Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
To view the currently selected screen saver for the logged in user, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep moduleName If there is no result or defined "moduleName", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep idleTime The check should return a value of "900" or less for idleTime. If not, this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the system will prompt users to enter their passwords to unlock the screensaver, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPassword If there is no result, or if "askForPassword" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check to make sure the audit daemon is configured to log all logon events, both local and remote, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control The flag "lo" should be included in the list of flags set. If it is not, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
The Network Time Protocol ("NTP") service must be enabled on all networked systems. To check if the service is running, use the following command: /usr/bin/sudo /bin/launchctl list | grep org.ntp.ntpd If nothing is returned, this is a finding. To ensure that an authorized NTP server is configured, run the following command or examine /etc/ntp.conf: /usr/bin/sudo /usr/bin/grep ^server /etc/ntp.conf Only approved time servers should be configured for use. If no server is configured, or if an unapproved time server is in use, this is a finding.
To enable the "NTP" service, run the following command: /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/org.ntp.ntpd.plist To configure one or more time servers for use, edit /etc/ntp.conf and enter each hostname or ip address on a separate line, prefixing each one with the keyword "server".
To check the ownership of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | grep -v current The results should show the owner (third column) to be "root". If not, this is a finding.
For any log file that returns an incorrect owner, run the following command: /usr/bin/sudo chown root [audit log file] [audit log file] is the full path to the log file in question.
To check the ownership of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the owner (third column) to be "root". If not, this is a finding.
For any log folder that has an incorrect owner, run the following command: /usr/bin/sudo chown root [audit log folder]
To check the group-ownership of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current The results should show the group owner (fourth column) to be "wheel". If not, this is a finding.
For any log file that returns an incorrect group-owner, run the following command: /usr/bin/sudo chgrp wheel [audit log file] [audit log file] is the full path to the log file in question.
To check the group-ownership of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the group (fourth column) to be "wheel", if not, this is a finding.
For any log folder that has an incorrect group, run the following command: /usr/bin/sudo chgrp wheel [audit log folder]
To check the permissions of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current The results should show the permissions (first column) to be "440" or less permissive, if not, this is a finding.
For any log file that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 440 [audit log file] [audit log file] is the full path to the log file in question.
To check the permissions of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the permissions (first column) to be "700" or less permissive, if not, this is a finding.
For any log folder that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 700 [audit log folder]
To check if a log file contains ACLs, run the following commands: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current In the output from the above commands, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If any such line exists, this is a finding.
For any log file that contains ACLs, run the following command: /usr/bin/sudo chmod -N [audit log file]
To check if a log folder contains ACLs, run the following commands: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') In the output from the above commands, ACLs will be listed under any folder that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If any such line exists, this is a finding.
For any log folder that contains ACLs, run the following command: /usr/bin/sudo chmod -N [audit log folder]
To check if the "rexec" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.rexecd If the results do not show the following, this is a finding. "com.apple.rexecd" => true
To disable the "rexec" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.rexecd The system may need to be restarted for the update to take effect.
To check if the "rshd" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.rshd If the results do not show the following, this is a finding. "com.apple.rshd" => true
To disable the "rshd" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.rshd The system may need to be restarted for the update to take effect.
To check if the Screen Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing If the results do not show the following, this is a finding. "com.apple.screensharing" => true
To disable the Screen Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing The system may need to be restarted for the update to take effect.
If Bluetooth connectivity is required to facilitate use of approved external devices, this is not applicable. To check if Bluetooth is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableBluetooth If there is no result, or if "DisableBluetooth" is not set to "1", this is a finding.
This setting is enforced using the "Bluetooth Policy" configuration profile.
If the system requires Wi-Fi to connect to an authorized network, this is not applicable. To check if the Wi-Fi network device is disabled, run the following command: /usr/bin/sudo /usr/sbin/networksetup -listallnetworkservices A disabled device will have an asterisk in front of its name. If the Wi-Fi device is missing this asterisk, this is a finding.
To disable the Wi-Fi network device, run the following command: /usr/bin/sudo /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
To check if IR support is disabled, run the following command: /usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled If the result is not "0", this is a finding.
To disable IR, run the following command: /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool FALSE
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.blank.cd.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.blank.dvd.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for music CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.cd.music.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for picture CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.cd.picture.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for video DVDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.dvd.video.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
Password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. To check if the password policy is configured to disable a temporary account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory server, this is a finding. Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.
This setting may be enforced using a configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current policy file, substituting the correct user name in place of username: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 > pwpolicy.plist Open the resulting password policy file in a text editor. If other policy settings are present, and the line "<key>policyCategoryAuthentication</key>" already exists, insert the following text after the <array> tag that immediately follows it: <dict> <key>policyContent</key> <string>policyAttributeCurrentTime < policyAttributeCreationTime + 259299</string> <key>policyIdentifier</key> <string>Disable Temporary Account</string> </dict> At a minimum, edit the file to ensure that it contains the following text: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime < policyAttributeCreationTime + 259299</string> <key>policyIdentifier</key> <string>Disable Temporary Account</string> </dict> </array> </dict> </plist> After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of username: /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies pwpolicy.plist
By default, "auditd" only logs errors to syslog. To see if audit has been configured to print error messages to the console, run the following command: /usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn If the argument "-s" is missing, or if audit_warn has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.
To make "auditd" log errors to standard error as well as "syslogd", run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control If this returns no results, or does not contain "25", this is a finding.
Edit the /etc/security/audit_control file, and change the value for "minfree" to "25". Use the following command to set the "minfree" value to "25%": /usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control If this returns no results, or does not contain "7d" or a larger value, this is a finding.
Edit the /etc/security/audit_control file, and change the value for 'expire-after' to the amount of time audit logs should be kept for the system. Use the following command to set the "expire-after" value to "7d": /usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
If an emergency account has been created on the system, check the expiration settings of a local account using the following command, replacing username with the correct value: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is output, ensure that the account policies do not restrict the ability to log on after a certain date or amount of time, if they do, this is a finding.
To remove all pwpolicy settings for an emergency account, run the following command, replacing username with the correct value: /usr/bin/sudo /usr/bin/pwpolicy -u username clearaccountpolicies Otherwise, to change the password policy for an emergency account and only remove some policy sections, run the following command to save a copy of the current policy file for the specified username: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 > pwpolicy.plist Open the resulting password policy file in a text editor and remove any policyContent sections that would restrict the ability to log on after a certain date or amount of time. To remove the section cleanly, remove the entire text that begins with <dict>, contains the like <key>policyContent<'/key>, and ends with </dict>. After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies pwpolicy.plist
In order to view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "ad" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
If SMB File Sharing is required, this is not applicable. To check if the SMB File Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd If the results do not show the following, this is a finding. "com.apple.smbd" => true
To disable the SMB File Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd The system may need to be restarted for the update to take effect.
To check if the Apple File (AFP) Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AppleFileServer If the results do not show the following, this is a finding. "com.apple.AppleFileServer" => true
To disable the Apple File (AFP) Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.AppleFileServer The system may need to be restarted for the update to take effect.
If the NFS daemon is required, this is not applicable. To check if the NFS daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd If the results do not show the following, this is a finding. "com.apple.nfsd" => true
To disable the NFS daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd The system may need to be restarted for the update to take effect.
If the NFS lock daemon is required, this is not applicable. To check if the NFS lock daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.lockd If the results do not show the following, this is a finding. "com.apple.lockd" => true
To disable the NFS lock daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.lockd The system may need to be restarted for the update to take effect.
If the NFS stat daemon is required, this is not applicable. To check if the NFS stat daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.statd.notify If the results do not show the following, this is a finding. "com.apple.statd.notify" => true
To disable the NFS stat daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.statd.notify The system may need to be restarted for the update to take effect.
The system firewall must be configured with a "default-deny" policy. Ask the SA or ISSO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no firewall installed on the system, this is a finding. If there is a firewall installed and it is not configured with a "default-deny" policy, this is a finding.
Install an approved HBSS or firewall solution onto the system and configure it with a "default-deny" policy.
For systems that allow remote access through SSH, run the following command to ensure that /etc/banner exists: /bin/ls -l /etc/banner If /etc/banner does not exist, this is a finding. The banner text of the document MUST read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not worded exactly this way, this is a finding.
For systems that allow remote access through SSH, create a plain text file containing the required text and save it as /etc/banner.
To check if the audit service is running, use the following command: /usr/bin/sudo /bin/launchctl list | /usr/bin/grep com.apple.auditd If nothing is returned, the audit service is not running, this is a finding.
To enable the audit service, run the following command: /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
In order to view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Logon events are logged by way of the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the /Library/Security folder. Run this command to show the contents of that folder: /bin/ls -l /Library/Security/PolicyBanner.rtf* If neither "PolicyBanner.rtf" nor "PolicyBanner.rtfd" exists, this is a finding. The banner text of the document MUST read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not worded exactly this way, this is a finding.
Create a RTF formatted file containing the required text. Name the file "PolicyBanner.rtf" or "PolicyBanner.rtfd" and place it in /Library/Security/
For systems that allow remote access through SSH, run the following command to ensure that /etc/banner is displayed before granting access: # /usr/bin/grep Banner /etc/ssh/sshd_config If the sshd Banner configuration option does not point to "/etc/banner", this is a finding.
For systems that allow remote access through SSH, modify the /etc/ssh/sshd_config file to add or update the following line: Banner /etc/banner
To check the status of the Security assessment policy subsystem, run the following command: /usr/bin/sudo /usr/sbin/spctl --status | /usr/bin/grep enabled If nothing is returned, this is a finding.
To enable the Security assessment policy subsystem, run the following command: /usr/bin/sudo /usr/sbin/spctl --master-enable
System Integrity Protection is a security feature, enabled by default, that protects certain system processes and files from being modified or tampered with. The current status of "System Integrity Protection" can be checked with the following command: /usr/bin/csrutil status If the result does not show the following, this is a finding. System Integrity Protection status: enabled.
To re-enable "System Integrity Protection", boot the affected system into "Recovery" Mode, launch "Terminal" from the "Utilities" menu, and run the following command: /usr/bin/csrutil enable
To check if the system has a configuration profile applied, run the following command: sudo /usr/bin/profiles -H If there are no profiles installed, this is a finding.
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. Built-in applications such as "FaceTime", "Game Center", "Mail", "Contacts", "Calendar", "Reminders", "Notes", and "Messages" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "FaceTime" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = FaceTime;" If anything is returned, this is a finding. Built-in applications such as "FaceTime" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Game Center" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "GKFeatureGameCenterAllowed = 0;" If nothing is returned, this is a finding.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Messages" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Messages;" If anything is returned, this is a finding. Built-in applications such as "Messages" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Calendar" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Calendar;" If anything is returned, this is a finding. Built-in applications such as "Calendar" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Reminders" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Reminders;" If anything is returned, this is a finding. Built-in applications such as "Reminders" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Contacts" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Contacts;" If anything is returned, this is a finding. Built-in applications such as "Contacts" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Mail" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Mail;" If anything is returned, this is a finding. Built-in applications such as "Mail" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
To check if there is a configuration policy defined for "Application Restrictions", run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "familyControlsEnabled = 1;" If nothing is returned, this is a finding. To check if "Notes" is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "displayName = Notes;" If anything is returned, this is a finding. Built-in applications such as "Notes" should be evaluated against mission needs and should only appear in the list of allowed applications if specifically required.
This setting is enforced using the "Applications Restrictions Policy" configuration profile.
Access to the "iCloud" and "Internet Accounts" preference panes must be disabled. To check if the system has the correct setting in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 'DisabledPreferencePanes' If nothing is returned, this is a finding. To check if "iCloud" has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep com.apple.preferences.icloud If nothing is returned, this is a finding. To check if "Internet Accounts" has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep com.apple.preferences.internetaccounts If nothing is returned, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
"Sending diagnostic & usage data to Apple" must be disabled. To check if a configuration profile is configured to enforce this setting, run the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep AutoSubmit If "AutoSubmit" is not set to "0", this is a finding. Alternately, the setting is found in System Preferences >> Security & Privacy >> Privacy >> Diagnostics & Usage. If the box that says "Send diagnostic & usage data to Apple" is checked, this is a finding.
This setting is enforced using the "Security Privacy Policy" configuration profile. The setting "Send diagnostic & usage data to Apple" is found in System Preferences >> Security & Privacy >> Privacy >> Diagnostics & Usage. Uncheck the box that says "Send diagnostic & usage data to Apple." To apply the setting from the command line, run the following commands: /usr/bin/defaults read "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit /usr/bin/sudo /usr/bin/defaults write "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit -bool false /usr/bin/sudo /bin/chmod 644 /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist /usr/bin/sudo /usr/bin/chgrp admin /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist
To check if the "Find My Mac" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.findmymacd If the results do not show the following, this is a finding. "com.apple.findmymacd" => true
To disable the "Find My Mac" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.findmymacd The system may need to be restarted for the update to take effect.
To check if the "Find My Mac messenger" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.findmymacmessenger If the results do not show the following, this is a finding. "com.apple.findmymacmessenger" => true
To disable the "Find My Mac messenger" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.findmymacmessenger The system may need to be restarted for the update to take effect.
"Location Services" must be disabled. To check if a configuration profile is configured to enforce this setting, run the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableLocationServices If "DisableLocationServices" is not set to "1", this is a finding. The setting is found in System Preferences >> Security & Privacy >> Privacy >> Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if the setting was applied on the command line, run the following command: /usr/bin/sudo /usr/bin/defaults read /private/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57` LocationServicesEnabled
This setting is enforced using the "Custom Policy" configuration profile. The setting "Enable Location Services" can be found in System Preferences >> Security & Privacy >> Privacy >> Location Services. Uncheck the box that says "Enable Location Services". It can also be set with the following command: /usr/bin/sudo /usr/bin/defaults write /private/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57` LocationServicesEnabled -bool false
Bonjour multicast advertising must be disabled on the system. To check if multicast advertisements have been disabled, run the following command: /usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.mDNSResponder | /usr/bin/grep NoMulticastAdvertisements If there is an error returned, or nothing returned, or "NoMulticastAdvertisements" is not set to "1", this is a finding.
To configure Bonjour to disable multicast advertising, run the following command: /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true The system will need to be restarted for the update to take effect.
To check if the "UUCP" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp If the results do not show the following, this is a finding. "com.apple.uucp" => true
To disable the "UUCP" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.uucp The system may need to be restarted for the update to take effect.
To check if SSH has "PermitRootLogin" enabled, run the following command: /usr/bin/sudo /usr/bin/grep ^PermitRootLogin /etc/ssh/sshd_config If there is no result, or the result is set to "yes", this is a finding.
In order to make sure that "PermitRootLogin" is disabled by sshd, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
To check which protocol is configured for sshd, run the following: /usr/bin/sudo /usr/bin/grep ^Protocol /etc/ssh/sshd_config If there is no result or the result is not "2", this is a finding.
In order to make sure that "Protocol 2" is used by sshd, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/ssh/sshd_config
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that passwords contain at least one numeric character: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep requireAlphanumeric If "requireAlphanumeric" is not set to "1" or is undefined, this is a finding. If password policy is set with the "pwpolicy utility", run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryPasswordContent</key>". If it does not exist, and password policy is not controlled by a directory server, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> that "matches" the variable "policyAttributePassword" to the regular expression "(.*[0-9].*){1,}+" or to a similar expression that will ensure the password contains a character in the range 0-9 one or more times. If this check allows users to create passwords without at least one numeric character, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current pwpolicy account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. Then, insert the following text after the opening <dict> tag and before the closing </dict> tag. The same text can also be used if the line "<key>policyCategoryPasswordContent</key>" is not present. <key>policyCategoryPasswordContent</key> <array> <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string> <key>policyIdentifier</key> <string>com.apple.policy.legacy.requiresNumeric</string> <key>policyParameters</key> <dict> <key>minimumNumericCharacters</key> <integer>1</integer> </dict> </dict> </array> If the file does contain policy settings, and the line "<key>policyCategoryPasswordContent</key>" does exist, insert the following text after the opening <array> tag that comes right after it: <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string> <key>policyIdentifier</key> <string>com.apple.policy.legacy.requiresNumeric</string> <key>policyParameters</key> <dict> <key>minimumNumericCharacters</key> <integer>1</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators.
Password policy can be set with a configuration profile or the pwpolicy utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that passwords contain at least one special character: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minComplexChars If "minComplexChars" is not set to "1" or is undefined, this is a finding. Run the following command to check if the system is configured to require that passwords not contain of repeated sequential characters or characters in increasing and decreasing sequential order: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowSimple If "allowSimple" is not set to "0" or is undefined, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server.
To check the currently applied policies for password and accounts, use the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minLength The parameter minLength should be "15". If it is less than "15", this is a finding.
This setting is enforced using the "Passcode Policy" configuration profile. Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators.
To check if the "telnet" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.telnetd If the results do not show the following, this is a finding. "com.apple.telnetd" => true
To disable the "telnet" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.telnetd The system may need to be restarted for the update to take effect.
To check to make sure only applications downloaded from the App Store are allowed to run, type the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep EnableAssessment If "EnableAssessment" is not set to "1", this is a finding. /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep AllowIdentifiedDevelopers If "AllowIdentifiedDevelopers" is not set to "1", this is a finding.
This setting is enforced using the "Security Privacy Policy" configuration profile.
To check to make sure the user cannot override "Gatekeeper" settings, type the following code: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableOverride If "DisableOverride" is not set to "1", this is a finding.
This setting is enforced using the "Security Privacy Policy" configuration profile.
The SSH daemon "ClientAliveInterval" option must be set correctly. To check the idle timeout setting for SSH sessions, run the following: /usr/bin/sudo /usr/bin/grep ^ClientAliveInterval /etc/ssh/sshd_config If the setting is not "600", this is a finding.
In order to make sure that "ClientAliveInterval" is set correctly, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/ssh/sshd_config
The SSH daemon "ClientAliveCountMax" option must be set correctly. To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: /usr/bin/sudo /usr/bin/grep ^ClientAliveCountMax /etc/ssh/sshd_config If the setting is not "ClientAliveCountMax 0", this is a finding.
In order to make sure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config
In order to view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Enforcement actions are logged by way of the "fm" flag, which audits permission changes, and "-fr" and "-fw", which denote failed attempts to read or write to a file. If "fm", "-fr", and "-fw" are not listed in the result of the check, this is a finding.
To set the audit flags to the recommended setting, run the following command to add the flags "fm", "-fr", and "-fw" all at once: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
These commands check for log files that exist on the system and print out the list of ACLs if there are any. /usr/bin/sudo ls -ld@ $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo ls -ld@ $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null ACLs will be listed under any file that may contain them, i.e., "0: group:admin allow list,readattr,reaadextattr,readsecurity". If any system log file contains this information, this is a finding.
For any log file that returns an ACL, run the following command: /usr/bin/sudo chmod -N [log file] [log file] is the full path to the log file in question.
These commands check for log files that exist on the system and print out the log with corresponding permissions. Run them from inside "/var/log": /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null The correct permissions on log files should be "640" or less permissive for system logs. Any file with more permissive settings is a finding.
For any log file that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 640 [log file] [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive. If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive.
Log files are controlled by "newsyslog" and "aslmanager". These commands check for log files that exist on the system and print out the log with corresponding ownership. Run them from inside "/var/log": /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null If there are any system log files that are not owned by "root" and group-owned by "wheel" or admin, this is a finding. Service logs may be owned by the service user account or group.
For any log file that returns an incorrect owner or group value, run the following command: /usr/bin/sudo chown root:wheel [log file] [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group. If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are either not present or are set to a service user account and group respectively.
In order to view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "lo" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
Password policy can be set with the "Passcode Policy" configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that users cannot reuse one of their five previously used passwords: system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory If "pinHistory" is not set to "5" or higher, or is undefined, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryPasswordContent</key>". If it does not exist, and password policy is not controlled by a directory server, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> such as "<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>". This searches for the hash of the user-entered password in the list of previous password hashes. In the "policyParameters" section that follows it, "policyAttributePasswordHistoryDepth" must be set to "5" or greater. If this parameter is not set to "5" or greater, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. If there already is a policy block that refers to password history, ensure it is set to "5". If the line "<key>policyCategoryPasswordContent</key>" is not present in the file, add the following text immediately after the opening <dict> tag in the file: <key>policyCategoryPasswordContent</key> <array> <dict> <key>policyContent</key> <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string> <key>policyIdentifier</key> <string>Password History</string> <key>policyParameters</key> <dict> <key>policyAttributePasswordHistoryDepth</key> <integer>5</integer> </dict> </dict> </array> If the line "<key>policyCategoryPasswordContent</key>" is already present in the file, the following text should be added just after the opening <array> tag that follows the line instead: <dict> <key>policyContent</key> <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string> <key>policyIdentifier</key> <string>Password History</string> <key>policyParameters</key> <dict> <key>policyAttributePasswordHistoryDepth</key> <integer>5</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require users to change their passwords every 60 days: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxPINAgeInDays If "maxPINAgeInDays" is not set to "60" or a shorter interval, or is undefined, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line <key>policyCategoryPasswordChange</key>. If it does not exist, and password policy is not controlled by a directory server, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> that compares the variable "policyAttributeLastPasswordChangeTime" to the variable "policyAttributeCurrentTime". It may contain additional variables defined in the "policyParameters" section that follows it. All comparisons are done in seconds. If this check allows users to log in with passwords older than "60" days, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. If there already is a policy block that refers to password expiration, ensure it is set to "60" days. If the line "<key>policyCategoryPasswordChange</key>" is not present in the file, add the following text immediately after the opening <dict> tag in the file: <key>policyCategoryPasswordChange</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Password Change Interval</string> <key>policyParameters</key> <dict> <key>policyAttributeExpiresEveryNDays</key> <integer>60</integer> </dict> </dict> </array> If the line "<key>policyCategoryPasswordChange</key>" is already present in the file, the following text should be added just after the opening <array> tag that follows the line instead: <dict> <key>policyContent</key> <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Password Change Interval</string> <key>policyParameters</key> <dict> <key>policyAttributeExpiresEveryNDays</key> <integer>60</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators.
To determine if the system is integrated to a directory server, ask the SA or ISSO or run the following command: /usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)' If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding.
Integrate the system into an existing directory services infrastructure.
Ask the SA or ISSO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If an account can log in to the system or gain privileged access without a smart card, and it is not an emergency account, this is a finding.
Implement PKI authentication using approved third-party PKI tools, to integrate with an existing directory services infrastructure or local password database, where no directory services infrastructure exists.
"AirDrop" must be disabled. To check if "AirDrop" has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAirDrop If "DisableAirDrop" is not set to "1", this is a finding.
Disabling "AirDrop" is enforced using the "Restrictions Policy" configuration profile.
The SSH daemon "LoginGraceTime" must be set correctly. To check the amount of time that a user can login through SSH, run the following command: /usr/bin/sudo /usr/bin/grep ^LoginGraceTime /etc/ssh/sshd_config If the value is not set to "30" or less, this is a finding.
In order to make sure that "LoginGraceTime" is configured correctly, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config
To view a list of installed certificates, run the following command: /usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | awk -F\" '{ print $4 }' If this list does not contain approved certificates, this is a finding.
Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from /Applications/Utilities to add certificates to the System keychain.
To check if "FileVault 2" is enabled, run the following command: /usr/bin/sudo /usr/bin/fdesetup status If "FileVault" is "Off" and the device is a laptop, this is a finding.
Open System Preferences >> Security and Privacy, and navigate to the "FileVault" tab. Use this panel to configure full-disk encryption. Alternately, from the command line, run the following command to enable "FileVault": /usr/bin/sudo /usr/bin/fdesetup enable After "FileVault" is initially set up, additional users can be added.
Ask the SA or ISSO if an approved tool capable of continuous scanning is loaded on the system. The recommended system is the McAfee HBSS. If no such tool is installed on the system, this is a finding.
Install an approved HBSS solution onto the system.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To ensure external USB drives are disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 3 harddisk-external If the option "eject,alert" is not set for "harddisk-external", this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
If the system is approved for management of iOS devices, this is not applicable. To check if the "usbmuxd" daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.usbmuxd If the results do not show the following, this is a finding. "com.apple.usbmuxd" => true
To disable the "usbmuxd" daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.usbmuxd The system may need to be restarted for the update to take effect.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the number of permitted failed logon attempts and the logon reset timer: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'maxFailedAttempts\|minutesUntilFailedLoginReset' If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding. If password policy is set with the "pwpolicy" utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory server, this is a finding. In the array that follows, there should be one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration or bugs in OS X may block password change and local user creation operations, as well as, lock out all local users, including administrators.
To view the setting for the audit control system, run the following command: sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt If there is no result, this is a finding.
Edit the "/etc/security/audit_control file", and change the value for policy to include the setting "ahlt". To programmatically do this, run the following command: sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; sudo /usr/sbin/audit -s
To check if the system is configured to automatically log on, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAutoLoginClient If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the login window is configured to prompt for user name and password, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SHOWFULLNAME If there is no result, or "SHOWFULLNAME" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
If HBSS is used, this is not applicable. To check if the OS X firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep on If the result does not show "on", this is a finding.
To enable the firewall logging, run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
To check if this setting is disabled run the following two commands as the primary user: /usr/bin/defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled /usr/bin/defaults read /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`.plist RemoteWakeEnabled If there is an error or nothing is returned, or the return value is "1" for either command, this is a finding.
This control needs to be manually changed on the computer by opening System Preferences >> Bluetooth, Click Advanced, and make sure the "Allow Bluetooth devices to wake this computer" is not checked. This control is not necessary if Bluetooth has been completely disabled. The following can be run from the command line to disable "Remote Wake" for the current user: /usr/bin/defaults write /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57`.plist RemoteWakeEnabled 0
To check if Bluetooth Sharing is enabled, open up System Preferences >> Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding. The following command can be run from the command line: /usr/bin/defaults read /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`.plist PrefKeyServicesEnabled If there is an error or nothing is returned, or the return value is "1", this is a finding.
To disable Bluetooth Sharing, open System Preferences >> Sharing and uncheck the box next to "Bluetooth Sharing". This control is not necessary if Bluetooth has been completely disabled. The following can be run from the command line to disable "Bluetooth Sharing" for the current user: /usr/bin/defaults write /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57`.plist PrefKeyServicesEnabled 0
To check if the "Remote Apple Events" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer If the results do not show the following, this is a finding. "com.apple.AEServer" => true
To disable the "Remote Apple Events" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer The system may need to be restarted for the update to take effect.
To check if the "tty_tickets" option is set for "/usr/bin/sudo", run the following command: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers If there is no result, this is a finding.
Edit the "/etc/sudoers" file to contain the line: Defaults tty_tickets This line can be placed in the defaults section or at the end of the file.
If an approved HBSS solution is installed, this is not applicable. To check if the OS X firewall has been enabled, run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is "disabled", this is a finding.
To enable the firewall run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
To display all directories that are writable by all and not owned by "root", run the following command: /usr/bin/sudo find / -type d -perm +o+w -not -uid 0 If anything is returned, and those directories are not owned by a local admin or application account, this is a finding.
To change the ownership of any finding, run the following command: /usr/bin/sudo find / -type d -perm +o+w -not -uid 0 -exec chown root {} \;
To check if the "finger" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.fingerd If the results do not show the following, this is a finding. "com.apple.fingerd" => true
To disable the "finger" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.fingerd The system may need to be restarted for the update to take effect.
Run the following command to view all world-writable directories that do not have the "sticky bit" set: /usr/bin/sudo /usr/bin/find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.
Run the following command to set the "sticky bit" on all world-writable directories: /usr/bin/sudo /usr/bin/find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
To check if the prompt for "Apple ID" and "iCloud" are disabled for new users, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipCloudSetup If "SkipCloudSetup" is not set to "1", this is a finding.
This setting is enforced using the "Disable iCloud Policy" configuration profile.
To see if any user account has configured an Apple ID for iCloud usage, run the following command: /usr/bin/sudo find /Users/ -name 'MobileMeAccounts.plist' -exec /usr/bin/defaults read '{}' \; If the results show any accounts listed, this is a finding.
This must be manually resolved. With the affected user logged in, open System Preferences >> iCloud. Choose "Sign Out".
To check if the iTunes music sharing is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep disableSharedMusic If "disableSharedMusic" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If available, provide a list of setuids provided by a vendor. To list all of the files with the "setuid" bit set, run the following command to send all results to a file named "suidfilelist": /usr/bin/sudo find / -perm -4000 -exec /bin/ls -ldb {} \; > suidfilelist If any of the files listed are not documented as needing to have the "setuid" bit set by the vendor, this is a finding.
Document all of the files with the "setuid" bit set. Remove any undocumented files.
To check if the system is configured to accept "source-routed" packets, run the following command: sysctl net.inet.ip.accept_sourceroute If the value is not "0", this is a finding.
To configure the system to not accept "source-routed" packets, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.accept_sourceroute=0
To check if the system is configured to ignore "ICMP redirect" messages, run the following command: sysctl net.inet.icmp.drop_redirect If the value is not "1", this is a finding.
To configure the system to ignore "ICMP redirect" messages, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.icmp.drop_redirect=1
To check if "IP forwarding" is enabled, run the following command: sysctl net.inet.ip.forwarding If the values are not "0", this is a finding.
To configure the system to disable "IP forwarding", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.forwarding=0
To check if "IP forwarding" is enabled, run the following command: sysctl net.inet6.ip6.forwarding If the values are not "0", this is a finding.
To configure the system to disable "IP forwarding", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet6.ip6.forwarding=0
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the number of permitted failed logon attempts: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'maxFailedAttempts' If "maxFailedAttempts" is not set to "3", this is a finding. If password policy is set with the "pwpolicy" utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory server, this is a finding. In the array that follows, there should one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its policyParameters section. If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line <key>policyCategoryAuthentication</key> already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration or bugs in OS X may block password change and local user creation operations, as well as, lock out all local users, including administrators.
Password policy can be set with a configuration profile or the pwpolicy utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the logon reset timer: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'minutesUntilFailedLoginReset' If "minutesUntilFailedLoginReset" is not set to "15", this is a finding. If password policy is set with the pwpolicy utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory server, this is a finding. In the array that follows, there should one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its "policyParameters section". If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. The following two lines within the configuration enforce lockout expiration to "15" minutes: <key>autoEnableInSeconds</key> <integer>900</integer> To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators.
To check if the "Web Sharing" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep org.apache.httpd If the results do not show the following, this is a finding. "org.apache.httpd" => true
To disable the "Web Sharing" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/org.apache.httpd The system may need to be restarted for the update to take effect.
To check if the "Internet Sharing" service is disabled, use the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'forceInternetSharingOff' If there is no result, or if "forceInternetSharingOff" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
To check if the system is configured to send "ICMP redirects", run the following command: sysctl net.inet.ip.redirect If the values are not set to "0", this is a finding.
To configure the system to not send "ICMP redirects", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.redirect=0
To check if the system is configured to send "ICMP redirects", run the following command: sysctl net.inet6.ip6.redirect If the values are not set to "0", this is a finding.
To configure the system to not send "ICMP redirects", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet6.ip6.redirect=0
To check if the system is configured to forward "source-routed" packets, run the following command: sysctl net.inet.ip.sourceroute If the value is not set to "0", this is a finding.
To configure the system to not forward "source-routed" packets, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.sourceroute=0
Ask the SA or ISSO if an approved anti-virus solution is loaded on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no local anti-virus solution installed on the system, this is a finding.
Install an approved anti-virus solution onto the system.
To check if the system is configured to process "ICMP timestamp" requests, run the following command: sysctl net.inet.icmp.timestamp If the value is not set to "0", this is a finding.
To disable "ICMP timestamp" responses, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.icmp.timestamp=0
To list the network devices that are enabled on the system, run the following command: /usr/bin/sudo /usr/sbin/networksetup -listallnetworkservices A disabled device will have an asterisk in front of its name. If any listed device that is not in use is missing this asterisk, this is a finding.
To disable a network device, run the following command, substituting the name of the device in place of "'<networkservice>'": /usr/bin/sudo /usr/sbin/networksetup -setnetworkserviceenabled '<networkservice>' off
In order to view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control If "fm" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
To check if the "ftp" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.ftpd If the results do not show the following, this is a finding: "com.apple.ftpd" => true
To disable the "ftp" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.ftpd The system may need to be restarted for the update to take effect.