Apple OS X 10.8 (Mountain Lion) Workstation STIG

The Apple OS X 10.8 (Mountain Lion) Workstation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2015-02-10

Updated At: 2018-09-23 02:01:22

Findings

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-65405r1_rule OSX8-00-00110 CCI-000016 MEDIUM The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account. When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as
    SV-65441r1_rule OSX8-00-00930 CCI-000366 MEDIUM The login window must be configured to prompt for username and password, rather than show a list of users. The login window must be configured to prompt for username and password, rather than show a list of users.
    SV-65443r1_rule OSX8-00-00935 CCI-000366 MEDIUM The ability for administrative accounts to unlock Screen Saver must be disabled. The ability for administrative accounts to unlock Screen Saver must be disabled.
    SV-65445r1_rule OSX8-00-00980 CCI-000366 MEDIUM All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed. All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed.
    SV-65447r1_rule OSX8-00-00985 CCI-000366 MEDIUM User home directories must not have extended ACLs. User home directories must not have extended ACLs.
    SV-65449r1_rule OSX8-00-00990 CCI-000366 MEDIUM Device files and directories must only be writable by users with a system account or as configured by the vendor. Device files and directories must only be writable by users with a system account or as configured by the vendor.
    SV-65451r1_rule OSX8-00-00995 CCI-000366 HIGH The sudoers file must be configured to authenticate users on a per-tty basis. Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits authorization to the termina
    SV-65453r1_rule OSX8-00-01000 CCI-000366 HIGH The sudoers file must be configured to require authentication on every use. Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits the use of the sudo command
    SV-65455r1_rule OSX8-00-01005 CCI-000366 MEDIUM All files and directories contained in user home directories must be group-owned by a group of which the home directorys owner is a member. All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is n
    SV-65457r1_rule OSX8-00-01010 CCI-000366 MEDIUM All files and directories contained in interactive user home directories must be owned by the home directorys owner. All files and directories contained in interactive user home directories must be owned by the home directory's owner.
    SV-65459r1_rule OSX8-00-01015 CCI-000366 MEDIUM The default global umask setting must be changed for user applications. The default global umask setting must be changed for user applications.
    SV-65461r1_rule OSX8-00-01020 CCI-000366 MEDIUM The default global umask setting must be changed for system processes. The default global umask setting must be configured correctly for system processes.
    SV-65463r1_rule OSX8-00-01025 CCI-000366 MEDIUM Local logging must be enabled. Local logging must be enabled.
    SV-65465r1_rule OSX8-00-01030 CCI-000366 MEDIUM Newsyslog must be correctly configured to rotate log files. Newsyslog needs to be correctly configured to rotate log files.
    SV-65467r1_rule OSX8-00-01035 CCI-000366 MEDIUM Administrator accounts must be created with difficult-to-guess names. Administrator accounts must be created with difficult-to-guess names.
    SV-65469r1_rule OSX8-00-01040 CCI-000366 MEDIUM The system must not use .forward files. The system must not use .forward files.
    SV-65471r1_rule OSX8-00-01045 CCI-000366 MEDIUM Active Directory Access must be securely configured to sign all packets. Active Directory Access must be securely configured to sign all packets.
    SV-65473r1_rule OSX8-00-01050 CCI-000366 MEDIUM Active Directory Access must be securely configured to encrypt all packets. Active Directory Access must be securely configured to encrypt all packets.
    SV-65475r1_rule OSX8-00-01055 CCI-000366 LOW iTunes Store must be disabled. iTunes Store must be disabled.
    SV-65477r1_rule OSX8-00-01060 CCI-000366 MEDIUM An Emergency Administrator Account must be created. An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. This emergency account should have a UID less than "500", and be hidden f
    SV-65479r1_rule OSX8-00-01065 CCI-000366 MEDIUM The root account must be the only account having a UID of 0. The root account must be the only account having a UID of "0".
    SV-65481r1_rule OSX8-00-01075 CCI-000366 LOW Finder must be set to always empty Trash securely. Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.
    SV-65483r1_rule OSX8-00-01080 CCI-000366 MEDIUM The application firewall must be enabled. The application firewall must be enabled.
    SV-65485r1_rule OSX8-00-01090 CCI-000366 MEDIUM The system must not be allowed to restart after a power failure. The system must not be allowed to restart after a power failure.
    SV-65487r1_rule OSX8-00-01100 CCI-000366 MEDIUM Fast User Switching must be disabled. Fast User Switching must be disabled.
    SV-65489r1_rule OSX8-00-01105 CCI-000366 MEDIUM Kernel core dumps must be disabled unless needed. Kernel core dumps must be disabled unless needed.
    SV-65491r1_rule OSX8-00-01110 CCI-000366 MEDIUM All public directories must be owned by root or an application account. All public directories must be owned by root or an application account.
    SV-65493r1_rule OSX8-00-01115 CCI-000366 MEDIUM The system must not have the finger service active. The system must not have the finger service active.
    SV-65495r2_rule OSX8-00-01120 CCI-000366 MEDIUM The sticky bit must be set on all public directories. The sticky bit must be set on all public directories.
    SV-65497r1_rule OSX8-00-01125 CCI-000366 MEDIUM The prompt for Apple ID and iCloud must be disabled. The prompt for Apple ID and iCloud must be disabled.
    SV-65499r1_rule OSX8-00-01130 CCI-000366 MEDIUM Users must not have Apple IDs signed into iCloud. Users should not have Apple ID's signed into iCloud.
    SV-65501r1_rule OSX8-00-01135 CCI-000366 LOW Spotlight Panel must be securely configured. Spotlight Panel must be securely configured.
    SV-65503r1_rule OSX8-00-01140 CCI-000366 LOW iTunes Music Sharing must be disabled. iTunes Music Sharing must be disabled.
    SV-65505r1_rule OSX8-00-01145 CCI-000366 MEDIUM All setuid executables on the system must be vendor-supplied. All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs
    SV-65507r1_rule OSX8-00-01150 CCI-000366 LOW iTunes Radio must be disabled. iTunes Radio must be disabled.
    SV-65509r1_rule OSX8-00-01155 CCI-000366 LOW iTunes Podcasts must be disabled. iTunes Podcasts must be disabled.
    SV-65511r1_rule OSX8-00-01165 CCI-000366 MEDIUM Unnecessary packages must not be installed. Unnecessary packages must not be installed.
    SV-65513r1_rule OSX8-00-01175 CCI-000366 MEDIUM The centralized process core dump data directory must be owned by root. The centralized process core dump data directory must be owned by root.
    SV-65515r1_rule OSX8-00-01180 CCI-000366 MEDIUM The centralized process core dump data directory must have mode 0750 or less permissive. The centralized process core dump data directory must have mode "0750' or less permissive.
    SV-65517r1_rule OSX8-00-01185 CCI-000366 MEDIUM The centralized process core dump data directory must be group-owned by admin. The centralized process core dump data directory must be group-owned by admin.
    SV-65519r1_rule OSX8-00-01190 CCI-000366 MEDIUM The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address. The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
    SV-65521r1_rule OSX8-00-01195 CCI-000366 MEDIUM The system must not accept source-routed IPv4 packets. The system must not accept source-routed IPv4 packets.
    SV-65523r1_rule OSX8-00-01200 CCI-000366 MEDIUM The system must ignore IPv4 ICMP redirect messages. The system must ignore IPv4 ICMP redirect messages.
    SV-65525r1_rule OSX8-00-01205 CCI-000366 MEDIUM IP forwarding for IPv4 must not be enabled, unless the system is a router. IP forwarding for IPv4 must not be enabled, unless the system is a router.
    SV-65527r1_rule OSX8-00-01210 CCI-000366 MEDIUM The system must not send IPv4 ICMP redirects by default. The system must not send IPv4 ICMP redirects by default.
    SV-65529r1_rule OSX8-00-01215 CCI-000366 MEDIUM The system must prevent local applications from generating source-routed packets. The system must prevent local applications from generating source-routed packets.
    SV-65531r1_rule OSX8-00-01220 CCI-000366 MEDIUM The system must not process Internet Control Message Protocol [ICMP] timestamp requests. The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
    SV-65533r1_rule OSX8-00-01225 CCI-000366 MEDIUM Audio recording support software must be disabled. Audio recording support software must be disabled.
    SV-65535r1_rule OSX8-00-01235 CCI-000366 MEDIUM Unused network devices must be disabled. Unused network devices must be disabled.
    SV-65537r1_rule OSX8-00-01245 CCI-000366 MEDIUM Stealth Mode must be enabled on the firewall. Stealth Mode must be enabled on the firewall.
    SV-65539r1_rule OSX8-00-01260 CCI-000366 MEDIUM Secure virtual memory must be used. Secure virtual memory must be used.
    SV-65541r1_rule OSX8-00-01265 CCI-000366 MEDIUM The Operating System must be current and at the latest release level. The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.
    SV-65543r1_rule OSX8-00-00618 CCI-000185 MEDIUM The CRLStyle option must be set correctly. A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path
    SV-65549r1_rule OSX8-00-00795 CCI-001100 MEDIUM A host-based firewall must be installed. Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation on the public internet.
    SV-65551r1_rule OSX8-00-01240 CCI-001100 MEDIUM System Preferences must be securely configured so IPv6 is turned off if not being used. System Preferences must be securely configured so IPv6 is turned off if not being used.
    SV-65553r1_rule OSX8-00-00810 CCI-001112 MEDIUM DoD proxies must be configured on all active network interfaces. A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside of learning IP addresses within the private network. With a proxy acting as the me
    SV-65557r1_rule OSX8-00-00715 CCI-001133 MEDIUM The SSH daemon ClientAliveInterval option must be set correctly. This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivi
    SV-65561r1_rule OSX8-00-00720 CCI-001133 MEDIUM The SSH daemon ClientAliveCountMax option must be set correctly. This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivi
    SV-65563r1_rule OSX8-00-00945 CCI-001133 LOW The SSH daemon LoginGraceTime must be set correctly. LoginGraceTime must be securely configured in /etc/sshd_config.
    SV-65565r1_rule OSX8-00-00725 CCI-001144 HIGH The FIPS administrative and cryptographic modules must be installed correctly. Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
    SV-65569r1_rule OSX8-00-01251 CCI-001150 MEDIUM Video recording support software must be disabled. Video recording support software must be disabled.
    SV-65575r1_rule OSX8-00-00750 CCI-001159 MEDIUM The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification A
    SV-65577r1_rule OSX8-00-00755 CCI-001166 MEDIUM The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code. Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Posts
    SV-65581r1_rule OSX8-00-00780 CCI-001199 MEDIUM The operating system must protect the confidentiality and integrity of information at rest. This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary
    SV-65583r1_rule OSX8-00-00835 CCI-001233 MEDIUM The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation. Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with
    SV-65587r1_rule OSX8-00-00840 CCI-001237 MEDIUM The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components. The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response acti
    SV-65591r1_rule OSX8-00-00815 CCI-001314 MEDIUM System log files must be owned by root:wheel. If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.
    SV-65595r1_rule OSX8-00-00820 CCI-001314 MEDIUM System log files must have the correct permissions. System log files should have the correct permissions.
    SV-65597r1_rule OSX8-00-00825 CCI-001314 MEDIUM System log files must not contain ACLs. System log files should not contain ACLs.
    SV-65599r1_rule OSX8-00-00875 CCI-001274 MEDIUM The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications. Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Automated alarming mechanisms provide the appr
    SV-65603r1_rule OSX8-00-00395 CCI-001348 MEDIUM The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited. Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the
    SV-65605r1_rule OSX8-00-00195 CCI-001384 MEDIUM The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access. Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information s
    SV-65607r1_rule OSX8-00-00445 CCI-000370 MEDIUM The operating system must employ automated mechanisms to centrally manage configuration settings. Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including param
    SV-65609r1_rule OSX8-00-00785 CCI-001200 MEDIUM The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary
    SV-65611r1_rule OSX8-00-00055 CCI-000066 MEDIUM The operating system must enforce requirements for remote connections to the information system. The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.
    SV-65613r1_rule OSX8-00-01170 CCI-000066 MEDIUM The operating system must enforce requirements for remote connections to the information system. Screen Sharing must be disabled.
    SV-65615r1_rule OSX8-00-00125 CCI-001403 MEDIUM The operating system must automatically audit account modification. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is
    SV-65617r1_rule OSX8-00-00130 CCI-001404 MEDIUM The operating system must automatically audit account disabling actions. When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events affecting user accessibility and operating sys
    SV-65619r1_rule OSX8-00-00135 CCI-001405 MEDIUM The operating system must automatically audit account termination. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The operating system must audit and notify, as required, to mitigate t
    SV-65621r1_rule OSX8-00-00155 CCI-001414 MEDIUM The system firewall must be configured with a default-deny policy. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the infor
    SV-65623r1_rule OSX8-00-01270 CCI-001414 MEDIUM Internet Sharing must be disabled. Internet Sharing must be disabled.
    SV-65625r1_rule OSX8-00-01275 CCI-001414 MEDIUM Web Sharing must be disabled. Web Sharing must be disabled.
    SV-65627r1_rule OSX8-00-00050 CCI-001436 HIGH The rsh service must be disabled. Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other e
    SV-65629r1_rule OSX8-00-01325 CCI-001452 MEDIUM The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
    SV-65631r1_rule OSX8-00-00040 CCI-001453 MEDIUM The operating system must use cryptography to protect the integrity of remote access sessions. Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is not used to protect these sessions, then the session data t
    SV-65635r1_rule OSX8-00-00045 CCI-001454 MEDIUM The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to security functions (e.g., user management, audit log manageme
    SV-65637r1_rule OSX8-00-00380 CCI-001493 MEDIUM The operating system must protect audit tools from unauthorized access. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage applicatio
    SV-65639r1_rule OSX8-00-00385 CCI-001494 MEDIUM The operating system must protect audit tools from unauthorized modification. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage applicatio
    SV-65641r1_rule OSX8-00-00390 CCI-001495 MEDIUM The operating system must protect audit tools from unauthorized deletion. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage applicatio
    SV-65643r1_rule OSX8-00-00435 CCI-001499 MEDIUM The operating system must limit privileges to change software resident within software libraries (including privileged programs). When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Only qualified and
    SV-65645r1_rule OSX8-00-00760 CCI-001662 MEDIUM The operating system must take corrective actions, when unauthorized mobile code is identified. Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Posts
    SV-65647r1_rule OSX8-00-00120 CCI-000018 MEDIUM The operating system must support the requirement to automatically audit on account creation. Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process will ensure an audit trail which documents the creation of
    SV-65649r1_rule OSX8-00-00065 CCI-000086 LOW The Bluetooth protocol driver must be removed. Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can be accessed. The organization will define the requirements
    SV-65651r1_rule OSX8-00-00070 CCI-000086 MEDIUM Wi-Fi support software must be disabled. Wi-Fi support software must be disabled.
    SV-65653r1_rule OSX8-00-00170 CCI-000040 MEDIUM The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. The auditing system must be configured to audit authentication and authorization events.
    SV-65655r1_rule OSX8-00-00955 CCI-000086 MEDIUM Bluetooth devices must not be allowed to wake the computer. Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer.
    SV-65657r1_rule OSX8-00-00965 CCI-000086 MEDIUM Bluetooth Sharing must be disabled. Bluetooth Sharing must be disabled.
    SV-65659r1_rule OSX8-00-00185 CCI-000048 LOW The operating system must display the DoD-approved system use notification message or banner before granting access to the system. The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far as auditing and monitoring are concerned.
    SV-65661r1_rule OSX8-00-00400 CCI-001496 MEDIUM The auditing tool, praudit, must be the one provided by Apple, Inc. Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessme
    SV-65663r1_rule OSX8-00-00940 CCI-000048 MEDIUM The input menu must not be shown in the login window. Input menu must not be shown in login window.
    SV-65665r1_rule OSX8-00-00405 CCI-001496 MEDIUM The auditing tool, auditreduce, must be the one provided by Apple, Inc. The auditing tool, auditreduce, should be the one provided by Apple, Inc.
    SV-65667r1_rule OSX8-00-00410 CCI-001496 MEDIUM The auditing tool, audit, must be the one provided by Apple, Inc. The auditing tool, audit, should be the one provided by Apple, Inc.
    SV-65669r1_rule OSX8-00-00200 CCI-000052 MEDIUM The operating system, upon successful logon, must display to the user the date and time of the last logon (access). Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an o
    SV-65671r1_rule OSX8-00-00415 CCI-001496 MEDIUM The auditing tool, auditd, must be the one provided by Apple, Inc. The auditing tool, auditd, should be the one provided by Apple, Inc.
    SV-65673r1_rule OSX8-00-00915 CCI-000366 MEDIUM Shared User Accounts must be disabled. Shared User Accounts must be disabled.
    SV-65675r1_rule OSX8-00-00020 CCI-000056 MEDIUM The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Once invoked, the session lock shall remain
    SV-65677r1_rule OSX8-00-00920 CCI-000366 MEDIUM A password must be required to unlock each System Preference Pane. A password must be required to access locked System Preferences.
    SV-65679r1_rule OSX8-00-01085 CCI-000056 LOW Automatic logout due to inactivity must be disabled. Automatic logout due to inactivity must be disabled.
    SV-65681r1_rule OSX8-00-00925 CCI-000366 MEDIUM Automatic login must be disabled. Automatic login must be disabled.
    SV-65683r1_rule OSX8-00-00010 CCI-000057 MEDIUM The operating system must initiate a session lock after the organization-defined time period of inactivity. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The organization defines the period of ina
    SV-65685r1_rule OSX8-00-01095 CCI-000057 MEDIUM The ability to use corners to disable the screen saver must be disabled. The ability to use corners to disable the screen saver must be disabled.
    SV-65687r1_rule OSX8-00-00005 CCI-000060 LOW The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfu
    SV-65689r1_rule OSX8-00-00030 CCI-000067 MEDIUM The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by a user (or an information system) communicating through an
    SV-65691r1_rule OSX8-00-00035 CCI-000068 HIGH The rexec service must be disabled. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any access to an organizational information system by a us
    SV-65693r1_rule OSX8-00-00060 CCI-000085 MEDIUM The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellula
    SV-65695r1_rule OSX8-00-00085 CCI-000087 MEDIUM Automatic actions must be disabled for blank CDs. Automatic actions must be disabled for blank CDs.
    SV-65697r1_rule OSX8-00-00090 CCI-000087 MEDIUM Automatic actions must be disabled for blank DVDs. Automatic actions must be disabled for blank DVDs.
    SV-65699r1_rule OSX8-00-00095 CCI-000087 MEDIUM Automatic actions must be disabled for music CDs. Automatic actions must be disabled for music CDs.
    SV-65701r1_rule OSX8-00-00105 CCI-000087 MEDIUM Automatic actions must be disabled for video DVDs. Automatic actions must be disabled for video DVDs.
    SV-65703r1_rule OSX8-00-00295 CCI-000137 MEDIUM The operating system must allocate audit record storage capacity. Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event
    SV-65705r1_rule OSX8-00-00300 CCI-000138 MEDIUM The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event
    SV-65707r1_rule OSX8-00-01355 CCI-000140 MEDIUM The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). It is critical that, when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit
    SV-65709r1_rule OSX8-00-00305 CCI-000143 MEDIUM The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capaci
    SV-65711r1_rule OSX8-00-00310 CCI-000144 MEDIUM The operating system must provide a real-time alert when organization-defined audit failure events occur. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capaci
    SV-65717r1_rule OSX8-00-00700 CCI-001019 MEDIUM The operating system must employ cryptographic mechanisms to protect information in storage. When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk gui
    SV-65719r1_rule OSX8-00-00690 CCI-000888 MEDIUM The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the integrity and confidentiality of non-loca
    SV-65721r1_rule OSX8-00-00695 CCI-000877 MEDIUM The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems includes the ability to ac
    SV-65725r1_rule OSX8-00-00115 CCI-001682 MEDIUM The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account. When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as
    SV-65729r1_rule OSX8-00-00575 CCI-000776 MEDIUM The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_
    SV-65733r1_rule OSX8-00-00570 CCI-000774 MEDIUM The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_
    SV-65737r1_rule OSX8-00-01230 CCI-000770 MEDIUM The root account must be disabled for interactive use. The root account must be disabled for interactive use.
    SV-65739r1_rule OSX8-00-00565 CCI-000770 MEDIUM The SSH PermitRootLogin option must be set correctly. To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all ac
    SV-65741r1_rule OSX8-00-00711 CCI-000663 MEDIUM End users must not be able to override Gatekeeper settings. Gatekeeper settings must be configured correctly.
    SV-65745r1_rule OSX8-00-00710 CCI-000663 MEDIUM The system must allow only applications downloaded from the App Store to run. Gatekeeper settings must be configured correctly.
    SV-65747r1_rule OSX8-00-00705 CCI-000663 MEDIUM A configuration profile must exist to restrict launching of applications. The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose
    SV-65749r1_rule OSX8-00-00560 CCI-000537 LOW The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives. Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizatio
    SV-65751r1_rule OSX8-00-00555 CCI-000535 LOW The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives. Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recov
    SV-65753r1_rule OSX8-00-02050 CCI-000382 LOW AirDrop must be disabled. AirDrop must be disabled.
    SV-65757r1_rule OSX8-00-00550 CCI-000382 MEDIUM The system must not have the UUCP service active. The system must not have the UUCP service active.
    SV-65759r1_rule OSX8-00-00545 CCI-000382 MEDIUM Bonjour multicast advertising must be disabled on the system. Bonjour multicast advertising must be disabled on the system.
    SV-65761r1_rule OSX8-00-00535 CCI-000382 MEDIUM Location Services must be disabled. Location Services must be disabled.
    SV-65763r1_rule OSX8-00-00532 CCI-000382 MEDIUM Find My Mac messenger must be disabled. Find My Mac messenger must be disabled.
    SV-65765r1_rule OSX8-00-00531 CCI-000382 MEDIUM Find My Mac must be disabled. Find My Mac must be disabled.
    SV-65767r1_rule OSX8-00-00530 CCI-000382 MEDIUM Sending diagnostic and usage data to Apple must be disabled. Sending diagnostic and usage data to Apple must be disabled.
    SV-65769r1_rule OSX8-00-00975 CCI-000381 MEDIUM Remote Apple Events must be disabled. Remote Apple Events must be disabled.
    SV-65771r1_rule OSX8-00-00520 CCI-000381 MEDIUM The system preference panel iCloud must be removed. The system preference panel iCloud must be removed.
    SV-65775r1_rule OSX8-00-00515 CCI-000381 LOW The application Mail must be removed. The application Mail must be removed.
    SV-65777r1_rule OSX8-00-00510 CCI-000381 LOW The application Contacts must be removed. The application Contacts must be removed.
    SV-65779r1_rule OSX8-00-00505 CCI-000381 LOW The application Calendar must be removed. The application Calendar must be removed.
    SV-65781r1_rule OSX8-00-00500 CCI-000381 MEDIUM The application App Store must be removed. The application App Store must be removed.
    SV-65785r1_rule OSX8-00-00495 CCI-000381 LOW The application Image Capture must be removed. The application Image Capture must be removed.
    SV-65789r1_rule OSX8-00-00490 CCI-000381 MEDIUM The application Messages must be removed. The application Messages must be removed.
    SV-65791r1_rule OSX8-00-00485 CCI-000381 LOW The application iTunes must be removed. The application iTunes must be removed.
    SV-65793r1_rule OSX8-00-00481 CCI-000381 LOW The application Game Center must be disabled. The application Game Center must be disabled.
    SV-65803r1_rule OSX8-00-00480 CCI-000381 LOW The application Game Center must be removed. The application Game Center must be removed.
    SV-65805r1_rule OSX8-00-00475 CCI-000381 LOW The application FaceTime must be removed. The application FaceTime must be removed.
    SV-65807r1_rule OSX8-00-00470 CCI-000381 LOW The application Chess must be removed. The application Chess must be removed.
    SV-65811r1_rule OSX8-00-00465 CCI-000381 LOW The application Photo Booth must be removed. The application Photo Booth must be removed.
    SV-65813r1_rule OSX8-00-00460 CCI-000381 MEDIUM Application Restrictions must be enabled. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions) and will redu
    SV-65815r1_rule OSX8-00-00144 CCI-000381 MEDIUM The racoon daemon must be disabled. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict
    SV-65819r1_rule OSX8-00-00143 CCI-000381 MEDIUM The NFS stat daemon must be disabled. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict
    SV-65829r1_rule OSX8-00-00142 CCI-000381 MEDIUM The NFS lock daemon must be disabled. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict
    SV-65831r1_rule OSX8-00-00325 CCI-000160 LOW The system must be configured to set the time automatically from a network time server. The system must be configured to set the time automatically from a network time server.
    SV-65833r1_rule OSX8-00-00330 CCI-000160 MEDIUM The network time server must be an authorized DoD time source. The system must be configured to set the time automatically from a network time server. The network time server must be an authorized DoD time source.
    SV-65835r1_rule OSX8-00-00335 CCI-000162 MEDIUM Audit Log files must have the correct permissions. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. Audit Log files should have the correct permissions. To ensure
    SV-65837r1_rule OSX8-00-00340 CCI-000162 MEDIUM Audit log files must be owned by root:wheel. Audit log files should be owned by root:wheel.
    SV-65839r1_rule OSX8-00-00141 CCI-000381 MEDIUM The NFS daemon must be disabled. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict
    SV-65841r1_rule OSX8-00-00345 CCI-000162 MEDIUM Audit log files must not contain ACLs. Audit log files should not contain ACLs.
    SV-65843r1_rule OSX8-00-00140 CCI-000381 MEDIUM Apple File Sharing must be disabled. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict
    SV-65845r1_rule OSX8-00-00350 CCI-000163 MEDIUM Audit Log files must have the correct permissions. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit i
    SV-65849r1_rule OSX8-00-00455 CCI-000372 MEDIUM The operating system must employ automated mechanisms to centrally verify configuration settings. Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including param
    SV-65851r1_rule OSX8-00-00355 CCI-000163 MEDIUM Audit log files must be owned by root:wheel. Audit log files should be owned by root:wheel.
    SV-65853r1_rule OSX8-00-00365 CCI-000164 MEDIUM The audit log folder must be owned by root:wheel. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit in
    SV-65855r1_rule OSX8-00-00450 CCI-000371 MEDIUM Configuration profiles must be applied to the system. Configuration settings are the configurable security-related parameters of the operating system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control
    SV-65857r1_rule OSX8-00-00370 CCI-000164 MEDIUM The audit log folder must have the correct permissions. The audit log folder should have correct permissions.
    SV-65861r1_rule OSX8-00-00375 CCI-000164 MEDIUM The audit log folder must not have ACLs. The audit log folder should not have ACLs.
    SV-65863r1_rule OSX8-00-00205 CCI-000166 MEDIUM The audit log folder must have correct permissions. Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file,
    SV-65865r1_rule OSX8-00-00430 CCI-000352 HIGH The Security assessment policy subsystem must be enabled. Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical
    SV-65867r1_rule OSX8-00-00210 CCI-000166 MEDIUM The audit log folder must be owned by root:wheel. Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file,
    SV-65869r1_rule OSX8-00-00215 CCI-000166 MEDIUM The audit log folder must be owned by root:wheel. Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file,
    SV-65873r1_rule OSX8-00-00630 CCI-000366 MEDIUM The password-related hint field must not be used. The password-related hint field must not be used.
    SV-65875r1_rule OSX8-00-00220 CCI-000166 MEDIUM The audit log folder must have correct permissions. Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file,
    SV-65877r1_rule OSX8-00-00225 CCI-000166 MEDIUM The audit log files must not contain ACLs. The audit log files should not contain ACLs.
    SV-65881r1_rule OSX8-00-00240 CCI-000169 MEDIUM The operating system must provide audit record generation capability for the auditable events defined at the organizational level for the organization-defined information system components. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events) for example, time
    SV-65883r1_rule OSX8-00-00245 CCI-000172 MEDIUM The flags option must be set in /etc/security/audit_control. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).
    SV-65885r1_rule OSX8-00-00590 CCI-000205 MEDIUM The operating system must enforce minimum password length. Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The sho
    SV-65887r1_rule OSX8-00-00950 CCI-000172 MEDIUM The OS X firewall must have logging enabled. Firewall logging must be enabled. This requirement is NA if HBSS is used.
    SV-65889r1_rule OSX8-00-00230 CCI-000174 MEDIUM The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all ev
    SV-65891r1_rule OSX8-00-00615 CCI-000185 MEDIUM The OCSPStyle option must be set correctly. A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path
    SV-65893r1_rule OSX8-00-00616 CCI-000185 MEDIUM The OCSPSufficientPerCert option must be set correctly. A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path
    SV-65895r1_rule OSX8-00-00617 CCI-000185 MEDIUM The RevocationFirst option must be set correctly. A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path
    SV-65897r1_rule OSX8-00-00605 CCI-000197 HIGH The telnet service must be disabled. Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.
    SV-65899r1_rule OSX8-00-00600 CCI-000196 MEDIUM There must be no .netrc files on the system. Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. There must be no ".netrc" files on the system.
    SV-65901r1_rule OSX8-00-00619 CCI-000185 MEDIUM The CRLSufficientPerCert option must be set correctly. A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path
    SV-65995r1_rule OSX8-00-01465 CCI-001069 MEDIUM The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
    SV-66059r1_rule OSX8-00-00100 CCI-000087 MEDIUM Automatic actions must be disabled for picture CDs. Automatic actions must be disabled for picture CDs.
    SV-66061r1_rule OSX8-00-00080 CCI-000086 MEDIUM Bluetooth support software must be disabled. Bluetooth support software must be disabled.
    SV-66145r1_rule OSX8-00-00075 CCI-000086 MEDIUM Infrared [IR] support must be removed. Infrared [IR] support must be removed.
    SV-68075r1_rule OSX8-00-00845 CCI-000366 MEDIUM The FireWire protocol driver must be removed or disabled. Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must
    SV-68077r1_rule OSX8-00-00850 CCI-000366 MEDIUM The USB mass storage driver must be removed or disabled. Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must
    SV-68079r1_rule OSX8-00-00855 CCI-000366 MEDIUM The Apple Storage Drivers must be removed or disabled. Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must
    SV-68081r1_rule OSX8-00-00860 CCI-000366 MEDIUM The iPod Driver must be removed. Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must
    SV-68083r1_rule OSX8-00-02055 CCI-000366 MEDIUM All users must use PKI authentication for login and privileged access. Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emerg
    SV-68085r1_rule OSX8-00-02060 CCI-000366 MEDIUM The system must be integrated into a directory services infrastructure. Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active Directory, allow centralized management of users and passwords.
    SV-68087r1_rule OSX8-00-00862 CCI-000366 MEDIUM The usbmuxd daemon must be disabled. Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices.