Checks: C-37668r1_chk

Open a terminal session and enter the following command to view the /etc/aliases file extended ACLs. ls -lL /etc/aliases If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32908r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/aliases

Checks: C-37669r1_chk

Open a terminal session and enter the following command to view the /etc/syslog.conf file extended ACLs. ls -lL /etc/syslog.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32909r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/syslog.conf

Checks: C-38307r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/sshd_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher not starting with "3DES" or "AES", this is a finding.

Fix: F-33597r1_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" to remove any ciphers not starting with "3DES" or "AES".

Checks: C-38312r1_chk

Open a terminal session and enter the following command. grep ciphers /etc/sshd_config If no lines are returned, or the returned ciphers list contains any cipher ending with CBC, this is a finding.

Fix: F-33601r1_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" and remove any ciphers ending with "CBC". If necessary, add a Ciphers line.

Checks: C-38315r1_chk

Open a terminal session and enter the following command. grep -i macs /etc/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-33604r2_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" and remove any MACs other than "hmac-sha1". If there is no MACs line in "/etc/sshd_config", add "MACs hmac-sha1" to the file. Restart the SSH daemon for the changes to take effect.

Checks: C-38317r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher not starting with "3DES" or "AES", this is a finding.

Fix: F-33606r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any ciphers not starting with "3DES" or "AES".

Checks: C-38319r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher ending with "CBC", this is a finding.

Fix: F-33608r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any ciphers ending with "CBC".

Checks: C-38321r1_chk

Open a terminal session and enter the following command. grep -i macs /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-33611r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any MACs other than "hmac-sha1".

Checks: C-37670r1_chk

Open a terminal session and enter the following command to view the /etc/smb.conf file extended ACLs. ls -lL /etc/smb.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32910r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/smb.conf

Checks: C-37671r1_chk

Open a terminal session and enter the following command to verify the permissions are set to the original installation settings. diskutil verifyPermissions /

Fix: F-32911r1_fix

Open a terminal session and enter the following command to reset the permissions to the original installation settings. diskutil repairPermissions /

Checks: C-37512r1_chk

Open a terminal session and enter the following command to verify the permissions. ls -Ll /etc/openldap/ldap.conf If the permissions are not set to 644, this is a finding.

Fix: F-32760r1_fix

Open a terminal session and enter the following command to set permissions on the file. chmod 644 /etc/openldap/ldap.conf

Checks: C-37536r1_chk

Open a terminal session and enter the following command to verify the owner. ls -Ll /etc/openldap/ldap.conf If the owner is not set to root, this is a finding.

Fix: F-32782r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/openldap/ldap.conf

Checks: C-37537r1_chk

Open a terminal session and enter the following command to verify the group owner. ls -Ll /etc/openldap/ldap.conf If the file is not group-owned by wheel, this is a finding.

Fix: F-32783r1_fix

Open a terminal session and use the following command to set the group owner of the file. chgrp wheel /etc/openldap/ldap.conf

Checks: C-37538r1_chk

Open a terminal session and enter the following command to verify the /etc/openldap/ldap.conf has no extended ACLs. ls -lL /etc/openldap/ldap.conf If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32784r1_fix

Open a terminal session and enter the following command to remove the ACLs. chmod -RN /etc/openldap/ldap.conf

Checks: C-29318r1_chk

Determine if the system's local firewall implements a deny-all, allow-by-exception policy. If it does not, this is a finding.

Fix: F-26350r1_fix

Configure the system's local firewall to implement a deny-all, allow-by-exception policy.

Checks: C-37513r1_chk

Open a terminal session and enter the following command to verify group ownership of the files. ls -Ll /var/audit If any file is not group owned by wheel, this is a finding.

Fix: F-32761r1_fix

Open a terminal session and enter the following command to change group ownership of the file. chgrp wheel /var/audit/ <audit file>

Checks: C-37676r1_chk

Verify unnecessary packages are not installed. Open a terminal session and enter the following command. pkgutil / --pkgs Review the packages installed, determine if the installed packages are needed. If not, then this is a finding.

Fix: F-32916r1_fix

Review the packages installed using the following command. pkgutil / --pkgs Determine if the installed packages are needed. If not, verify any dependencies and use the rm command to remove them.

Checks: C-35869r1_chk

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Verify there are no easy to guess administrator account names. If any accounts have easy to guess names, this is a finding.

Fix: F-31124r1_fix

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Rename or recreate accounts with difficult-to-guess names.

Checks: C-35870r1_chk

Open a terminal session and use the following command to view the setting for maximum password age. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of "maxMinutesUntilChangePassword" is greater than 86400 or set to "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword If the value of "maxMinutesUntilChangePassword" is greater than 86400, this is a finding. NOTE: The value of "0" will disable this setting and must not be used.

Fix: F-34540r1_fix

Open a terminal session and use the following command to set the value for maxMinutesUntilChangePassword. sudo pwpolicy -n -setglobalpolicy "maxMinutesUntilChangePassword=86400" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=86400"

Checks: C-35877r1_chk

Open a terminal session and enter the following command to view the setting for minimum password length. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minChars If the value of minChars is less than 15, this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minChars If the value of minChars is less than 15, this is a finding.

Fix: F-31132r1_fix

Open a terminal session and use the following command to set the value for minimum password length. sudo pwpolicy -n -setglobalpolicy "minChars=15" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "minChars=15"

Checks: C-35881r1_chk

Open a terminal session and use the following command to view the setting for "password cannot be name". sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName If the value of "passwordCannotBeName" is not equal to "1", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName If the value of "passwordCannotBeName" is not equal to "1", this is a finding.

Fix: F-31136r1_fix

Open a terminal session and use the following command to set the value for "password cannot be name". sudo pwpolicy -n -setglobalpolicy "passwordCannotBeName=1" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "passwordCannotBeName=1"

Checks: C-35886r1_chk

Open a terminal session and use the following command to view the setting for Account lockout duration. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the value of "minutesUntilFailedLoginReset" is greater than "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the value of "minutesUntilFailedLoginReset" is greater than "0", this is a finding.

Fix: F-31142r1_fix

Open a terminal session and use the following command to set the value for account lockout duration. sudo pwpolicy -n -setglobalpolicy "minutesUntilFailedLoginReset=0" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "minutesUntilFailedLoginReset=0"

Checks: C-35887r1_chk

Open a terminal session and use the following command to view the setting for account lockout threshold. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts If the value of "maxFailedLoginAttempts" is more than "3", or set to "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts If the value of "maxFailedLoginAttempts" is more than "3", or set to "0", this is a finding.

Fix: F-31143r1_fix

Open a terminal session and use the following command to set the value for account lockout threshold. sudo pwpolicy -n -setglobalpolicy "maxFailedLoginAttempts=3" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=3"

Checks: C-35889r1_chk

Open a terminal session and enter the following command. sudo softwareupdate --list or sudo softwareupdate --list --all Review the result for proper versions and current patch level. GUI procedures: 1. Choose Apple (?) &gt; Software Update. 2. Select Scheduled Check &amp; Installed Updates. 3. Verify all current software updates are installed. If the current software updates are not installed, this is a finding. NOTE: This check does not show third party software or updates.

Fix: F-28170r2_fix

Install current software updates and patches. NOTE: Do not enable Automatic Updating as this will conflict with V-25298.

Checks: C-35890r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist. IO80211Family.kext If the file exists, this is a finding.

Fix: F-31145r1_fix

Open a terminal session and enter the following commands. srm -rf /System/Library/Extensions/IO80211Family.kext touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

Checks: C-35892r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following files do NOT exist. IOBluetoothFamily.kext IOBluetoothHIDDriver.kext If any file exists, this is a finding.

Fix: F-31148r1_fix

Open a terminal session and enter the following commands to remove the files. srm -rf /System/Library/Extensions/IOBluetoothFamily.kext srm -rf /System/Library/Extensions/IOBluetoothHIDDriver.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

Checks: C-37727r1_chk

Open a terminal session and view the /System/Library/Extensions/ folder if any of the following files exist, this is a finding. AppleUSBAudio.kext IOAudioFamily.kext

Fix: F-34553r1_fix

Open a terminal session and enter the following commands. srm -rf /System/Library/Extensions/AppleUSBAudio.kext srm -rf /System/Library/Extensions/IOAudioFamily.kext touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

Checks: C-35894r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist: Apple_iSight.kext. Control click the IOUSBFamily.kext and select Show Package Contents. Open the /Contents/PlugIns/ folder. Ensure the following file does NOT exist: AppleUSBVideoSupport.kext If any of the files exist, this is a finding.

Fix: F-31151r1_fix

Open a terminal session and enter the following commands to remove the files. sudo srm -rf /System/Library/Extensions/Apple_iSight.kext sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/Plugins/AppleUSBVideoSupport.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

Checks: C-35898r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist. AppleIRController.kext If the file exists, this is a finding.

Fix: F-31156r1_fix

Open a terminal session and enter the following commands to remove the file. srm -rf /System/Library/Extensions/AppleIRController.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

Checks: C-37753r2_chk

If the following DoD warning banner is not displayed at the top of the login panel before entering the user name and password, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." NOTE: Any OS versions that do not support the full text version must state the following: "I've read &amp; consent to terms in IS user agreem't." NOTE: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

Fix: F-32996r2_fix

Open a terminal session and enter the following command. sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Log off the system and verify the banner is displayed at the login screen.

Checks: C-37729r2_chk

Open a terminal session. The warning banner should be displayed in the terminal. If the following DoD warning banner is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: Any OS versions not supporting the full text version must state the following: "I've read and consent to terms in IS user agreem't". Note: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

Fix: F-32973r1_fix

1. Open a terminal session 2. Verify the /etc/motd file exists. If not, use the touch command to create the file. 3. Edit the file and enter the appropriate DoD warning banner information. 4. Save the file. 5. Open a new terminal session and verify the banner is displayed.

Checks: C-37730r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Connection tab and verify "Encrypt using SSL" is selected. If "Encrypt using SSL" is not selected, this is a finding.

Fix: F-32974r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Connection tab and select "Encrypt using SSL".

Checks: C-37731r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, this is a finding.

Fix: F-32975r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and select "Use authentication when connecting".

Checks: C-35899r1_chk

Open a terminal session and enter the following command. ls -ld &lt;users home directory&gt; If permissions are not set to 700, this is a finding.

Fix: F-31157r1_fix

Open a terminal session and enter the following command. sudo chmod 700 <user’s home directory>

Checks: C-37733r1_chk

Open a terminal session and run the following command. sudo launchctl list Verify "com.apple.auditd" appears. If the file does not appear, this is a finding.

Fix: F-32977r1_fix

Open a terminal session and run the following command. sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

Checks: C-37734r1_chk

Open a terminal session and enter the following command view the audit flags. more /etc/security/audit_control file. Review the entries and ensure the line includes the following: flags: lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. If the file does not contain the appropriate flags, this is a finding.

Fix: F-32978r1_fix

Open a terminal session and edit the /etc/security/audit_control file. Find the line beginning with "flags". Replace that line with the following: flags:lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. Save the file.

Checks: C-37735r1_chk

Open a terminal session and enter the following command. more /etc/newsyslog.conf If the count values are not set to "14", this is a finding.

Fix: F-32979r1_fix

Open a terminal session and edit the following file and set the count value(s) to "14". /etc/newsyslog.conf

Checks: C-37736r1_chk

Open a terminal session and enter the following command. more /etc/syslog.conf Ensure the name or IP address of the site's log server is listed as "your.log.server". If the name or IP address of the log server is not listed, this is a finding.

Fix: F-32980r1_fix

Open a terminal session and enter the following command. sudo pico /etc/syslog.conf Add the following line to the top of the file, replacing "your.log.server" with the name or IP address of the log server, and keeping all other lines intact. *.* @your.log.server Exit, saving changes. Reboot the system.

Checks: C-37738r1_chk

Open a terminal session and enter the following command. more /etc/sshd_config Ensure the value "PermitRootLogin" is set to "No". If the value "PermitRootLogin" is not set to "No", this is a finding. NOTE: If the line starts with a # sign this is a comment and the command to disable root login would be invalid regardless of the value, this is a finding.

Fix: F-32982r1_fix

Open a terminal session and enter the following command. sudo pico /etc/sshd_config Edit the value "PermitRootLogin" and set it to "No". Save the file.

Checks: C-35900r1_chk

1. Open a terminal session and enter the following command. more /etc/sshd_config 2. Ensure the value Protocol is set to "2". If the value Protocol is not set to "2", this is a finding.

Fix: F-31158r1_fix

1. Open a terminal session and enter the following command. sudo pico /etc/sshd_config 2. Edit the value "Protocol" and set it to "2". 3. Save the file.

Checks: C-37740r1_chk

Open a terminal session and navigate to the /System/Library/PreferencePanes folder. Ensure the following file does NOT exist. MobileMe.prefPane If this file exists, this is a finding.

Fix: F-32984r1_fix

Open a terminal session and enter the following command to remove the file. sudo rm -R /System/Library/PreferencePanes/MobileMe.prefPane

Checks: C-37741r1_chk

Open a terminal session and enter the following command. defaults read com.apple.SoftwareUpdate CatalogURL The value returned is the current Software Update Server. Verify it is an approved SUS. If no value is returned, the system is using a default Apple Update Server and this is a finding. NOTE: If the system is not using an authorized DoD SUS server, it should point to a null address.

Fix: F-32985r1_fix

Open a terminal session and enter the following command. defaults write com.apple.SoftwareUpdate CatalogURL 'new_SUS_URL' (Where 'new_SUS_URL' is the URL or the address of the appropriate government SUS to be used.)

Checks: C-35905r1_chk

Open a terminal session and enter the following command. more /etc/authorization Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, this is a finding.

Fix: F-31163r1_fix

Open a terminal session and edit the following file. /etc/authorization Change "authenticate-session-owner-or-admin " to "authenticate-session-owner" in the "system.login.screensaver" key. Save the file.

Checks: C-37687r1_chk

Open a terminal session and enter the following command. ls -la /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent Verify the file permissions are set to 755 or more restrictive. If not, this is a finding.

Fix: F-32930r1_fix

Open a terminal session and enter the following command. chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Checks: C-37698r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/ipcs Ensure the file permissions are set to 511. If the permission is not the same or more restrictive, this is a finding.

Fix: F-32939r1_fix

Open a terminal session and enter the following command. chmod 511 /usr/bin/ipcs

Checks: C-37699r1_chk

Open a terminal session and enter the following command. ls -ld /bin/rcp Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32940r1_fix

Open a terminal session and enter the following command. chmod 555 /bin/rcp

Checks: C-37700r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/rlogin Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32941r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/bin/rlogin

Checks: C-37701r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/rsh Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32942r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/bin/rsh

Checks: C-37702r1_chk

Open a terminal session and enter the following command. ls -ld /usr/lib/sa/sadc Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32943r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/lib/sa/sadc

Checks: C-37744r1_chk

Open a terminal session and enter the following command. softwareupdate --schedule Verify "Automatic check" is off. If the option is not off, this is a finding.

Fix: F-32988r1_fix

Open a terminal session and enter the following command to disable the auto update feature. softwareupdate --schedule off

Checks: C-35907r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow guests to login to this computer" option is unchecked. If the option is checked, this is a finding.

Fix: F-31165r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow guests to login to this computer".

Checks: C-35908r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow Guests to connect to shared folders" option is unchecked. If the option is checked, this is a finding.

Fix: F-31166r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow Guests to connect to shared folders".

Checks: C-35910r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Select Login Options. 3. Ensure "Display login window as:" is set to "Name &amp; password". If the option is not set to "Name &amp; Password", this is a finding.

Fix: F-31168r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Set "Display login window as:" to 'Name & password'.

Checks: C-35919r1_chk

Open System Preferences-&gt;Accounts Panel. Select Login Options. Ensure the "Show fast user switching menu as" is not checked. If the option is checked, this is a finding.

Fix: F-31176r1_fix

Open System Preferences->Accounts Panel. Select Login Options. Deselect "Show fast user switching menu as" to disable this option.

Checks: C-37746r1_chk

Open System Preferences-&gt;Desktop &amp; Screen Saver. Select the screen saver tab. Ensure the "Start screen saver" slider is set to 15 minutes or less. If not, this is a finding.

Fix: F-32990r1_fix

Open System Preferences->Desktop & Screen Saver. Select the screen saver tab. Set the "Start screen saver" slider to 15 minutes or less.

Checks: C-35934r1_chk

Open System Preferences-&gt;Exposé &amp; Spaces, Exposé pane. Ensure no corners are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account. If any account is set to disable screen savers via corners, this is a finding. NOTE: Do this for each user on the system.

Fix: F-31189r1_fix

Open System Preferences->Exposé & Spaces, Exposé pane. Remove any corners which are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account.

Checks: C-37748r1_chk

Open System Preferences -&gt; Bluetooth. Click Advanced. Ensure "Allow Bluetooth devices to wake this computer" is not checked. If the option is checked, this is a finding.

Fix: F-32992r1_fix

Open System Preferences -> Bluetooth. Click Advanced. Deselect "Allow Bluetooth devices to wake this computer".

Checks: C-35935r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select AirPort. Ensure the "Status" is set to "Off". If the service is not set to off or removed, this is a finding.

Fix: F-31191r1_fix

Open System Preferences - > Network. From the list of hardware devices, select AirPort. Set this service to "Off" by clicking the gear sign and selecting "Turn service off". Remove service if required by site requirements by clicking the minus sign.

Checks: C-37749r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select Bluetooth. Ensure the "Status" is set to "Inactive". If the service is not inactive or removed, this is a finding.

Fix: F-32993r1_fix

Open System Preferences - > Network. From the list of hardware devices, select Bluetooth. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose "Manually".)

Checks: C-37750r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select Firewire. Ensure the "Status" is set to "Inactive". If the service is not set to inactive or removed, this is a finding.

Fix: F-32994r1_fix

Open System Preferences - > Network. From the list of hardware devices, select Firewire. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose "Manually".)

Checks: C-35937r1_chk

Open System Preferences - &gt; Network. Click Advanced. Click the TCP/IP tab. Ensure "Configure IPv6" is set to "Off". If the option is not set to "Off", this is a finding. NOTE: This must be checked on all network interfaces.

Fix: F-31194r1_fix

Open System Preferences - > Network. Click Advanced. Click the TCP/IP tab and set "Configure IPv6" to "Off", if not actively being used. NOTE: This must be disabled on each network interface.

Checks: C-37755r1_chk

Open a terminal session and enter the following command. defaults -currentHost read com.apple.screensaver askForPassword -int If the action value is not set to "1", this is a finding.

Fix: F-32998r1_fix

Open a terminal session and enter the following command. defaults -currentHost write com.apple.screensaver askForPassword -int 1

Checks: C-35945r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Require password to unlock each System Preferences Pane" is checked. If option is not checked, this is a finding.

Fix: F-31201r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Require password to unlock each System Preferences Pane".

Checks: C-35955r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Use Secure Virtual Memory" is checked. If option is not checked, this is a finding.

Fix: F-31209r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Use Secure Virtual Memory".

Checks: C-37756r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Disable remote control infrared receiver" is checked. If the option is not checked, this is a finding.

Fix: F-32999r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable remote control infrared receiver".

Checks: C-37758r1_chk

Open System Preferences-&gt;Security. Select Firewall tab. Select Advanced (firewall should be started). Either "Block all incoming connections" should be checked or only essential services and applications should be allowed. If not, this is a finding.

Fix: F-33002r1_fix

Open System Preferences -> Security. Select Firewall tab. Select the Advanced button. Check "Block all incoming connections" or remove any non-essential services and applications.

Checks: C-35957r1_chk

Open a terminal session and enter the following command. sudo ipfw print If no line contains "deny icmp from any to me in icmptypes 8" or a more restrictive rule, this is a finding.

Fix: F-31212r1_fix

Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>org.freebsd.ipfw</string> <key>Program</key> <string>/sbin/ipfw</string> <key>ProgramArguments</key> <array> <string>/sbin/ipfw</string> <string>/etc/ipfw.conf</string> </array> <key>RunAtLoad</key> <true /> </dict> </plist> Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number, a line number, may need to be changed if another line already begins with that number). Add 20 deny icmp from any to me in icmptypes 8

Checks: C-35958r1_chk

Open System Preferences-&gt;Sharing. Ensure "DVD or CD Sharing" service does not have the "On" box checked. If the box is checked, this is a finding.

Fix: F-31214r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "DVD or CD Sharing" service.

Checks: C-35961r1_chk

Open System Preferences-&gt;Sharing. Ensure "Screen Sharing" service does not have the "On" box checked. If the box is checked, this is a finding.

Fix: F-31217r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Screen Sharing" service.

Checks: C-35966r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "File Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31222r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "File Sharing" service.

Checks: C-35969r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Printer Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31224r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Printer Sharing" service.

Checks: C-35973r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On'" box for "Web Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31228r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Web Sharing" service.

Checks: C-35976r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Remote Login" service is not checked. If the box is checked, this is a finding.

Fix: F-31230r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Login" service.

Checks: C-35982r1_chk

Open System Preferences-&gt;Sharing. Ensure the "On" box for "Remote Management" service is not checked. If the box is checked, this is a finding.

Fix: F-31236r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Remote Management" service.

Checks: C-35984r1_chk

Open System Preferences-&gt;Sharing. Ensure the "On" box for "Remote Apple Events" service is not checked. If the box is checked, this is a finding.

Fix: F-31238r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Remote Apple Events" service.

Checks: C-35989r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Xgrid Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31241r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Xgrid Sharing" service.

Checks: C-35990r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Internet Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31244r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Internet Sharing" service.

Checks: C-35994r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Bluetooth Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31247r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Bluetooth Sharing" service.

Checks: C-37761r1_chk

NOTE: If you are not using the Mac Mail Application, this check does not apply. Choose Mail &gt; Preferences, and then click Accounts. Select an account, and then click Advanced. Ensure "Use SSL" is selected. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). If not, this is a finding. Click Account Information. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. From the server list, select the outgoing mail server, and then click Advanced. Ensure Secure Socket Layer (SSL) is selected. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). If not, this is a finding.

Fix: F-33005r1_fix

Choose Mail > Preferences, Click Accounts. Select an account, Click Advanced. Select "Use SSL". From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). Click Account Information. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. From the server list, select your outgoing mail server and then click Advanced. Select "Secure Socket Layer (SSL)". From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). Close the preferences window, and then click "Save" in the message that appears.

Checks: C-36002r1_chk

1. Open Finder &gt; Preferences &gt; Sidebar. 2. Ensure the iDisk icon is not selected. If the option is selected, this is a finding. This must be done for each user on the system.

Fix: F-31254r1_fix

1. Open Finder -> Preferences -> Sidebar. 2. De-select the iDisk icon. This must be done for each user on the system.

Checks: C-37772r1_chk

Interview the SA to determine if equipment is located in a controlled access area.

Fix: F-33018r1_fix

Relocate equipment to a controlled access area.

Checks: C-36006r1_chk

Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account (which provides no individual identification and accountability) is mitigated. NOTE: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if the machine is stand-alone and has no access to the network.

Fix: F-31258r1_fix

Remove any shared accounts not meeting the exception requirements listed.

Checks: C-37763r1_chk

Open a terminal session and enter one of the following commands. sudo softwareupdate --list OR sudo softwareupdate --list --all Review the results and verify the system is at the current release level. If not, this is a finding.

Fix: F-33007r1_fix

Install the current OS updates and patches.

Checks: C-36014r1_chk

Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location.

Fix: F-28299r2_fix

Create and maintain an emergency administrator account for emergency situations.

Checks: C-36017r1_chk

Interview the SA or IAM to determine if the site has a policy requiring the default and backup administrator passwords to be changed at least annually or when any member of the administrative team leaves the organization.

Fix: F-31266r1_fix

Define a policy for required password changes for the default and backup administrator account.

Checks: C-36020r1_chk

The site should have a local policy ensuring passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.

Fix: F-31269r1_fix

Create application/service account passwords at least 15 characters in length and meet complexity requirements. Change of application/service account passwords are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.

Checks: C-37765r1_chk

Open System Preferences. Click the Security Icon. Click the General Tab. Ensure "Activate screen saver when login token is removed" option is selected. If the option is not selected, this is a finding. NOTE: If you are not using a smart card application, this check does not apply. NOTE: This configuration option is still available if a smart card application is not installed.

Fix: F-33010r1_fix