Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
To view the currently selected screen saver for the logged-on user, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowModulePath If there is no result or defined "loginWindowModulePath", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the system is configured to disable hot corners, run the following commands: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep wvous If the return is null, or does not equal: "wvous-bl-corner = 0; wvous-br-corner = 0; wvous-tl-corner = 0; wvous-tr-corner = 0;" this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
To check if the system is configured to prevent Apple Watch from terminating a session lock, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock = 0;" If there is no result, this is a finding.
This setting is enforced using the “Restrictions Policy" configuration profile.
To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep loginWindowIdleTime The check should return a value of "900" or less for "loginWindowIdleTime". If it does not, this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the system will prompt users to enter their passwords to unlock the screen saver, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPassword If there is no result, or if "askForPassword" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the system will prompt users to enter their passwords to unlock the screen saver, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay If there is no result, or if "askForPasswordDelay" is not set to "5.0" or less, this is a finding.
This setting is enforced using the "Security and Privacy Policy" configuration profile.
To view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Attempts to log in as another user are logged by way of the "lo" flag. If "lo" is not listed in the result of the check, this is a finding.
To ensure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
For systems that allow remote access through SSH, run the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.openssh.sshd If the results do not show the following, this is a finding. "com.openssh.sshd" => false
To enable the SSH service, run the following command: /usr/bin/sudo /bin/launchctl enable system/com.openssh.sshd The system may need to be restarted for the update to take effect.
To check if the "rshd" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.rshd If the results do not show the following, this is a finding: "com.apple.rshd" => true
To disable the "rshd" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.rshd The system may need to be restarted for the update to take effect.
If Bluetooth connectivity is required to facilitate use of approved external devices, this is not applicable. To check if Bluetooth is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableBluetooth If the return is null or is not "DisableBluetooth = 1", this is a finding.
This setting is enforced using the "Bluetooth Policy" configuration profile.
If the system requires Wi-Fi to connect to an authorized network, this is not applicable. To check if the Wi-Fi network device is disabled, run the following command: /usr/bin/sudo /usr/sbin/networksetup -listallnetworkservices A disabled device will have an asterisk in front of its name. If the Wi-Fi device is missing this asterisk, this is a finding.
To disable the Wi-Fi network device, run the following command: /usr/bin/sudo /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
To check if IR support is disabled, run the following command: /usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled If the result is not "0", this is a finding.
To disable IR, run the following command: /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool FALSE
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.blank.cd.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.blank.dvd.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for music CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.cd.music.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for picture CDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.cd.picture.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To check if the system has the correct setting for video DVDs in the configuration profile, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 2 'com.apple.digihub.dvd.video.appeared' If this is not defined or "action" is not set to "1", this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
Verify if a password policy is enforced by a directory service by asking the System Administrator (SA) or Information System Security Officer (ISSO). If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. To check if the password policy is configured to disable a temporary account after 72 hours, run the following command to output the password policy to the screen, substituting the correct user name in place of username: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is no output, and password policy is not controlled by a directory service, this is a finding. Otherwise, look for the line "<key>policyCategoryAuthentication</key>". In the array that follows, there should be a <dict> section that contains a check <string> that allows users to log in if "policyAttributeCurrentTime" is less than the result of adding "policyAttributeCreationTime" to 72 hours (259299 seconds). The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time to "policyAttributeCreationTime", this is a finding.
This setting may be enforced using a configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current policy file, substituting the correct user name in place of "username": /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 > pwpolicy.plist Open the resulting password policy file in a text editor. If other policy settings are present, and the line "<key>policyCategoryAuthentication</key>" already exists, insert the following text after the <array> tag that immediately follows it: <dict> <key>policyContent</key> <string>policyAttributeCurrentTime < policyAttributeCreationTime + 259299</string> <key>policyIdentifier</key> <string>Disable Temporary Account</string> </dict> At a minimum, edit the file to ensure that it contains the following text: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime < policyAttributeCreationTime + 259299</string> <key>policyIdentifier</key> <string>Disable Temporary Account</string> </dict> </array> </dict> </plist> After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the correct user name in place of "username": /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies pwpolicy.plist
If an emergency account has been created on the system, check the expiration settings of a local account using the following command, replacing "username" with the correct value: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 If there is output, verify that the account policies do not restrict the ability to log in after a certain date or amount of time. If they do, this is a finding.
To remove all "pwpolicy" settings for an emergency account, run the following command, replacing "username" with the correct value: /usr/bin/sudo /usr/bin/pwpolicy -u username clearaccountpolicies Otherwise, to change the password policy for an emergency account and only remove some policy sections, run the following command to save a copy of the current policy file for the specified username: /usr/bin/sudo /usr/bin/pwpolicy -u username getaccountpolicies | tail -n +2 > pwpolicy.plist Open the resulting password policy file in a text editor and remove any policyContent sections that would restrict the ability to log in after a certain date or amount of time. To remove the section cleanly, remove the entire text that begins with <dict>, contains the like <key>policyContent<'/key>, and ends with </dict>. After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy -u username setaccountpolicies pwpolicy.plist
To view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Administrative and Privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.
To ensure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
If SMB File Sharing is required, this is not applicable. To check if the SMB File Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd If the results do not show the following, this is a finding: "com.apple.smbd" => true
To disable the SMB File Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd The system may need to be restarted for the update to take effect.
To check if the Apple File (AFP) Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AppleFileServer If the results do not show the following, this is a finding: "com.apple.AppleFileServer" => true
To disable the Apple File (AFP) Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.AppleFileServer The system may need to be restarted for the update to take effect.
If the NFS daemon is required, this is not applicable. To check if the NFS daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd If the results do not show the following, this is a finding: "com.apple.nfsd" => true
To disable the NFS daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd The system may need to be restarted for the update to take effect.
If the NFS lock daemon is required, this is not applicable. To check if the NFS lock daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.lockd If the results do not show the following, this is a finding: "com.apple.lockd" => true
To disable the NFS lock daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.lockd The system may need to be restarted for the update to take effect.
If the NFS stat daemon is required, this is not applicable. To check if the NFS stat daemon is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.statd.notify If the results do not show the following, this is a finding: "com.apple.statd.notify" => true
To disable the NFS stat daemon, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.statd.notify The system may need to be restarted for the update to take effect.
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If no firewall is installed on the system, this is a finding. If a firewall is installed and it is not configured with a "default-deny" policy, this is a finding.
Install an approved HBSS or firewall solution onto the system and configure it with a "default-deny" policy.
Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system. Check to see if the operating system has the correct text listed in the "/etc/banner" file with the following command: # more /etc/banner The command should return the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. If the text in the "/etc/banner" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Create a text file containing the required DoD text. Name the file "banner" and place it in "/etc/".
For systems that allow remote access through SSH, run the following command to verify that "/etc/banner" is displayed before granting access: # /usr/bin/grep Banner /etc/ssh/sshd_config If the sshd Banner configuration option does not point to "/etc/banner", this is a finding.
For systems that allow remote access through SSH, modify the "/etc/ssh/sshd_config" file to add or update the following line: Banner /etc/banner
The policy banner will show if a "PolicyBanner.rtf" or "PolicyBanner.rtfd" exists in the "/Library/Security" folder. Run this command to show the contents of that folder: /bin/ls -l /Library/Security/PolicyBanner.rtf* If neither "PolicyBanner.rtf" nor "PolicyBanner.rtfd" exists, this is a finding. The banner text of the document MUST read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not worded exactly this way, this is a finding.
Create an RTF file containing the required text. Name the file "PolicyBanner.rtf" or "PolicyBanner.rtfd" and place it in "/Library/Security/".
To view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Logon events are logged by way of the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.
To ensure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
To check if the audit service is running, use the following command: /usr/bin/sudo /bin/launchctl list | /usr/bin/grep com.apple.auditd If nothing is returned, the audit service is not running, and this is a finding.
To enable the audit service, run the following command: /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
System Integrity Protection is a security feature, enabled by default, that protects certain system processes and files from being modified or tampered with. Check the current status of "System Integrity Protection" with the following command: /usr/bin/csrutil status If the result does not show the following, this is a finding. System Integrity Protection status: enabled
To reenable "System Integrity Protection", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the following command: /usr/bin/csrutil enable
The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control If this returns no results, or does not contain "7d" or a larger value, this is a finding.
Edit the "/etc/security/audit_control" file and change the value for "expire-after" to the amount of time audit logs should be kept for the system. Use the following command to set the "expire-after" value to "7d": /usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control If this returns no results, or does not contain "25", this is a finding.
Edit the "/etc/security/audit_control" file and change the value for "minfree" to "25" using the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control file".
By default, "auditd" only logs errors to "syslog". To see if audit has been configured to print error messages to the console, run the following command: /usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.
To make "auditd" log errors to standard error as well as "syslogd", run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s
The Network Time Protocol (NTP) service must be enabled on all networked systems. To check if the service is running, use the following command: /usr/bin/sudo /bin/launchctl list | grep com.apple.timed 83 0 com.apple.timed If nothing is returned, this is a finding. To verify that an authorized NTP server is configured, run the following command or examine "/etc/ntp.conf": /usr/bin/sudo /usr/bin/grep ^server /etc/ntp.conf server ntp.usno.navy.mil server ntp.usnogps.navy.mil Note: Only approved time servers should be configured for use. If no server is configured, or if an unapproved time server is in use, this is a finding.
To enable the NTP service, run the following command: /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.timed.plist To configure one or more time servers for use, edit "/etc/ntp.conf" and enter each hostname or IP address on a separate line, prefixing each one with the keyword "server".
To check the ownership of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | grep -v current The results should show the owner (third column) to be "root". If they do not, this is a finding.
For any log file that returns an incorrect owner, run the following command: /usr/bin/sudo chown root [audit log file] [audit log file] is the full path to the log file in question.
To check the ownership of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the owner (third column) to be "root". If it does not, this is a finding.
For any log folder that has an incorrect owner, run the following command: /usr/bin/sudo chown root [audit log folder]
To check the group ownership of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current The results should show the group owner (fourth column) to be "wheel". If they do not, this is a finding.
For any log file that returns an incorrect group owner, run the following command: /usr/bin/sudo chgrp wheel [audit log file] [audit log file] is the full path to the log file in question.
To check the group ownership of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the group (fourth column) to be "wheel". If they do not, this is a finding.
For any log folder that has an incorrect group, run the following command: /usr/bin/sudo chgrp wheel [audit log folder]
To check the permissions of the audit log files, run the following command: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current The results should show the permissions (first column) to be "440" or less permissive. If they do not, this is a finding.
For any log file that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 440 [audit log file] [audit log file] is the full path to the log file in question.
To check the permissions of the audit log folder, run the following command: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') The results should show the permissions (first column) to be "700" or less permissive. If they do not, this is a finding.
For any log folder that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 700 [audit log folder]
To check if a log file contains ACLs, run the following commands: /usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current In the output from the above commands, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If any such line exists, this is a finding.
For any log file that contains ACLs, run the following command: /usr/bin/sudo chmod -N [audit log file]
To check if a log folder contains ACLs, run the following commands: /usr/bin/sudo ls -lde $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') In the output from the above commands, ACLs will be listed under any folder that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If any such line exists, this is a finding.
For any log folder that contains ACLs, run the following command: /usr/bin/sudo chmod -N [audit log folder]
To check the status of the Security assessment policy subsystem, run the following command: /usr/bin/sudo /usr/sbin/spctl --status | /usr/bin/grep enabled If nothing is returned, this is a finding.
To enable the Security assessment policy subsystem, run the following command: /usr/bin/sudo /usr/sbin/spctl --master-enable
To check if iCloud Calendar is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudCalendar If the result is not “allowCloudCalendar = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if iCloud Reminders is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudReminders If the result is not “allowCloudReminders = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if iCloud Address Book is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudAddressBook If the result is not “allowCloudAddressBook = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if iCloud Mail is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudMail If the result is not “allowCloudMail = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if iCloud Notes is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudNotes If the result is not “allowCloudNotes = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
If the device or operating system does not have a camera installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding. For a built-in camera, the camera must be protected by a camera cover (e.g. laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. If the camera is not disconnected, covered or physically disabled, the following configuration is required: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera If the result is “allowCamera = 1” and the collaborative computing device has not been authorized for use, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if the system has the correct setting in the configuration profile to disable access to the iCloud preference pane, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 DisabledPreferencePanes | grep icloud If the return is not “com.apple.preferences.icloud”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if "Internet Accounts" has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 DisabledPreferencePanes | grep internetaccounts If the return is not "com.apple.preferences.internetaccounts", this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if "Siri" has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 DisabledPreferencePanes | grep speech If the return is not “com.apple.preference.speech”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
To check if Siri and dictation has been disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(allowAssistant | IronwoodAllowed)’ If the return is null or not: “IronwoodAllowed = 0 allowAssistant = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
Sending diagnostic and usage data to Apple must be disabled. To check if a configuration profile is configured to enforce this setting, run the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowDiagnosticSubmission If "allowDiagnosticSubmission" is not set to "0", this is a finding. Alternately, the setting is found in System Preferences >> Security & Privacy >> Privacy >> Analytics. If the checkbox that says "Share Mac Analytics" is checked, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile. The setting "Share Mac Analytics" is found in System Preferences >> Security & Privacy >> Privacy >> Analytics. Uncheck the box that says "Share Mac Analytics". To apply the setting from the command line, run the following commands: /usr/bin/defaults read "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit /usr/bin/sudo /usr/bin/defaults write "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit -bool false /usr/bin/sudo /bin/chmod 644 /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist /usr/bin/sudo /usr/bin/chgrp admin /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist
To check if Find My Mac is disabled, use the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudFMM If the return is null or not “allowCloudFMM = 0”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
Location Services must be disabled. To check if a configuration profile is configured to enforce this setting, run the following command: /usr/bin/sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableLocationServices If the return is null or not “DisableLocationServices = 1”, this is a finding. The setting is found in System Preferences >> Security & Privacy >> Privacy >> Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if the setting was applied on the command line, run the following command: /usr/bin/sudo /usr/bin/defaults read /private/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57` LocationServicesEnabled If the result is "1" this is a finding.
This setting is enforced using the "Custom Policy" configuration profile. The setting "Enable Location Services" can be found in System Preferences >> Security & Privacy >> Privacy >> Location Services. Uncheck the box that says "Enable Location Services". It can also be set with the following command: /usr/bin/sudo /usr/bin/defaults write /private/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57` LocationServicesEnabled -bool false
To check if Bonjour multicast advertising has been disabled, run the following command: /usr/bin/sudo /usr/bin/defaults read /Library/Preferences/com.apple.mDNSResponder | /usr/bin/grep NoMulticastAdvertisements If an error is returned, nothing is returned, or "NoMulticastAdvertisements" is not set to "1", this is a finding.
To configure Bonjour to disable multicast advertising, run the following command: /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true The system will need to be restarted for the update to take effect.
To check if the UUCP service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.uucp If the results do not show the following, this is a finding: "com.apple.uucp" => true
To disable the UUCP service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.uucp The system may need to be restarted for the update to take effect.
To view the setting for Touch ID configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowFingerprintForUnlock If the output is null, not "allowFingerprintForUnlock = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To check if the CatalogURL is configured, run the following command: defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist CatalogURL 2017-11-30 22:21:41.805 defaults[1205:9595] The domain/default pair of (/Library/Preferences/com.apple.SoftwareUpdate.plist, CatalogURL) does not exist. If the output is not an error indicating the item "does not exist" or the output is not a DoD-approved update server, this is a finding. Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
To remove the Apple software list from the system configuration run the following command: sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate.plist CatalogURL
To check if the root account is disabled, run the following command: defaults read /var/db/dslocal/nodes/Default/users/root.plist passwd ( "*" ) The output should be a single asterisk in quotes, as seen above. If the output is as follow, this is a finding: ( "********" )
Disable the root account with the following command: /usr/sbin/dsenableroot -d
To check if the guest user exists, run the following command: dscl . list /Users | grep -i Guest To verify that Guest user cannot unlock volume, run the following command: fdesetup list To check if the system is configured to prohibit user installation of software, first check to ensure the Parental Controls are enabled with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(DisableGuestAccount | EnableGuestAccount)’ If the result is null or not: DisableGuestAccount = 1; EnableGuestAccount = 0; This is a finding.
Remove the guest user with the following command: sudo dscl . delete /Users/Guest "This can also be managed with "Login Window Policy" configuration profile.
To check if the "tfptd" service is disabled, run the following command: sudo launchctl print-disabled system | grep tftp If "com.apple.tftp" is not set to "true", this is a finding.
To disable the "tfpd" service, run the following command: sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist
To check if the "SkipSiriSetup" prompt is enabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipSiriSetup If the output is null or "SkipSiriSetup" is not set to "1", this is a finding.
This setting is enforced using the "Login Window" configuration profile.
To view the setting for the Back to My Mac configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudBTMM If the output is null or not "allowCloudBTMM = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To view the setting for the iCloud Keychain Synchronization configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudKeychainSync If the output is null or not "allowCloudKeychainSync = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To view the setting for the iCloud Document Synchronization configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudDocumentSync If the output is null or not "allowCloudDocumentSync = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To view the setting for the iCloud Bookmark Synchronization configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudBookmarks If the output is null or not "allowCloudBookmarks = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To check if the system has the correct setting in the configuration profile to disable access to the iCloud preference pane, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 DisabledPreferencePanes | grep icloud If the return is not “com.apple.preferences.icloud”, this is a CAT I finding. To view the setting for the iCloud Photo Library configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudPhotoLibrary If the output is null or not "allowCloudPhotoLibrary = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To view the setting for the iCloud Desktop And Documents configuration, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCloudDesktopAndDocuments If the output is null or not "allowCloudDesktopAndDocuments = 0" this is a finding.
This setting is enforced using the "Restrictions" configuration profile.
To check if SSH has root logins enabled, run the following command: /usr/bin/sudo /usr/bin/grep ^PermitRootLogin /etc/ssh/sshd_config If there is no result, or the result is set to "yes", this is a finding.
To ensure that "PermitRootLogin" is disabled by sshd, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
To check which protocol is configured for sshd, run the following: /usr/bin/sudo /usr/bin/grep ^Protocol /etc/ssh/sshd_config If there is no result or the result is not "Protocol 2", this is a finding.
To ensure that "Protocol 2" is used by sshd, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/ssh/sshd_config
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that passwords contain at least one numeric character: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep requireAlphanumeric If the result is null or is not “requireAlphanumeric = 1”, this is a finding. If password policy is set with the "pwpolicy utility", run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryPasswordContent</key>". If it does not exist, and password policy is not controlled by a directory service, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> that "matches" the variable "policyAttributePassword" to the regular expression "(.*[0-9].*){1,}+" or to a similar expression that will ensure the password contains a character in the range 0-9 one or more times. If this check allows users to create passwords without at least one numeric character, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>; then insert the following text after the opening <dict> tag and before the closing </dict> tag. The same text can also be used if the line "<key>policyCategoryPasswordContent</key>" is not present. <key>policyCategoryPasswordContent</key> <array> <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string> <key>policyIdentifier</key> <string>com.apple.policy.legacy.requiresNumeric</string> <key>policyParameters</key> <dict> <key>minimumNumericCharacters</key> <integer>1</integer> </dict> </dict> </array> If the file does contain policy settings, and the line "<key>policyCategoryPasswordContent</key>" does exist, insert the following text after the opening <array> tag that comes right after it: <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string> <key>policyIdentifier</key> <string>com.apple.policy.legacy.requiresNumeric</string> <key>policyParameters</key> <dict> <key>minimumNumericCharacters</key> <integer>1</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that passwords contain at least one special character: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minComplexChars If the return is null or not ” minComplexChars = 1”, this is a finding. Run the following command to check if the system is configured to require that passwords not contain repeated sequential characters or characters in increasing and decreasing sequential order: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowSimple If "allowSimple" is not set to "0" or is undefined, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service.
To check the currently applied policies for passwords and accounts, use the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minLength If the return is null or not “minLength = 15”, this is a finding.
This setting is enforced using the "Passcode Policy" configuration profile. Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
To check if the "telnet" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.telnetd If the results do not show the following, this is a finding: "com.apple.telnetd" => true
To disable the "telnet" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.telnetd The system may need to be restarted for the update to take effect.
To check if the "ftp" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.ftpd If the results do not show the following, this is a finding: "com.apple.ftpd" => true
To disable the "ftp" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.ftpd The system may need to be restarted for the update to take effect.
Identify any unsigned applications that have been installed on the system: /usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -B 3 -A 4 -e "Obtained from: Unknown" | /usr/bin/grep -v -e "Location: /Library/Application Support/Script Editor/Templates" -e "Location: /System/Library/" | /usr/bin/awk -F "Location: " '{print $2}' | /usr/bin/sort -u If any results are returned and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify only applications with a valid digital signature are allowed to run: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(EnableAssessment | AllowIdentifiedDevelopers)’ If the return is null, or is not: AllowIdentifiedDevelopers = 1; EnableAssessment = 1; This is a finding.
This setting is enforced using the "Security and Privacy Policy" configuration profile.
The SSH daemon "ClientAliveInterval" option must be set correctly. To check the idle timeout setting for SSH sessions, run the following: /usr/bin/sudo /usr/bin/grep ^ClientAliveInterval /etc/ssh/sshd_config If the setting is not "900" or less, this is a finding.
To ensure that "ClientAliveInterval" is set correctly, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config
The SSH daemon "ClientAliveCountMax" option must be set correctly. To verify the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: /usr/bin/sudo /usr/bin/grep ^ClientAliveCountMax /etc/ssh/sshd_config If the setting is not "ClientAliveCountMax 0", this is a finding.
To ensure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config
The SSH daemon "LoginGraceTime" must be set correctly. To check the amount of time that a user can log on through SSH, run the following command: /usr/bin/sudo /usr/bin/grep ^LoginGraceTime /etc/ssh/sshd_config If the value is not set to "30" or less, this is a finding.
To ensure that "LoginGraceTime" is configured correctly, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config
To view a list of installed certificates, run the following command: /usr/bin/sudo /usr/bin/security dump-keychain | /usr/bin/grep labl | awk -F\" '{ print $4 }' If this list does not contain approved certificates, this is a finding.
Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from "/Applications/Utilities" to add certificates to the System Keychain.
To check if "FileVault 2" is enabled, run the following command: /usr/bin/sudo /usr/bin/fdesetup status If "FileVault" is "Off" and the device is a mobile device or the organization has determined that the drive must encrypt data at rest, this is a finding.
Open System Preferences >> Security and Privacy and navigate to the "FileVault" tab. Use this panel to configure full-disk encryption. Alternately, from the command line, run the following command to enable "FileVault": /usr/bin/sudo /usr/bin/fdesetup enable After "FileVault" is initially set up, additional users can be added.
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved tool capable of continuous scanning is loaded on the system. The recommended system is the McAfee HBSS. If no such tool is installed on the system, this is a finding.
Install an approved HBSS solution onto the system.
If an approved HBSS DCM/DLP solution is installed, this is not applicable. To verify external USB drives are disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 3 harddisk-external If the result is not “harddisk-external" = ( eject, alert );”, this is a finding.
This setting is enforced using the "Restrictions Policy" configuration profile.
If iTunes file sharing is enabled, unauthorized disclosure could occur. To verify that iTunes file sharing is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowiTunesFileSharing If the result is null or is not “allowiTunesFileSharing = 0”, this is a finding
This setting is enforced using the “Restrictions Policy" configuration profile.
To check if the system is configured to automatically log on, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAutoLoginClient If "com.apple.login.mcx.DisableAutoLoginClient" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
To check if the logon window is configured to prompt for user name and password, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SHOWFULLNAME If there is no result, or "SHOWFULLNAME" is not set to "1", this is a finding.
This setting is enforced using the "Login Window Policy" configuration profile.
If HBSS is used, this is not applicable. To check if the macOS firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep on If the result does not show "on", this is a finding.
To enable the firewall logging, run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
To check if the Bluetooth Remote Wake setting is disabled, run the following two commands as the primary user: /usr/bin/defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled /usr/bin/defaults read /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`.plist RemoteWakeEnabled If there is an error or nothing is returned, or the return value is "1" for either command, this is a finding.
Manually change this control on the computer by opening System Preferences >> Bluetooth. Click "Advanced" and ensure the "Allow Bluetooth devices to wake this computer" is not checked. This control is not necessary if Bluetooth has been completely disabled. The following can be run from the command line to disable "Remote Wake" for the current user: /usr/bin/defaults write /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57`.plist RemoteWakeEnabled 0
To check if Bluetooth Sharing is enabled, open System Preferences >> Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding. The following command can be run from the command line: /usr/bin/defaults read /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`.plist PrefKeyServicesEnabled If there is an error or nothing is returned, or the return value is "1", this is a finding.
To disable Bluetooth Sharing, open System Preferences >> Sharing and uncheck the box next to "Bluetooth Sharing". This control is not necessary if Bluetooth has been completely disabled. The following can be run from the command line to disable "Bluetooth Sharing" for the current user: /usr/bin/defaults write /Users/`whoami`/Library/Preferences/ByHost/com.apple.Bluetooth.`/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57`.plist PrefKeyServicesEnabled 0
To check if Remote Apple Events is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.AEServer If the results do not show the following, this is a finding. "com.apple.AEServer" => true
To disable Remote Apple Events, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.AEServer The system may need to be restarted for the update to take effect.
To check if the "tty_tickets" option is set for "/usr/bin/sudo", run the following command: /usr/bin/sudo /usr/bin/grep tty_tickets /etc/sudoers If there is no result, this is a finding.
Edit the "/etc/sudoers" file to contain the line: Defaults tty_tickets This line can be placed in the defaults section or at the end of the file.
If an approved HBSS solution is installed, this is not applicable. To check if the macOS firewall has been enabled, run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is "disabled", this is a finding.
To enable the firewall, run the following command: /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
To display all directories that are writable by all and not owned by "root", run the following command: /usr/bin/sudo find / -type d -perm +o+w -not -uid 0 If anything is returned, and those directories are not owned by root or application account, this is a finding.
To change the ownership of any finding, run the following command: /usr/bin/sudo find / -type d -perm +o+w -not -uid 0 -exec chown root {} \;
To check if the "finger" service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.fingerd If the results do not show the following, this is a finding: "com.apple.fingerd" => true
To disable the "finger" service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.fingerd The system may need to be restarted for the update to take effect.
Run the following command to view all world-writable directories that do not have the "sticky bit" set: /usr/bin/sudo /usr/bin/find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.
Run the following command to set the "sticky bit" on all world-writable directories: /usr/bin/sudo /usr/bin/find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
To check if the system is configured to skip cloud setup, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SkipCloudSetup If “SkipCloudSetup" is not set to "1", this is a finding. To check if the prompt for "Apple ID" and "iCloud" are disabled for new users, run the following command: /usr/bin/sudo /usr/bin/defaults read /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant If there is no result, if it prints out that the domain "does not exist", or the results do not include "DidSeeCloudSetup = 1 AND LastSeenCloudProductVersion = 10.12", this is a finding.
This setting is enforced using the “Login Window Policy" configuration profile.
To see if any user account has configured an Apple ID for iCloud usage, run the following command: /usr/bin/sudo find /Users/ -name 'MobileMeAccounts.plist' -exec /usr/bin/defaults read '{}' \; If the results show any accounts listed, this is a finding.
This must be resolved manually. With the affected user logged on, open System Preferences >> iCloud. Choose "Sign Out".
To check if iTunes Music Sharing is disabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep disableSharedMusic If the return is null or does not contain “disableSharedMusic = 1” this is a finding.
This setting is enforced using the "Custom Policy" configuration profile.
If available, provide a list of "setuids" provided by a vendor. To list all of the files with the "setuid" bit set, run the following command to send all results to a file named "suidfilelist": /usr/bin/sudo find / -perm -4000 -exec /bin/ls -ldb {} \; > suidfilelist If any of the files listed are not documented as needing to have the "setuid" bit set by the vendor, this is a finding.
Document all of the files with the "setuid" bit set. Remove any undocumented files.
To check if the system is configured to accept "source-routed" packets, run the following command: sysctl net.inet.ip.accept_sourceroute If the value is not "0", this is a finding.
To configure the system to not accept "source-routed" packets, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.accept_sourceroute=0
To check if the system is configured to ignore "ICMP redirect" messages, run the following command: sysctl net.inet.icmp.drop_redirect If the value is not "1", this is a finding.
To configure the system to ignore "ICMP redirect" messages, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.icmp.drop_redirect=1
To check if "IP forwarding" is enabled, run the following command: sysctl net.inet.ip.forwarding If the values are not "0", this is a finding.
To configure the system to disable "IP forwarding", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.forwarding=0
To check if "IP forwarding" is enabled, run the following command: sysctl net.inet6.ip6.forwarding If the values are not "0", this is a finding.
To configure the system to disable "IP forwarding", add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet6.ip6.forwarding=0
To check if the system is configured to send ICMP redirects, run the following command: sysctl net.inet.ip.redirect If the values are not set to "0", this is a finding.
To configure the system to not send ICMP redirects, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.redirect=0
To check if the system is configured to send ICMP redirects, run the following command: sysctl net.inet6.ip6.redirect If the values are not set to "0", this is a finding.
To configure the system to not send ICMP redirects, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet6.ip6.redirect=0
To check if the system is configured to forward source-routed packets, run the following command: sysctl net.inet.ip.sourceroute If the value is not set to "0", this is a finding.
To configure the system to not forward source-routed packets, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.ip.sourceroute=0
To check if the system is configured to process ICMP timestamp requests, run the following command: sysctl net.inet.icmp.timestamp If the value is not set to "0", this is a finding.
To disable ICMP timestamp responses, add the following line to "/etc/sysctl.conf", creating the file if necessary: net.inet.icmp.timestamp=0
To list the network devices that are enabled on the system, run the following command: /usr/bin/sudo /usr/sbin/networksetup -listallnetworkservices A disabled device will have an asterisk in front of its name. If any listed device that is not in use is missing this asterisk, this is a finding.
To disable a network device, run the following command, substituting the name of the device in place of "'<networkservice>'": /usr/bin/sudo /usr/sbin/networksetup -setnetworkserviceenabled '<networkservice>' off
To check if Internet Sharing is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.NetworkSharing If the results do not show the following, this is a finding: "com.apple.NetworkSharing" => true
To disable Internet Sharing, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.NetworkSharing The system may need to be restarted for the update to take effect.
To check if Web Sharing is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep org.apache.httpd If the results do not show the following, this is a finding: "org.apache.httpd" => true
To disable Web Sharing, run the following command: /usr/bin/sudo /bin/launchctl disable system/org.apache.httpd The system may need to be restarted for the update to take effect.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the logon reset timer: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep minutesUntilFailedLoginReset If the return is null or not “minutesUntilFailedLoginReset = 15”, this is a finding. If password policy is set with the "pwpolicy" utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory service, this is a finding. In the array that follows, there should be one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. The following two lines within the configuration enforce lockout expiration to "15" minutes: <key>autoEnableInSeconds</key> <integer>900</integer> To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the number of permitted failed logon attempts: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxFailedAttempts If the return is null, or not, “maxFailedAttempts = 3”, this is a finding. If password policy is set with the "pwpolicy" utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory service, this is a finding. In the array that follows, there should be one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its policyParameters section. If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line <key>policyCategoryAuthentication</key> already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration or bugs in OS X may block password change and local user creation operations, as well as lock out all local users, including administrators.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system has the correct setting for the number of permitted failed logon attempts and the logon reset timer: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'maxFailedAttempts\|minutesUntilFailedLoginReset' If "maxFailedAttempts" is not set to "3" and "minutesUntilFailedLoginReset" is not set to "15", this is a finding. If password policy is set with the "pwpolicy" utility, the variable names may vary depending on how the policy was set. To check if the password policy is configured to disable an account for 15 minutes after 3 unsuccessful logon attempts, run the following command to output the password policy to the screen: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryAuthentication</key>". If this does not exist, and password policy is not controlled by a directory service, this is a finding. In the array that follows, there should be one or more <dict> sections that describe policy checks. One should contain a <string> that allows users to log on if "policyAttributeFailedAuthentications" is less than "policyAttributeMaximumFailedAuthentications". Under policyParameters, "policyAttributeMaximumFailedAuthentications" should be set to "3". If "policyAttributeMaximumFailedAuthentications" is not set to "3", this is a finding. In the same check or in another <dict> section, there should be a <string> that allows users to log on if the "policyAttributeCurrentTime" is greater than the result of adding "15" minutes (900 seconds) to "policyAttributeLastFailedAuthenticationTime". The check might use a variable defined in its "policyParameters" section. If the check does not exist or if the check adds too great an amount of time, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor and ensure it contains the following text after the opening <dict> tag and before the closing </dict> tag. Replace <dict/> first with <dict></dict> if necessary. <key>policyCategoryAuthentication</key> <array> <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> </array> If the line "<key>policyCategoryAuthentication</key>" already exists, the following text should be used instead and inserted after the first <array> tag that follows it: <dict> <key>policyContent</key> <string>(policyAttributeFailedAuthentications < policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime > (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string> <key>policyIdentifier</key> <string>Authentication Lockout</string> <key>policyParameters</key> <dict> <key>autoEnableInSeconds</key> <integer>900</integer> <key>policyAttributeMaximumFailedAuthentications</key> <integer>3</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration or bugs in OS X may block password change and local user creation operations, as well as lock out all local users, including administrators.
To view the setting for the audit control system, run the following command: sudo /usr/bin/grep ^policy /etc/security/audit_control | /usr/bin/grep ahlt If there is no result, this is a finding.
Edit the "/etc/security/audit_control file" and change the value for policy to include the setting "ahlt". To do this programmatically, run the following command: sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; sudo /usr/sbin/audit -s
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved antivirus solution is loaded on the system. The antivirus solution may be bundled with an approved host-based security solution. If there is no local antivirus solution installed on the system, this is a finding.
Install an approved antivirus solution onto the system.
To check if AirDrop has been disabled, run the following command: sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep DisableAirDrop If the result is not "DisableAirDrop = 1", this is a finding.
Disabling AirDrop is enforced using the "Restrictions Policy" configuration profile.
To determine if the system is integrated to a directory service, ask the System Administrator (SA) or Information System Security Officer (ISSO) or run the following command: /usr/bin/sudo dscl localhost -list . | /usr/bin/grep -vE '(Contact | Search | Local)' If nothing is returned, or if the system is not integrated into a directory service infrastructure, this is a finding.
Integrate the system into an existing directory services infrastructure.
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require users to change their passwords every 60 days: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxPINAgeInDays If the return is null, or is not “maxPINAgeInDays = 60” or set to a smaller value, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line <key>policyCategoryPasswordChange</key>. If it does not exist, and password policy is not controlled by a directory service, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> that compares the variable "policyAttributeLastPasswordChangeTime" to the variable "policyAttributeCurrentTime". It may contain additional variables defined in the "policyParameters" section that follows it. All comparisons are done in seconds. If this check allows users to log in with passwords older than "60" days, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. If there already is a policy block that refers to password expiration, ensure it is set to "60" days. If the line "<key>policyCategoryPasswordChange</key>" is not present in the file, add the following text immediately after the opening <dict> tag in the file: <key>policyCategoryPasswordChange</key> <array> <dict> <key>policyContent</key> <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Password Change Interval</string> <key>policyParameters</key> <dict> <key>policyAttributeExpiresEveryNDays</key> <integer>60</integer> </dict> </dict> </array> If the line "<key>policyCategoryPasswordChange</key>" is already present in the file, the following text should be added just after the opening <array> tag that follows the line instead: <dict> <key>policyContent</key> <string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Password Change Interval</string> <key>policyParameters</key> <dict> <key>policyAttributeExpiresEveryNDays</key> <integer>60</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
Password policy can be set with the "Password Policy" configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that users cannot reuse one of their five previously used passwords: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory If the return in null or not “pinHistory = 5” or greater, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line "<key>policyCategoryPasswordContent</key>". If it does not exist, and password policy is not controlled by a directory service, this is a finding. Otherwise, in the array section that follows it, there should be a <dict> section that contains a check <string> such as "<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>". This searches for the hash of the user-entered password in the list of previous password hashes. In the "policyParameters" section that follows it, "policyAttributePasswordHistoryDepth" must be set to "5" or greater. If this parameter is not set to "5" or greater, or if no such check exists, this is a finding.
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. If there already is a policy block that refers to password history, ensure it is set to "5". If the line "<key>policyCategoryPasswordContent</key>" is not present in the file, add the following text immediately after the opening <dict> tag in the file: <key>policyCategoryPasswordContent</key> <array> <dict> <key>policyContent</key> <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string> <key>policyIdentifier</key> <string>Password History</string> <key>policyParameters</key> <dict> <key>policyAttributePasswordHistoryDepth</key> <integer>5</integer> </dict> </dict> </array> If the line "<key>policyCategoryPasswordContent</key>" is already present in the file, the following text should be added just after the opening <array> tag that follows the line instead: <dict> <key>policyContent</key> <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string> <key>policyIdentifier</key> <string>Password History</string> <key>policyParameters</key> <dict> <key>policyAttributePasswordHistoryDepth</key> <integer>5</integer> </dict> </dict> After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
Log files are controlled by "newsyslog" and "aslmanager". These commands check for log files that exist on the system and print out the log with corresponding ownership. Run them from inside "/var/log": /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo stat -f '%Su:%Sg:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null If there are any system log files that are not owned by "root" and group-owned by "wheel" or admin, this is a finding. Service logs may be owned by the service user account or group.
For any log file that returns an incorrect owner or group value, run the following command: /usr/bin/sudo chown root:wheel [log file] [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and ensure that the owner:group column is set to "root:wheel" or the appropriate service user account and group. If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and ensure that "uid" and "gid" options are either not present or are set to a service user account and group respectively.
These commands check for log files that exist on the system and print out the log with corresponding permissions. Run them from inside "/var/log": /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null The correct permissions on log files should be "640" or less permissive for system logs. Any file with more permissive settings is a finding.
For any log file that returns an incorrect permission value, run the following command: /usr/bin/sudo chmod 640 [log file] [log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive. If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive.
These commands check for log files that exist on the system and print out the list of ACLs if there are any. /usr/bin/sudo ls -ld@ $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null /usr/bin/sudo ls -ld@ $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null ACLs will be listed under any file that may contain them (i.e., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If any system log file contains this information, this is a finding.
For any log file that returns an ACL, run the following command: /usr/bin/sudo chmod -N [log file] [log file] is the full path to the log file in question.
To view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Enforcement actions are logged by way of the "fm" flag, which audits permission changes, and "-fr" and "-fw", which denote failed attempts to read or write to a file. If "fm", "-fr", and "-fw" are not listed in the result of the check, this is a finding.
To set the audit flags to the recommended setting, run the following command to add the flags "fm", "-fr", and "-fw" all at once: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
To check if support for session locking with removal of a token is enabled, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction = 1;" If there is no result, this is a finding.
This is now in the smartcard payload. <key>tokenRemovalAction</key> <integer>1</integer>
To view the setting for the smartcard certification configuration, run the following command: sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep checkCertificateTrust If the output is null or not "checkCertificateTrust = 1;" this is a finding.
This setting is enforced using the "Smartcard" configuration profile.
To check if the system is configured to prohibit user installation of software, first check to ensure the Parental Controls are enabled with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 5 familyControlsEnabled | grep “/Users" If the result is null, or does not contain “/Users/“, this is a finding
This setting is enforced using the "Restrictions Policy" configuration profile.
If SSH is not being used, this is Not Applicable. Inspect the "Ciphers" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. # /usr/bin/grep "^Ciphers" /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.
Configure SSH to use secure cryptographic algorithms. To ensure that "Ciphers" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''Ciphers aes256-ctr,aes192-ctr,aes128-ctr'$'\n' /etc/ssh/sshd_config The SSH service must be restarted for changes to take effect.
If SSH is not being used, this is Not Applicable. Inspect the "MACs" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. /usr/bin/grep "^Macs" /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the example above, or the "MACs" keyword is missing, this is a finding.
Configure SSH to use secure Keyed-Hash Message Authentication Codes. To ensure that "MACs" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''MACs hmac-sha2-512,hmac-sha2-256'$'\n' /etc/ssh/sshd_config The SSH service must be restarted for changes to take effect.
If SSH is not being used, this is Not Applicable. Inspect the "KexAlgorithms" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. /usr/bin/grep "^KexAlgorithms" /etc/ssh/sshd_config KexAlgorithms diffie-hellman-group-exchange-sha256 If any algorithm other than "diffie-hellman-group-exchange-sha256" is listed or the "KexAlgorithms" keyword is missing, this is a finding.
Configure SSH to use a secure Key Exchange Algorithm. To ensure that "KexAlgorithms" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^KexAlgorithms.*
To check if the Screen Sharing service is disabled, use the following command: /usr/bin/sudo /bin/launchctl print-disabled system | /usr/bin/grep com.apple.screensharing If the results do not show the following, this is a finding: "com.apple.screensharing" => true
To disable the Screen Sharing service, run the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing The system may need to be restarted for the update to take effect.