Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Apple OS X 10.8 (Mountain Lion) Workstation STIG

V1R2 · · · Released 24 Apr 2015 · 205 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Apple OS X 10.8 (Mountain Lion) Workstation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Sort by
b
The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.
AC-2 - Medium - CCI-000016 - V-51195 - SV-65405r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000016
Version
OSX8-00-00110
Vuln IDs
  • V-51195
Rule IDs
  • SV-65405r1_rule
When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.
Checks: C-53577r1_chk

If a temporary user has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.

Fix: F-56003r1_fix

To set an expiration date for a temporary account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"

b
The login window must be configured to prompt for username and password, rather than show a list of users.
CM-6 - Medium - CCI-000366 - V-51231 - SV-65441r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00930
Vuln IDs
  • V-51231
Rule IDs
  • SV-65441r1_rule
The login window must be configured to prompt for username and password, rather than show a list of users.
Checks: C-53579r1_chk

To check if the login window is configured to prompt for user name and password, run the following command: system_profiler SPConfigurationProfileDataType | grep SHOWFULLNAME | awk '{ print $3 }' | sed 's/;//' If this setting is not defined, or not set to "1", this is a finding.

Fix: F-56031r1_fix

This is enforced using a configuration profile.

b
The ability for administrative accounts to unlock Screen Saver must be disabled.
CM-6 - Medium - CCI-000366 - V-51233 - SV-65443r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00935
Vuln IDs
  • V-51233
Rule IDs
  • SV-65443r1_rule
The ability for administrative accounts to unlock Screen Saver must be disabled.
Checks: C-53581r2_chk

To check the setting for authentication to unlock the screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "print :rights:system.login.screensaver:rule" /etc/authorization If the result is not "authenticate-session-owner" this is a finding.

Fix: F-56033r1_fix

To disable the ability for an administrator to unlock a screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "set :rights:system.login.screensaver:rule authenticate-session-owner" /etc/authorization

b
All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed.
CM-6 - Medium - CCI-000366 - V-51235 - SV-65445r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00980
Vuln IDs
  • V-51235
Rule IDs
  • SV-65445r1_rule
All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed.
Checks: C-53583r1_chk

To check the permissions and ownership of the system files, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.

Fix: F-56035r1_fix

To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /

b
User home directories must not have extended ACLs.
CM-6 - Medium - CCI-000366 - V-51237 - SV-65447r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00985
Vuln IDs
  • V-51237
Rule IDs
  • SV-65447r1_rule
User home directories must not have extended ACLs.
Checks: C-53585r1_chk

To check if the Users home directory has any extended ACLs, run the following command: ls -al /Users Any of the folders that contain a "+" character in the permissions is a finding.

Fix: F-56037r1_fix

To remove ACLs from a folder, run the following command: sudo chmod -R -N /Users/[username] Where [username] is the folder that contains ACLs.

b
Device files and directories must only be writable by users with a system account or as configured by the vendor.
CM-6 - Medium - CCI-000366 - V-51239 - SV-65449r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00990
Vuln IDs
  • V-51239
Rule IDs
  • SV-65449r1_rule
Device files and directories must only be writable by users with a system account or as configured by the vendor.
Checks: C-53587r1_chk

To view the list of device files that are on the system, run the following command: sudo find / -perm -2 -a \( -type b -o -type c \) Check the permissions on the directories above subdirectories of the returned items. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding.

Fix: F-56039r1_fix

To remove the writable option for other users, run the following command: sudo chmod o-w [path to device file]

c
The sudoers file must be configured to authenticate users on a per-tty basis.
CM-6 - High - CCI-000366 - V-51241 - SV-65451r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OSX8-00-00995
Vuln IDs
  • V-51241
Rule IDs
  • SV-65451r1_rule
Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits authorization to the terminal in which authentication occurred.
Checks: C-53589r1_chk

To check if the tty_tickets option is set for sudo, run the following command: sudo grep tty_tickets /etc/sudoers If there is no result, this is a finding.

Fix: F-56041r1_fix

Edit the /etc/sudoers file to contain the line "Defaults tty_tickets"

c
The sudoers file must be configured to require authentication on every use.
CM-6 - High - CCI-000366 - V-51243 - SV-65453r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
OSX8-00-01000
Vuln IDs
  • V-51243
Rule IDs
  • SV-65453r1_rule
Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits the use of the sudo command to a single command per authentication.
Checks: C-53591r1_chk

To check the timestamp_timeout value, run the following command : sudo grep timestamp_timeout /etc/sudoers If this setting is not defined, or defined for a value other than "0", this is a finding.

Fix: F-56043r1_fix

Edit the /etc/sudoers file to contain the line "Defaults timestamp_timeout=0"

b
All files and directories contained in user home directories must be group-owned by a group of which the home directorys owner is a member.
CM-6 - Medium - CCI-000366 - V-51245 - SV-65455r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01005
Vuln IDs
  • V-51245
Rule IDs
  • SV-65455r1_rule
All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is not a member.
Checks: C-53593r1_chk

To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is not group-owned by a group that a user is not a member of, this is a finding.

Fix: F-56045r1_fix

To change the group-ownership of the home directory and files, run the following command: sudo chgrp -R [group] /Users/username

b
All files and directories contained in interactive user home directories must be owned by the home directorys owner.
CM-6 - Medium - CCI-000366 - V-51247 - SV-65457r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01010
Vuln IDs
  • V-51247
Rule IDs
  • SV-65457r1_rule
All files and directories contained in interactive user home directories must be owned by the home directory's owner.
Checks: C-53595r1_chk

To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is not owned by the user, this is a finding.

Fix: F-56047r1_fix

To change the ownership of the files and directories to the owner of the home directory, run the following command: sudo chown -R username /Users/username

b
The default global umask setting must be changed for user applications.
CM-6 - Medium - CCI-000366 - V-51249 - SV-65459r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01015
Vuln IDs
  • V-51249
Rule IDs
  • SV-65459r1_rule
The default global umask setting must be changed for user applications.
Checks: C-53597r1_chk

To view the umask setting, run the following command: awk '{ print $2 }' /etc/launchd-user.conf If the command produces an error, or the result is not "027", this is a finding.

Fix: F-56049r1_fix

To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 027' > /etc/launchd-user.conf"

b
The default global umask setting must be changed for system processes.
CM-6 - Medium - CCI-000366 - V-51251 - SV-65461r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01020
Vuln IDs
  • V-51251
Rule IDs
  • SV-65461r1_rule
The default global umask setting must be configured correctly for system processes.
Checks: C-53599r1_chk

To view the umask setting, run the following command: umask If the setting is not "022", this is a finding.

Fix: F-56051r1_fix

To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 022' > /etc/launchd.conf"

b
Local logging must be enabled.
CM-6 - Medium - CCI-000366 - V-51253 - SV-65463r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01025
Vuln IDs
  • V-51253
Rule IDs
  • SV-65463r1_rule
Local logging must be enabled.
Checks: C-53601r1_chk

To check if the newsyslog daemon is disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.newsyslog Disabled If the result shows a "1", this is a finding.

Fix: F-56053r1_fix

To ensure that the newsyslog daemon is not disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/com.apple.newsyslog Disabled -bool FALSE

b
Newsyslog must be correctly configured to rotate log files.
CM-6 - Medium - CCI-000366 - V-51255 - SV-65465r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01030
Vuln IDs
  • V-51255
Rule IDs
  • SV-65465r1_rule
Newsyslog needs to be correctly configured to rotate log files.
Checks: C-53603r1_chk

To view the settings for the log file rotation, run the following command: sudo grep -v "^#" /etc/newsyslog.conf The third column is the number of files to keep in rotation. If this is not set to the correct value for the organization, this is a finding.

Fix: F-56055r1_fix

Edit the /etc/newsyslog.conf file to configure the correct values.

b
Administrator accounts must be created with difficult-to-guess names.
CM-6 - Medium - CCI-000366 - V-51257 - SV-65467r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01035
Vuln IDs
  • V-51257
Rule IDs
  • SV-65467r1_rule
Administrator accounts must be created with difficult-to-guess names.
Checks: C-53605r1_chk

To list all of the administrator accounts on the system, run the following command: sudo dscl . -read /Groups/admin GroupMembership If any of the resulting accounts contain easy-to-guess names, this is a finding. An example of an easy to guess name would contain "admin" or "administrator".

Fix: F-56057r1_fix

Rename any accounts on the system that contain easy to guess names.

b
The system must not use .forward files.
CM-6 - Medium - CCI-000366 - V-51259 - SV-65469r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01040
Vuln IDs
  • V-51259
Rule IDs
  • SV-65469r1_rule
The system must not use .forward files.
Checks: C-53607r1_chk

To check if the system contains any ".forward" files, run the following command: find / -name .forward -print If anything is returned, this is a finding.

Fix: F-56059r1_fix

To remove any ".forward" files from the system, run the following command: find / -name .forward -exec rm {} \;

b
Active Directory Access must be securely configured to sign all packets.
CM-6 - Medium - CCI-000366 - V-51261 - SV-65471r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01045
Vuln IDs
  • V-51261
Rule IDs
  • SV-65471r1_rule
Active Directory Access must be securely configured to sign all packets.
Checks: C-53609r1_chk

To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet Signing option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.

Fix: F-56061r1_fix

To set the Active Directory configuration to require signing of packets, run the following command: sudo dsconfigad -packetsign require

b
Active Directory Access must be securely configured to encrypt all packets.
CM-6 - Medium - CCI-000366 - V-51263 - SV-65473r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01050
Vuln IDs
  • V-51263
Rule IDs
  • SV-65473r1_rule
Active Directory Access must be securely configured to encrypt all packets.
Checks: C-53611r1_chk

To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet encryption option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.

Fix: F-56063r1_fix

To set the Active Directory configuration to require encryption of packets, run the following command: sudo dsconfigad -packetencrypt require

a
iTunes Store must be disabled.
CM-6 - Low - CCI-000366 - V-51265 - SV-65475r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01055
Vuln IDs
  • V-51265
Rule IDs
  • SV-65475r1_rule
iTunes Store must be disabled.
Checks: C-53613r1_chk

To check if the iTunes store is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableMusicStore | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

Fix: F-56065r1_fix

This can be enforced using a configuration profile.

b
An Emergency Administrator Account must be created.
CM-6 - Medium - CCI-000366 - V-51267 - SV-65477r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01060
Vuln IDs
  • V-51267
Rule IDs
  • SV-65477r1_rule
An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. This emergency account should have a UID less than "500", and be hidden from view.
Checks: C-53615r1_chk

To check to see if UIDs below "500" are hidden, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow Hide500Users If the result is not "1", this is a finding.

Fix: F-56067r1_fix

To hide user accounts below "500", run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

b
The root account must be the only account having a UID of 0.
CM-6 - Medium - CCI-000366 - V-51269 - SV-65479r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01065
Vuln IDs
  • V-51269
Rule IDs
  • SV-65479r1_rule
The root account must be the only account having a UID of "0".
Checks: C-53617r1_chk

To list all of the accounts with a UID of "0", run this command: sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l If the result is not "1", this is a finding.

Fix: F-56069r1_fix

Investigate as to why any additional accounts were set up with a UID of "0".

a
Finder must be set to always empty Trash securely.
CM-6 - Low - CCI-000366 - V-51271 - SV-65481r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01075
Vuln IDs
  • V-51271
Rule IDs
  • SV-65481r1_rule
Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.
Checks: C-53619r1_chk

To check that the finder will only present the option to securely empty trash run the following command as the primary user: system_profiler SPConfigurationProfileDataType | grep EmptyTrashSecurely | awk '{ print $3 }' | sed 's/;//' If the result does not return a setting, or the setting is not "1", this is a finding.

Fix: F-56071r1_fix

This should be enforced by a configuration profile.

b
The application firewall must be enabled.
CM-6 - Medium - CCI-000366 - V-51273 - SV-65483r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01080
Vuln IDs
  • V-51273
Rule IDs
  • SV-65483r1_rule
The application firewall must be enabled.
Checks: C-53621r1_chk

To check if the OS X firewall has been enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is not enabled, this is a finding.

Fix: F-56073r1_fix

To enable the firewall run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

b
The system must not be allowed to restart after a power failure.
CM-6 - Medium - CCI-000366 - V-51275 - SV-65485r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01090
Vuln IDs
  • V-51275
Rule IDs
  • SV-65485r1_rule
The system must not be allowed to restart after a power failure.
Checks: C-53623r2_chk

To check if the system is configured to restart automatically after a power loss, run the following command: system_profiler SPConfigurationProfileDataType | grep "Automatic Restart On Power Loss" | awk '{ print $7 }' | sed 's/;//' If the result is not "0", this is a finding.

Fix: F-56075r1_fix

This is enforced using a configuration profile.

b
Fast User Switching must be disabled.
CM-6 - Medium - CCI-000366 - V-51277 - SV-65487r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01100
Vuln IDs
  • V-51277
Rule IDs
  • SV-65487r1_rule
Fast User Switching must be disabled.
Checks: C-53625r1_chk

To check if Fast User Switching is enabled, run the following command: system_profiler SPConfigurationProfileDataType | grep MultipleSessionEnabled | awk '{ print $3 }' | sed 's/;//' If the setting is not "0", this is a finding.

Fix: F-56077r1_fix

This is enforced using a configuration profile.

b
Kernel core dumps must be disabled unless needed.
CM-6 - Medium - CCI-000366 - V-51279 - SV-65489r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01105
Vuln IDs
  • V-51279
Rule IDs
  • SV-65489r1_rule
Kernel core dumps must be disabled unless needed.
Checks: C-53627r1_chk

To check if kernel core dumps are enabled, run the following command: sudo sysctl kern.coredump | awk '{ print $NF }' If the value is not "0", this is a finding.

Fix: F-56079r1_fix

Edit the /etc/sysctl.conf file to include the following line: kern.coredump=0

b
All public directories must be owned by root or an application account.
CM-6 - Medium - CCI-000366 - V-51281 - SV-65491r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01110
Vuln IDs
  • V-51281
Rule IDs
  • SV-65491r1_rule
All public directories must be owned by root or an application account.
Checks: C-53629r1_chk

To display all directories that are writable by all, run the following command: sudo find / -type d -perm -1002 -not -uid 0 If anything is returned, this is a finding.

Fix: F-56081r1_fix

To change the ownership of any finding, run the following command: sudo find / -type d -perm -1002 -not -uid 0 -exec chown root {} \;

b
The system must not have the finger service active.
CM-6 - Medium - CCI-000366 - V-51283 - SV-65493r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01115
Vuln IDs
  • V-51283
Rule IDs
  • SV-65493r1_rule
The system must not have the finger service active.
Checks: C-53631r2_chk

To check if the finger service has been disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.fingerd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56083r1_fix

To ensure that the finger service is disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.fingerd" -dict Disabled -bool true

b
The sticky bit must be set on all public directories.
CM-6 - Medium - CCI-000366 - V-51285 - SV-65495r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01120
Vuln IDs
  • V-51285
Rule IDs
  • SV-65495r2_rule
The sticky bit must be set on all public directories.
Checks: C-53633r2_chk

Run the following command to view all world-writable directories that do not have the sticky bit set: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.

Fix: F-56085r1_fix

Run the following command to set the sticky bit on all world-writable directories: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;

b
The prompt for Apple ID and iCloud must be disabled.
CM-6 - Medium - CCI-000366 - V-51287 - SV-65497r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01125
Vuln IDs
  • V-51287
Rule IDs
  • SV-65497r1_rule
The prompt for Apple ID and iCloud must be disabled.
Checks: C-53635r1_chk

To check if the prompt for Apple ID and iCloud are disabled for new users, run the following command: sudo defaults read /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant If there is no result, or the results do not include "DidSeeCloudSetup = 1 AND LastSeenCloudProductVersion = 10.8", this is a finding.

Fix: F-56087r1_fix

To ensure that the prompt for Apple ID and iCloud is disabled, run the following commands: sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE; sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.8"

b
Users must not have Apple IDs signed into iCloud.
CM-6 - Medium - CCI-000366 - V-51289 - SV-65499r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01130
Vuln IDs
  • V-51289
Rule IDs
  • SV-65499r1_rule
Users should not have Apple ID's signed into iCloud.
Checks: C-53637r1_chk

To see if any user account has configured an Apple ID for iCloud usage, run the following command: sudo find /Users/ -name "MobileMeAccounts.plist" -exec defaults read '{}' \; If the results show any accounts listed, this is a finding.

Fix: F-56089r1_fix

This must be manually resolved. With the affected user logged in, open System Preferences->iCloud. Choose "Sign Out".

a
Spotlight Panel must be securely configured.
CM-6 - Low - CCI-000366 - V-51291 - SV-65501r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01135
Vuln IDs
  • V-51291
Rule IDs
  • SV-65501r1_rule
Spotlight Panel must be securely configured.
Checks: C-53639r1_chk

To view the folders that are excluded by Spotlight, run the following command: sudo defaults read /.Spotlight-V100/VolumeConfiguration.plist Exclusions If there are no results, or the results don't meet the organizations requirements, this is a finding.

Fix: F-56091r1_fix

To add exclusions to the spotlight search, open up System Preferences->Spotlight, and add the folders to the Privacy tab to prevent Spotlight from searching those locations.

a
iTunes Music Sharing must be disabled.
CM-6 - Low - CCI-000366 - V-51293 - SV-65503r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01140
Vuln IDs
  • V-51293
Rule IDs
  • SV-65503r1_rule
iTunes Music Sharing must be disabled.
Checks: C-53641r1_chk

To check if the iTunes music sharing is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableSharedMusic | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

Fix: F-56093r1_fix

This can be enforced using a configuration profile.

b
All setuid executables on the system must be vendor-supplied.
CM-6 - Medium - CCI-000366 - V-51295 - SV-65505r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01145
Vuln IDs
  • V-51295
Rule IDs
  • SV-65505r1_rule
All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs allowing reading and writing of files, or shell escapes. Only default vendor-supplied executables should have the setuid bit set.
Checks: C-53643r1_chk

To list all of the files with the setuid bit set, run the following command: sudo find / -perm 4000 -exec ls -ldb {} \; If any of the files listed are not documented as needing to have the setuid bit set by the vendor, this is a finding

Fix: F-56095r1_fix

Document all of the files with the setuid bit set.

a
iTunes Radio must be disabled.
CM-6 - Low - CCI-000366 - V-51297 - SV-65507r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01150
Vuln IDs
  • V-51297
Rule IDs
  • SV-65507r1_rule
iTunes Radio must be disabled.
Checks: C-53645r1_chk

To check if the iTunes radio is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableRadio | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

Fix: F-56097r1_fix

This can be enforced using a configuration profile.

a
iTunes Podcasts must be disabled.
CM-6 - Low - CCI-000366 - V-51299 - SV-65509r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
OSX8-00-01155
Vuln IDs
  • V-51299
Rule IDs
  • SV-65509r1_rule
iTunes Podcasts must be disabled.
Checks: C-53647r1_chk

To check if the iTunes podcasts are disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disablePodcasts | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

Fix: F-56099r1_fix

This can be enforced using a configuration profile.

b
Unnecessary packages must not be installed.
CM-6 - Medium - CCI-000366 - V-51301 - SV-65511r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01165
Vuln IDs
  • V-51301
Rule IDs
  • SV-65511r1_rule
Unnecessary packages must not be installed.
Checks: C-53649r1_chk

To view a list of packages and applications installed on the system, run the following command: sudo pkgutil / --pkgs If any of the packages listed are not required for proper operation of the system, this is a finding.

Fix: F-56101r1_fix

If there are any unnecessary packages installed on the system, verify any dependencies and remove those not required.

b
The centralized process core dump data directory must be owned by root.
CM-6 - Medium - CCI-000366 - V-51303 - SV-65513r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01175
Vuln IDs
  • V-51303
Rule IDs
  • SV-65513r1_rule
The centralized process core dump data directory must be owned by root.
Checks: C-53651r1_chk

To check the ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the owner is not "root", this is a finding.

Fix: F-56103r1_fix

To change the ownership to "root", run the following command: sudo chown root /Library/Logs/DiagnosticReports/

b
The centralized process core dump data directory must have mode 0750 or less permissive.
CM-6 - Medium - CCI-000366 - V-51305 - SV-65515r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01180
Vuln IDs
  • V-51305
Rule IDs
  • SV-65515r1_rule
The centralized process core dump data directory must have mode "0750' or less permissive.
Checks: C-53653r2_chk

To check the permissions of the process core dump directory, run the following command: sudo stat -f %A /Library/Logs/DiagnosticReports/ If the permissions are not "0750", this is a finding.

Fix: F-56105r1_fix

To change the permissions of the directory, run the following command: sudo chmod 0750 /Library/Logs/DiagnosticReports/

b
The centralized process core dump data directory must be group-owned by admin.
CM-6 - Medium - CCI-000366 - V-51307 - SV-65517r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01185
Vuln IDs
  • V-51307
Rule IDs
  • SV-65517r1_rule
The centralized process core dump data directory must be group-owned by admin.
Checks: C-53655r2_chk

To check the group ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the group is not "admin", this is a finding.

Fix: F-56107r1_fix

To change the group ownership to ""admin run the following command: sudo chgrp admin /Library/Logs/DiagnosticReports/

b
The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
CM-6 - Medium - CCI-000366 - V-51309 - SV-65519r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01190
Vuln IDs
  • V-51309
Rule IDs
  • SV-65519r1_rule
The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
Checks: C-53657r1_chk

To check if the system is configured to respond to ICMP echoes, run the following command: sudo sysctl net.inet.icmp.bmcastecho | awk '{ print $NF }' If the value is not set to "1", this is a finding.

Fix: F-56109r1_fix

To disable ICMP responses to broadcast traffic add the following line to /etc/sysctl.conf: net.inet.icmp.bmcastecho=1

b
The system must not accept source-routed IPv4 packets.
CM-6 - Medium - CCI-000366 - V-51311 - SV-65521r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01195
Vuln IDs
  • V-51311
Rule IDs
  • SV-65521r1_rule
The system must not accept source-routed IPv4 packets.
Checks: C-53659r3_chk

To check if the system is configured to accept source-routed packets, run the following command: sysctl net.inet.ip.accept_sourceroute | awk '{ print $NF }' If the value is not "0", this is a finding.

Fix: F-56111r1_fix

To configure the system to not accept source-routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.accept_sourceroute=0

b
The system must ignore IPv4 ICMP redirect messages.
CM-6 - Medium - CCI-000366 - V-51313 - SV-65523r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01200
Vuln IDs
  • V-51313
Rule IDs
  • SV-65523r1_rule
The system must ignore IPv4 ICMP redirect messages.
Checks: C-53661r1_chk

To check if the system is configured to ignore ICMP redirect messages, run the following command: sysctl -a net.inet.icmp.drop_redirect | awk '{ print $NF }' If the value is not "1", this is a finding.

Fix: F-56113r1_fix

To configure the system to ignore ICMP redirect messages, add the following line to /etc/sysctl.conf: net.inet.icmp.drop_redirect=1

b
IP forwarding for IPv4 must not be enabled, unless the system is a router.
CM-6 - Medium - CCI-000366 - V-51315 - SV-65525r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01205
Vuln IDs
  • V-51315
Rule IDs
  • SV-65525r1_rule
IP forwarding for IPv4 must not be enabled, unless the system is a router.
Checks: C-53663r1_chk

To check if IP forwarding is enabled, run the following command: sysctl net.inet.ip.forwarding | awk '{ print $NF }' If the value is not "0", this is a finding.

Fix: F-56115r1_fix

To configure the system to disable IPv4 forwarding, add the following line to /etc/sysctl.conf: net.inet.ip.forwarding=0

b
The system must not send IPv4 ICMP redirects by default.
CM-6 - Medium - CCI-000366 - V-51317 - SV-65527r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01210
Vuln IDs
  • V-51317
Rule IDs
  • SV-65527r1_rule
The system must not send IPv4 ICMP redirects by default.
Checks: C-53665r1_chk

To check if the system is configured to send ICMP redirects, run the following command: sysctl net.inet.ip.redirect | awk '{ print $NF }' If the value is not set to "0", this is a finding.

Fix: F-56117r1_fix

To disable ICMP redirects, add the following line to /etc/sysctl.conf: net.inet.ip.redirect=0

b
The system must prevent local applications from generating source-routed packets.
CM-6 - Medium - CCI-000366 - V-51319 - SV-65529r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01215
Vuln IDs
  • V-51319
Rule IDs
  • SV-65529r1_rule
The system must prevent local applications from generating source-routed packets.
Checks: C-53667r1_chk

To check if the system is configured to generate source-routed packets, run the following command: sysctl net.inet.ip.sourceroute | awk '{ print $NF }' If the value is not set to "1", this is a finding.

Fix: F-56119r1_fix

To disable source routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.sourceroute=1

b
The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
CM-6 - Medium - CCI-000366 - V-51321 - SV-65531r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01220
Vuln IDs
  • V-51321
Rule IDs
  • SV-65531r1_rule
The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
Checks: C-53669r1_chk

To check if the system is configured to process ICMP timestamp requests, run the following command: sysctl net.inet.icmp.timestamp | awk '{ print $NF }' If the value is not set to "1", this is a finding.

Fix: F-56121r1_fix

To disable ICMP timestamp responses, add the following line to /etc/sysctl.conf: net.inet.icmp.timestamp=1

b
Audio recording support software must be disabled.
CM-6 - Medium - CCI-000366 - V-51323 - SV-65533r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01225
Vuln IDs
  • V-51323
Rule IDs
  • SV-65533r1_rule
Audio recording support software must be disabled.
Checks: C-53671r1_chk

Disabling the microphone completely will also remove all audio output from the computer. If audio is not a mission requirement check for presence of the following files, presence of any of these files is a finding. ls -l /System/Library/Extensions/AppleUSBAudio.kext /System/Library/Extensions/IOAudioFamily.kext /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext If audio output is required for the mission the only way to disable the microphone and maintain kext file signatures is running the following command to ensure the input volume is 0. The volume can be checked by running the following script: osascript -e 'get volume settings' Any value other than "0" for "input volume" is a finding. Microphone hardware can also be physically removed from the device prior to deployment to meet this requirement.

Fix: F-56123r1_fix

To disable all audio input/output on the device run the following commands: sudo rm -rf /System/Library/Extensions/AppleUSBAudio.kext;sudo rm -rf /System/Library/Extensions/IOAudioFamily.kext;sudo rm -rf /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext To fix a non "0" input volume on a machine that requires audio output functionality, run this command on a repeating interval or Manually change the input volume to "0": osascript -e 'set volume input volume 0'

b
Unused network devices must be disabled.
CM-6 - Medium - CCI-000366 - V-51325 - SV-65535r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01235
Vuln IDs
  • V-51325
Rule IDs
  • SV-65535r1_rule
Unused network devices must be disabled.
Checks: C-53673r1_chk

To list the network devices that are enabled on the system, run the following command: sudo networksetup -listallnetworkservices If any service is listed that is not being used, it must be disabled.

Fix: F-56125r1_fix

To disable a network service, run the following command: sudo networksetup -setnetworkserviceenabled <networkservice> off

b
Stealth Mode must be enabled on the firewall.
CM-6 - Medium - CCI-000366 - V-51327 - SV-65537r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01245
Vuln IDs
  • V-51327
Rule IDs
  • SV-65537r1_rule
Stealth Mode must be enabled on the firewall.
Checks: C-53675r1_chk

To check if the OSX firewall (not pf.conf) is running in stealth mode run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{ print $NF }' If the result is "Disabled", this is a finding.

Fix: F-56127r1_fix

To enable the firewall stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

b
Secure virtual memory must be used.
CM-6 - Medium - CCI-000366 - V-51329 - SV-65539r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01260
Vuln IDs
  • V-51329
Rule IDs
  • SV-65539r1_rule
Secure virtual memory must be used.
Checks: C-53677r2_chk

To check if the system is using secure virtual memory run the following command: sudo sysctl vm.swapusage | awk '{ print $NF }' If the result does not show (encrypted), this is a finding.

Fix: F-56129r1_fix

To ensure secure virtual memory is secure, run the following command: sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE

b
The Operating System must be current and at the latest release level.
CM-6 - Medium - CCI-000366 - V-51331 - SV-65541r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-01265
Vuln IDs
  • V-51331
Rule IDs
  • SV-65541r1_rule
The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.
Checks: C-53679r1_chk

To check which software update are available for the system, run the following command: sudo softwareupdate --list --all Review the results and determine if any updates need to be applied. If there are any required updates that have not been applied, this is a finding.

Fix: F-56131r1_fix

To install software updates, run the following command: sudo softwareupdate --install [name of update]

b
The CRLStyle option must be set correctly.
IA-5 - Medium - CCI-000185 - V-51333 - SV-65543r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OSX8-00-00618
Vuln IDs
  • V-51333
Rule IDs
  • SV-65543r1_rule
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-53681r1_chk

To check to see if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.

Fix: F-56133r1_fix

This is enforced using a configuration profile.

b
A host-based firewall must be installed.
SC-7 - Medium - CCI-001100 - V-51339 - SV-65549r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001100
Version
OSX8-00-00795
Vuln IDs
  • V-51339
Rule IDs
  • SV-65549r1_rule
Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation on the public internet.
Checks: C-53685r1_chk

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.

Fix: F-56135r1_fix

Install an approved HBSS or firewall solution onto the system.

b
System Preferences must be securely configured so IPv6 is turned off if not being used.
SC-7 - Medium - CCI-001100 - V-51341 - SV-65551r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001100
Version
OSX8-00-01240
Vuln IDs
  • V-51341
Rule IDs
  • SV-65551r1_rule
System Preferences must be securely configured so IPv6 is turned off if not being used.
Checks: C-53689r1_chk

Run the following command to list all network interfaces and services active on them: networksetup -listallnetworkservices If any enabled network interfaces have IPv6 enabled that do not require the use of IPv6, this is a finding.

Fix: F-56139r1_fix

Run: networksetup -setv6off Ethernet to turn ipv6 addressing off for the Ethernet interface. Repeat command for each interface that is active, interface names are case sensitive.

b
DoD proxies must be configured on all active network interfaces.
SC-7 - Medium - CCI-001112 - V-51343 - SV-65553r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001112
Version
OSX8-00-00810
Vuln IDs
  • V-51343
Rule IDs
  • SV-65553r1_rule
A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside of learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to; the proxy server is in the middle handling both sides of the session.
Checks: C-53691r1_chk

To show the proxy configuration for the Ethernet interface, run the following command: networksetup -getautoproxyurl Ethernet replace "Ethernet" with the plain English name of the network interface you need to verify. If there is no proxy defined, or enabled is set to "No", this is a finding. This command: networksetup -listallnetworkservices will list the plain English names of all configured network interfaces on the computer.

Fix: F-56143r1_fix

Ensure that DoD proxies are configured on all active network interfaces listed from the command: networksetup -listallnetworkservices

b
The SSH daemon ClientAliveInterval option must be set correctly.
SC-10 - Medium - CCI-001133 - V-51347 - SV-65557r1_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
OSX8-00-00715
Vuln IDs
  • V-51347
Rule IDs
  • SV-65557r1_rule
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
Checks: C-53693r1_chk

To check which the idle timeout setting for SSH sessions, run the following: grep ClientAliveInterval /etc/sshd_config If these setting is not "600", or commented out, this is a finding.

Fix: F-56145r1_fix

In order to make sure that the correct ClientAliveInterval is set correctly, run the following command: sudo sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/sshd_config

b
The SSH daemon ClientAliveCountMax option must be set correctly.
SC-10 - Medium - CCI-001133 - V-51351 - SV-65561r1_rule
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
OSX8-00-00720
Vuln IDs
  • V-51351
Rule IDs
  • SV-65561r1_rule
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
Checks: C-53695r1_chk

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: grep ClientAliveCountMax /etc/sshd_config If the setting is commented out, or not "ClientAliveCountMax 0", this is a finding.

Fix: F-56151r1_fix

In order to make sure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, run the following command: sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config .

a
The SSH daemon LoginGraceTime must be set correctly.
SC-10 - Low - CCI-001133 - V-51353 - SV-65563r1_rule
RMF Control
SC-10
Severity
L
CCI
CCI-001133
Version
OSX8-00-00945
Vuln IDs
  • V-51353
Rule IDs
  • SV-65563r1_rule
LoginGraceTime must be securely configured in /etc/sshd_config.
Checks: C-53697r1_chk

To check the amount of time that a user can login through SSH, run the following command: grep LoginGraceTime /etc/sshd_config If the value is not set to "30" or less, this is a finding.

Fix: F-56153r1_fix

In order to make sure that LoginGraceTime is configured correctly, run the following command: sudo sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/sshd_config

c
The FIPS administrative and cryptographic modules must be installed correctly.
SC-13 - High - CCI-001144 - V-51355 - SV-65565r1_rule
RMF Control
SC-13
Severity
H
CCI
CCI-001144
Version
OSX8-00-00725
Vuln IDs
  • V-51355
Rule IDs
  • SV-65565r1_rule
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Checks: C-53699r1_chk

Run the following command to ensure the correct FIPS administrative and cryptographic modules are installed correctly: sudo codesign -dvvv /usr/libexec/cc_fips_test 2&gt;&amp;1 | grep CDHash | sed 's/CDHash=//' The result should be "bdef561bd742ae2e28589ca3ed44f188530d6910". If it differs, this is a finding.

Fix: F-56157r1_fix

Download and install the Apple FIPS Cryptographic Module v3.0 from http://support.apple.com/kb/DL1555

b
Video recording support software must be disabled.
SC-15 - Medium - CCI-001150 - V-51359 - SV-65569r1_rule
RMF Control
SC-15
Severity
M
CCI
CCI-001150
Version
OSX8-00-01251
Vuln IDs
  • V-51359
Rule IDs
  • SV-65569r1_rule
Video recording support software must be disabled.
Checks: C-53701r1_chk

To check if the video recording plugins are installed, run the following commands: sudo ls -l /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo ls -l /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo ls -l /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC If any of the files exist, this is a finding.

Fix: F-56161r1_fix

To remove video recording support, run the following commands: sudo rm -rf /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo rm -rf /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo rm -rf /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC These commands cannot be undone.

b
The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
SC-17 - Medium - CCI-001159 - V-51365 - SV-65575r1_rule
RMF Control
SC-17
Severity
M
CCI
CCI-001159
Version
OSX8-00-00750
Vuln IDs
  • V-51365
Rule IDs
  • SV-65575r1_rule
For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.
Checks: C-53705r1_chk

To view a list of installed certificates, run the following command: sudo security -dump-keychain | grep labl | awk -F\" '{ print $4 }' If this list does not contain approved certificates, this is a finding.

Fix: F-56163r1_fix

Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from /Applications/Utilities to add certificates to the System keychain.

b
The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
SC-18 - Medium - CCI-001166 - V-51367 - SV-65577r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001166
Version
OSX8-00-00755
Vuln IDs
  • V-51367
Rule IDs
  • SV-65577r1_rule
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Xprotect Update needs to be running.
Checks: C-53707r1_chk

To make sure the Xprotect Update service is running, run the following command: sudo launchctl list | grep com.apple.xprotectupdater If there is no result, this is a finding.

Fix: F-56167r1_fix

The Xprotect mechanism is installed and running by default. Make sure the launch daemon is correctly configured in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist. If this file doesn't exist, you may need to obtain it from the original install media.

b
The operating system must protect the confidentiality and integrity of information at rest.
SC-28 - Medium - CCI-001199 - V-51371 - SV-65581r1_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001199
Version
OSX8-00-00780
Vuln IDs
  • V-51371
Rule IDs
  • SV-65581r1_rule
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive). The operating system must ensure the data being written to these devices is protected. In most cases, this is done via encryption.
Checks: C-53709r1_chk

To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.

Fix: F-56169r1_fix

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

b
The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.
SI-2 - Medium - CCI-001233 - V-51373 - SV-65583r1_rule
RMF Control
SI-2
Severity
M
CCI
CCI-001233
Version
OSX8-00-00835
Vuln IDs
  • V-51373
Rule IDs
  • SV-65583r1_rule
Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This role is usually assigned to patch management software deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions and the related flaws that require patching. From an operating system requirement perspective, the operating system must perform this or there must be an application installed performing this function.
Checks: C-53713r1_chk

The system must be defined to use an internal software update server. To check the value of the software update server, run the following command: system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//' If it is not defined or set to the correct organization-defined value, this is a finding.

Fix: F-56173r2_fix

This should be configured with a configuration profile.

b
The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
SI-2 - Medium - CCI-001237 - V-51377 - SV-65587r1_rule
RMF Control
SI-2
Severity
M
CCI
CCI-001237
Version
OSX8-00-00840
Vuln IDs
  • V-51377
Rule IDs
  • SV-65587r1_rule
The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed.
Checks: C-53715r1_chk

The system must be defined to use an internal software update server. To check the value of the software update server, run the following command: system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//' If it is not defined or set to the correct organization-defined value, this is a finding.

Fix: F-56175r1_fix

This should be configured with a configuration profile.

b
System log files must be owned by root:wheel.
SI-11 - Medium - CCI-001314 - V-51381 - SV-65591r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
OSX8-00-00815
Vuln IDs
  • V-51381
Rule IDs
  • SV-65591r1_rule
If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.
Checks: C-53717r1_chk

This command checks for log files that exist on the system and prints out the log with corresponding ownership.. stat -f "%Su:%Sg:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2&gt; /dev/null If there are any log files that are not owned by root and group-owned by wheel or admin, this is a finding.

Fix: F-56177r1_fix

For any log file that returns an incorrect permission value, run the following command: chown root:wheel [log file] where [log file] is the full path to the log file in question.

b
System log files must have the correct permissions.
SI-11 - Medium - CCI-001314 - V-51385 - SV-65595r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
OSX8-00-00820
Vuln IDs
  • V-51385
Rule IDs
  • SV-65595r1_rule
System log files should have the correct permissions.
Checks: C-53721r1_chk

This command checks for log files that exist on the system and prints out the log with corresponding permissions. stat -f "%A:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2&gt; /dev/null The correct permissions should be "640" or less permissive. Any file with more permissive settings is a finding.

Fix: F-56183r1_fix

For any log file that returns an incorrect permission value, run the following command: chmod 640 [log file] where [log file] is the full path to the log file in question.

b
System log files must not contain ACLs.
SI-11 - Medium - CCI-001314 - V-51387 - SV-65597r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
OSX8-00-00825
Vuln IDs
  • V-51387
Rule IDs
  • SV-65597r1_rule
System log files should not contain ACLs.
Checks: C-53723r1_chk

This command checks for log files that exist on the system and prints out the list of ACLs if there are any. ls -le `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2&gt; /dev/null ACLs will be listed under any file that may contain them. i.e. "0: group:admin allow list,readattr,reaadextattr,readsecurity" If any file contains this information, this is a finding.

Fix: F-56185r1_fix

For any log file that returns an ACL, run the following command: chmod -N [log file] where [log file] is the full path to the log file in question.

b
The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
SI-4 - Medium - CCI-001274 - V-51389 - SV-65599r1_rule
RMF Control
SI-4
Severity
M
CCI
CCI-001274
Version
OSX8-00-00875
Vuln IDs
  • V-51389
Rule IDs
  • SV-65599r1_rule
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Automated alarming mechanisms provide the appropriate personnel with the capability to immediately respond and react to events categorized as unusual or having security implications that could be detrimental to system and/or organizational security.
Checks: C-53725r1_chk

Ask the SA or IAO if a host-based security system is loaded on the system. The recommended system is the McAfee HBSS. If there is no HBSS installed on the system, this is a finding.

Fix: F-56187r1_fix

If they system does not have the HBSS package installed, contact the HBSS administrator to obtain installer package for the software.

b
The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
AU-9 - Medium - CCI-001348 - V-51393 - SV-65603r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
OSX8-00-00395
Vuln IDs
  • V-51393
Rule IDs
  • SV-65603r1_rule
Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.
Checks: C-53729r1_chk

To check the location of the audit log files, run the following command: sudo ls -ld `sudo grep "^dir" /etc/security/audit_control | sed 's/dir://'` The default location is /var/audit. If this is not defined or defined incorrectly, this is a finding.

Fix: F-56191r1_fix

Edit the /etc/security/audit_control file to define the directory for audit logs.

b
The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
AC-8 - Medium - CCI-001384 - V-51395 - SV-65605r1_rule
RMF Control
AC-8
Severity
M
CCI
CCI-001384
Version
OSX8-00-00195
Vuln IDs
  • V-51395
Rule IDs
  • SV-65605r1_rule
Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.
Checks: C-53731r2_chk

The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder. ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document should read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG -authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-56193r1_fix

Create a RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security

b
The operating system must employ automated mechanisms to centrally manage configuration settings.
CM-6 - Medium - CCI-000370 - V-51397 - SV-65607r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000370
Version
OSX8-00-00445
Vuln IDs
  • V-51397
Rule IDs
  • SV-65607r1_rule
Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Rather than visiting each system when making configuration changes, organizations must employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Checks: C-53733r1_chk

To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.

Fix: F-56195r1_fix

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

b
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
SC-28 - Medium - CCI-001200 - V-51399 - SV-65609r1_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001200
Version
OSX8-00-00785
Vuln IDs
  • V-51399
Rule IDs
  • SV-65609r1_rule
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system.
Checks: C-53735r1_chk

To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.

Fix: F-56197r1_fix

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

b
The operating system must enforce requirements for remote connections to the information system.
AC-17 - Medium - CCI-000066 - V-51401 - SV-65611r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000066
Version
OSX8-00-00055
Vuln IDs
  • V-51401
Rule IDs
  • SV-65611r1_rule
The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.
Checks: C-53737r1_chk

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.

Fix: F-56199r1_fix

Install an approved HBSS or firewall solution onto the system.

b
The operating system must enforce requirements for remote connections to the information system.
AC-17 - Medium - CCI-000066 - V-51403 - SV-65613r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000066
Version
OSX8-00-01170
Vuln IDs
  • V-51403
Rule IDs
  • SV-65613r1_rule
Screen Sharing must be disabled.
Checks: C-53739r1_chk

To check if screen sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.screensharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56201r1_fix

To disable screen sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.screensharing" -dict Disabled -bool true

b
The operating system must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-51405 - SV-65615r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001403
Version
OSX8-00-00125
Vuln IDs
  • V-51405
Rule IDs
  • SV-65615r1_rule
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of user accounts and, as required, notifies appropriate individuals.
Checks: C-53741r1_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

Fix: F-56203r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

b
The operating system must automatically audit account disabling actions.
AC-2 - Medium - CCI-001404 - V-51407 - SV-65617r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001404
Version
OSX8-00-00130
Vuln IDs
  • V-51407
Rule IDs
  • SV-65617r1_rule
When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events affecting user accessibility and operating system processing, the operating system must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.
Checks: C-53743r1_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

Fix: F-56205r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

b
The operating system must automatically audit account termination.
AC-2 - Medium - CCI-001405 - V-51409 - SV-65619r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001405
Version
OSX8-00-00135
Vuln IDs
  • V-51409
Rule IDs
  • SV-65619r1_rule
Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The operating system must audit and notify, as required, to mitigate the Denial of Service risk.
Checks: C-53745r1_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

Fix: F-56207r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

b
The system firewall must be configured with a default-deny policy.
AC-4 - Medium - CCI-001414 - V-51411 - SV-65621r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001414
Version
OSX8-00-00155
Vuln IDs
  • V-51411
Rule IDs
  • SV-65621r1_rule
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path.
Checks: C-53747r1_chk

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, and configured with a default deny policy, this is a finding.

Fix: F-56209r1_fix

Install an approved HBSS or firewall solution onto the system.

b
Internet Sharing must be disabled.
AC-4 - Medium - CCI-001414 - V-51413 - SV-65623r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001414
Version
OSX8-00-01270
Vuln IDs
  • V-51413
Rule IDs
  • SV-65623r1_rule
Internet Sharing must be disabled.
Checks: C-53749r1_chk

To check if Internet sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.InternetSharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56211r1_fix

To disable Internet Sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.InternetSharing" -dict Disabled -bool true

b
Web Sharing must be disabled.
AC-4 - Medium - CCI-001414 - V-51415 - SV-65625r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001414
Version
OSX8-00-01275
Vuln IDs
  • V-51415
Rule IDs
  • SV-65625r1_rule
Web Sharing must be disabled.
Checks: C-53751r1_chk

To check if Web Sharing is enabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled If the result is not "1", this is a finding.

Fix: F-56213r1_fix

To disable Web Sharing, run the following command: sudo defaults write /System/Library/LaunchDaemons/org/apache.httpd.plist Disabled -bool TRUE

c
The rsh service must be disabled.
AC-17 - High - CCI-001436 - V-51417 - SV-65627r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001436
Version
OSX8-00-00050
Vuln IDs
  • V-51417
Rule IDs
  • SV-65627r1_rule
Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities. Based on that assessment some may be deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
Checks: C-53753r1_chk

The "rshd" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/shell Disabled If the result is not "1", this is a finding.

Fix: F-56215r1_fix

To set the "rshd" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/shell Disabled 1

b
The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
AC-7 - Medium - CCI-001452 - V-51419 - SV-65629r1_rule
RMF Control
AC-7
Severity
M
CCI
CCI-001452
Version
OSX8-00-01325
Vuln IDs
  • V-51419
Rule IDs
  • SV-65629r1_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-53755r1_chk

To check if the password policy is configured to disabled an account within 15 minutes of failed attempts, run the following command: sudo pwpolicy -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the result is not "minutesUntilFailedLoginReset=15", this is a finding. This is NA for machines bound to a directory server.

Fix: F-56217r1_fix

To set the password policy, run the following command: sudo pwpolicy setglobalpolicy "minutesUntilFailedLoginReset=15"

b
The operating system must use cryptography to protect the integrity of remote access sessions.
AC-17 - Medium - CCI-001453 - V-51421 - SV-65631r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
OSX8-00-00040
Vuln IDs
  • V-51421
Rule IDs
  • SV-65631r1_rule
Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is not used to protect these sessions, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.
Checks: C-53757r2_chk

The service "telnet" should be disabled, to check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56219r1_fix

To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

b
The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
AC-17 - Medium - CCI-001454 - V-51425 - SV-65635r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001454
Version
OSX8-00-00045
Vuln IDs
  • V-51425
Rule IDs
  • SV-65635r1_rule
Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any operating system providing remote access must support organizational requirements to audit access or organization-defined security functions and security-relevant information.
Checks: C-53761r2_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep nt The network are logged by way of the "nt" flag. If "nt" is not listed in the result of the check, this is a finding.

Fix: F-56223r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,nt/' /etc/security/audit_control

b
The operating system must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-51427 - SV-65637r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
OSX8-00-00380
Vuln IDs
  • V-51427
Rule IDs
  • SV-65637r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is imperative that access to audit tools be controlled and protected from unauthorized access.
Checks: C-53763r1_chk

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

Fix: F-56225r1_fix

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

b
The operating system must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-51429 - SV-65639r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001494
Version
OSX8-00-00385
Vuln IDs
  • V-51429
Rule IDs
  • SV-65639r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative that audit tools be controlled and protected from unauthorized modification.
Checks: C-53765r1_chk

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

Fix: F-56227r1_fix

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

b
The operating system must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-51431 - SV-65641r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001495
Version
OSX8-00-00390
Vuln IDs
  • V-51431
Rule IDs
  • SV-65641r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are deleted, it would affect the administrator's ability to access and review log data.
Checks: C-53767r1_chk

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

Fix: F-56229r1_fix

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

b
The operating system must limit privileges to change software resident within software libraries (including privileged programs).
CM-5 - Medium - CCI-001499 - V-51433 - SV-65643r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
OSX8-00-00435
Vuln IDs
  • V-51433
Rule IDs
  • SV-65643r1_rule
When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-53769r1_chk

To check the permissions and ownership of the system files and make sure they haven't changed from the original installation, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.

Fix: F-56231r1_fix

To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /

b
The operating system must take corrective actions, when unauthorized mobile code is identified.
SC-18 - Medium - CCI-001662 - V-51435 - SV-65645r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
OSX8-00-00760
Vuln IDs
  • V-51435
Rule IDs
  • SV-65645r1_rule
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.
Checks: C-53771r1_chk

To check to make sure the user cannot override Gatekeeper settings, type the following code: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.

Fix: F-56233r1_fix

This can be enforced using a configuration profile.

b
The operating system must support the requirement to automatically audit on account creation.
AC-2 - Medium - CCI-000018 - V-51437 - SV-65647r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
OSX8-00-00120
Vuln IDs
  • V-51437
Rule IDs
  • SV-65647r1_rule
Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and if required notifies administrators. Such a process greatly reduces the risk of accounts being created outside the normal approval process and provides logging that can be used for forensic purposes. Additionally, the audit records of account creation can be compared to the known approved account creation list.
Checks: C-53773r2_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

Fix: F-56235r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

a
The Bluetooth protocol driver must be removed.
AC-19 - Low - CCI-000086 - V-51439 - SV-65649r1_rule
RMF Control
AC-19
Severity
L
CCI
CCI-000086
Version
OSX8-00-00065
Vuln IDs
  • V-51439
Rule IDs
  • SV-65649r1_rule
Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can be accessed. The organization will define the requirements for connection of mobile devices. In order to ensure that the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.
Checks: C-53775r1_chk

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Fix: F-56237r1_fix

Removing the kernel extensions for Bluetooth will remove the system's ability to load Bluetooth devices, use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDDriver.kext; sudo touch /System/Library/Extensions

b
Wi-Fi support software must be disabled.
AC-19 - Medium - CCI-000086 - V-51441 - SV-65651r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000086
Version
OSX8-00-00070
Vuln IDs
  • V-51441
Rule IDs
  • SV-65651r1_rule
Wi-Fi support software must be disabled.
Checks: C-53777r1_chk

To check if the Wi-Fi software components are present on the system, run the following command: sudo ls -d /System/Library/Extensions/IO80211Family.kext If there is a result showing the file is present, this is a finding.

Fix: F-56239r1_fix

To remove the software component for Wi-Fi support, run the following command: sudo rm -rf /System/Library/Extensions/IO80211Family.kext

b
The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
AC-6 - Medium - CCI-000040 - V-51443 - SV-65653r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000040
Version
OSX8-00-00170
Vuln IDs
  • V-51443
Rule IDs
  • SV-65653r1_rule
The auditing system must be configured to audit authentication and authorization events.
Checks: C-53779r2_chk

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep aa The authentication events are logged via the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.

Fix: F-56241r1_fix

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control

b
Bluetooth devices must not be allowed to wake the computer.
AC-19 - Medium - CCI-000086 - V-51445 - SV-65655r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000086
Version
OSX8-00-00955
Vuln IDs
  • V-51445
Rule IDs
  • SV-65655r1_rule
Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer.
Checks: C-53785r1_chk

To check if this setting is disabled run the following command as the primary user: defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled If the return value is "1", this is a finding.

Fix: F-56247r1_fix

This control needs to be manually changed on the computer by opening System Preferences->Bluetooth, Click Advanced, and make sure the "Allow Bluetooth devices to wake this computer" is not checked.

b
Bluetooth Sharing must be disabled.
AC-19 - Medium - CCI-000086 - V-51447 - SV-65657r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000086
Version
OSX8-00-00965
Vuln IDs
  • V-51447
Rule IDs
  • SV-65657r1_rule
Bluetooth Sharing must be disabled.
Checks: C-53787r1_chk

To check if Bluetooth Sharing is enabled, Open up System Preferences-&gt;Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding.

Fix: F-56249r1_fix

To disable Bluetooth Sharing, open System Preferences->Sharing and uncheck the box next to Bluetooth Sharing.

a
The operating system must display the DoD-approved system use notification message or banner before granting access to the system.
AC-8 - Low - CCI-000048 - V-51449 - SV-65659r1_rule
RMF Control
AC-8
Severity
L
CCI
CCI-000048
Version
OSX8-00-00185
Vuln IDs
  • V-51449
Rule IDs
  • SV-65659r1_rule
The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far as auditing and monitoring are concerned.
Checks: C-53789r2_chk

The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder. ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document MUST read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG -authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not exactly worded this way, this is a finder.

Fix: F-56251r1_fix

Create a RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security/

b
The auditing tool, praudit, must be the one provided by Apple, Inc.
AU-9 - Medium - CCI-001496 - V-51451 - SV-65661r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
OSX8-00-00400
Vuln IDs
  • V-51451
Rule IDs
  • SV-65661r1_rule
Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Cryptographic mechanisms must be used to protect the integrity of the audit tools used for audit reduction and reporting. The auditing tool, praudit, should be the one provided by Apple, Inc.
Checks: C-53791r1_chk

Run the following command to ensure the audit tool, praudit, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/praudit 2&gt;&amp;1 | grep CDHash | sed 's/CDHash=//' The result should be "7972f0ead62fd6610d4453f842f9e22b5dc14732". If it differs, this is a finding.

Fix: F-56253r1_fix

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

b
The input menu must not be shown in the login window.
AC-8 - Medium - CCI-000048 - V-51453 - SV-65663r1_rule
RMF Control
AC-8
Severity
M
CCI
CCI-000048
Version
OSX8-00-00940
Vuln IDs
  • V-51453
Rule IDs
  • SV-65663r1_rule
Input menu must not be shown in login window.
Checks: C-53793r1_chk

To check if the input menu is available at the login window, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow showInputMenu If the setting is not "0", this is a finding.

Fix: F-56255r1_fix

To disable the input menu at the login window, run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool FALSE

b
The auditing tool, auditreduce, must be the one provided by Apple, Inc.
AU-9 - Medium - CCI-001496 - V-51455 - SV-65665r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
OSX8-00-00405
Vuln IDs
  • V-51455
Rule IDs
  • SV-65665r1_rule
The auditing tool, auditreduce, should be the one provided by Apple, Inc.
Checks: C-53795r1_chk

Run the following command to ensure the audit tool, auditreduce has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditreduce 2&gt;&amp;1 | grep CDHash | sed 's/CDHash=//' The result should be "3b7644bca759043242925af1e6c1c4f4f7dadbae". If it differs, this is a finding.

Fix: F-56257r1_fix

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

b
The auditing tool, audit, must be the one provided by Apple, Inc.
AU-9 - Medium - CCI-001496 - V-51457 - SV-65667r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
OSX8-00-00410
Vuln IDs
  • V-51457
Rule IDs
  • SV-65667r1_rule
The auditing tool, audit, should be the one provided by Apple, Inc.
Checks: C-53797r1_chk

Run the following command to ensure the audit tool, audit has the correct signed hash value: sudo codesign -dvvv /usr/sbin/audit 2&gt;&amp;1 | grep CDHash | sed 's/CDHash=//' The result should be "e23e7f63cdef9c1844390a3c8f32122b671b68d3". If it differs, this is a finding.

Fix: F-56259r1_fix

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

b
The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
AC-9 - Medium - CCI-000052 - V-51459 - SV-65669r1_rule
RMF Control
AC-9
Severity
M
CCI
CCI-000052
Version
OSX8-00-00200
Vuln IDs
  • V-51459
Rule IDs
  • SV-65669r1_rule
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Checks: C-53799r2_chk

To see if SSH is configured to display the last login information, run the following command: grep ^PrintLastLog /etc/sshd_config | awk '{ print $2 }' If there is no result returned, or is "no", this is a finding.

Fix: F-56261r1_fix

To set the SSH server to print the last login information, run the following command: sudo sed -i.bak 's/.*PrintLastLog.*/PrintLastLog yes/' /etc/sshd_config

b
The auditing tool, auditd, must be the one provided by Apple, Inc.
AU-9 - Medium - CCI-001496 - V-51461 - SV-65671r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001496
Version
OSX8-00-00415
Vuln IDs
  • V-51461
Rule IDs
  • SV-65671r1_rule
The auditing tool, auditd, should be the one provided by Apple, Inc.
Checks: C-53801r1_chk

Run the following command to ensure the audit tool, auditd has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditd 2&gt;&amp;1 | grep CDHash | sed 's/CDHash=//' The result should be "abad487143d9bb99e06d945f69f8fab6e49460f1". If it differs, this is a finding.

Fix: F-56263r1_fix

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

b
Shared User Accounts must be disabled.
CM-6 - Medium - CCI-000366 - V-51463 - SV-65673r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00915
Vuln IDs
  • V-51463
Rule IDs
  • SV-65673r1_rule
Shared User Accounts must be disabled.
Checks: C-53805r1_chk

Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account [which provides no individual identification and accountability] is mitigated.

Fix: F-56265r1_fix

Remove, disable, or document with the IAO all shared accounts.

b
The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 - Medium - CCI-000056 - V-51465 - SV-65675r1_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000056
Version
OSX8-00-00020
Vuln IDs
  • V-51465
Rule IDs
  • SV-65675r1_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Once invoked, the session lock shall remain in place until the user reauthenticates. No other system activity aside from reauthentication can unlock the system.
Checks: C-53803r1_chk

To check if the system has the correct setting in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "askForPassword" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

Fix: F-56267r1_fix

To enforce this setting, it must be configured using a configuration profile.

b
A password must be required to unlock each System Preference Pane.
CM-6 - Medium - CCI-000366 - V-51467 - SV-65677r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00920
Vuln IDs
  • V-51467
Rule IDs
  • SV-65677r1_rule
A password must be required to access locked System Preferences.
Checks: C-53807r1_chk

To check if the status of the System Preference Pane authorization requirements, run the following command: sudo security authorizationdb read system.preferences | grep -A1 shared If the results display "true" this is a finding.

Fix: F-56269r1_fix

To set the system to require a password to unlock every System Preference Pane, open System Preferences->Security & Privacy->Advanced, and make sure the box is checked to "Require an administrator password to access locked preferences".

a
Automatic logout due to inactivity must be disabled.
AC-11 - Low - CCI-000056 - V-51469 - SV-65679r1_rule
RMF Control
AC-11
Severity
L
CCI
CCI-000056
Version
OSX8-00-01085
Vuln IDs
  • V-51469
Rule IDs
  • SV-65679r1_rule
Automatic logout due to inactivity must be disabled.
Checks: C-53809r2_chk

To check if the system is configured to automatically log out after a period of time, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.autologout.AutoLogOutDelay" | awk '{ print $3 }' | sed 's/;//' If the result is not defined (nothing returned) or not "0", this is a finding.

Fix: F-56271r1_fix

This setting should be configured with a configuration profile.

b
Automatic login must be disabled.
CM-6 - Medium - CCI-000366 - V-51471 - SV-65681r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00925
Vuln IDs
  • V-51471
Rule IDs
  • SV-65681r1_rule
Automatic login must be disabled.
Checks: C-53811r1_chk

To check if the system if configured to automatically log in, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableAutoLoginClient | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.

Fix: F-56273r1_fix

This is enforced using a configuration profile.

b
The operating system must initiate a session lock after the organization-defined time period of inactivity.
AC-11 - Medium - CCI-000057 - V-51473 - SV-65683r1_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
OSX8-00-00010
Vuln IDs
  • V-51473
Rule IDs
  • SV-65683r1_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The organization defines the period of inactivity to pass before a session lock is initiated, so this must be configurable.
Checks: C-53813r1_chk

To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: system_profiler SPConfigurationProfileDataType | grep idleTime | awk '{ print $3 }' | sed 's/;//' The check should return a value of "900" or less, if not, this is a finding.

Fix: F-56275r1_fix

This setting is enforced using a configuration profile.

b
The ability to use corners to disable the screen saver must be disabled.
AC-11 - Medium - CCI-000057 - V-51475 - SV-65685r1_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
OSX8-00-01095
Vuln IDs
  • V-51475
Rule IDs
  • SV-65685r1_rule
The ability to use corners to disable the screen saver must be disabled.
Checks: C-53815r2_chk

To check if any of the hot corners are configured to disable the screen saver run the following command for the logged in user: system_profiler SPConfigurationProfileDataType | grep wvous There should be 4 results (wvous-bl-corner, wvous-br-corner, wvous-tl-corner, wvous-tr-corner). If any of them are not defined to be "1", this is a finding.

Fix: F-56277r2_fix

Open up System Preferences->Desktop&Screen Saver, and open Hot Corners. Make sure none of the corners are defined to "Disable Screen Saver". This can be enforced using a configuration profile or managed preferences.

a
The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
AC-11 - Low - CCI-000060 - V-51477 - SV-65687r1_rule
RMF Control
AC-11
Severity
L
CCI
CCI-000060
Version
OSX8-00-00005
Vuln IDs
  • V-51477
Rule IDs
  • SV-65687r1_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
Checks: C-53817r1_chk

To view the currently selected screen saver for the logged in user, run the following command: system_profiler SPConfigurationProfileDataType | grep moduleName If there is no result or defined moduleName, this is a finding.

Fix: F-56279r1_fix

This is enforced using a configuration profile.

b
The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17 - Medium - CCI-000067 - V-51479 - SV-65689r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
OSX8-00-00030
Vuln IDs
  • V-51479
Rule IDs
  • SV-65689r1_rule
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.
Checks: C-53819r1_chk

To check to make sure the audit daemon is configured to log all login events, both local and remote, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep lo The flag "lo" should be included in the list of flags set. If it is not, this is a finding.

Fix: F-56281r3_fix

To edit the configuration of the audit daemon flags, open the /etc/security/audit_control file and make sure "lo" is listed in the "flags:" parameter. To programmatically do this, run the following command: sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s

c
The rexec service must be disabled.
AC-17 - High - CCI-000068 - V-51481 - SV-65691r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
OSX8-00-00035
Vuln IDs
  • V-51481
Rule IDs
  • SV-65691r1_rule
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections.
Checks: C-53823r1_chk

The service "rexec" should be disabled, to check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/exec Disabled If the result is not "1", this is a finding.

Fix: F-56283r1_fix

To set the "rexec" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/exec Disabled 1

b
The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
AC-19 - Medium - CCI-000085 - V-51483 - SV-65693r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
OSX8-00-00060
Vuln IDs
  • V-51483
Rule IDs
  • SV-65693r1_rule
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.
Checks: C-53825r1_chk

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Fix: F-56285r1_fix

Removing the kernel extensions for Bluetooth will remove the system's ability to load Bluetooth devices, use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDDriver.kext; sudo reboot

b
Automatic actions must be disabled for blank CDs.
AC-19 - Medium - CCI-000087 - V-51485 - SV-65695r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
OSX8-00-00085
Vuln IDs
  • V-51485
Rule IDs
  • SV-65695r1_rule
Automatic actions must be disabled for blank CDs.
Checks: C-53827r1_chk

To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.cd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

Fix: F-56287r1_fix

This setting must be configured using a configuration profile.

b
Automatic actions must be disabled for blank DVDs.
AC-19 - Medium - CCI-000087 - V-51487 - SV-65697r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
OSX8-00-00090
Vuln IDs
  • V-51487
Rule IDs
  • SV-65697r1_rule
Automatic actions must be disabled for blank DVDs.
Checks: C-53829r2_chk

To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.dvd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

Fix: F-56289r1_fix

This setting must be configured using a configuration profile.

b
Automatic actions must be disabled for music CDs.
AC-19 - Medium - CCI-000087 - V-51489 - SV-65699r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
OSX8-00-00095
Vuln IDs
  • V-51489
Rule IDs
  • SV-65699r1_rule
Automatic actions must be disabled for music CDs.
Checks: C-53831r2_chk

To check if the system has the correct setting for music CDs open up System Preferences, CDs &amp; DVDs. The setting for "When you insert a music CD" should be set to "Ignore", if it is not, this is a finding.

Fix: F-56291r1_fix

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a music CD" to "Ignore".

b
Automatic actions must be disabled for video DVDs.
AC-19 - Medium - CCI-000087 - V-51491 - SV-65701r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
OSX8-00-00105
Vuln IDs
  • V-51491
Rule IDs
  • SV-65701r1_rule
Automatic actions must be disabled for video DVDs.
Checks: C-53835r2_chk

To check if the system has the correct setting for picture CDs open up System Preferences, CDs &amp; DVDs. The setting for "When you insert a video DVD" should be set to "Ignore", if it is not, this is a finding.

Fix: F-56295r1_fix

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a video DVD" to "Ignore".

b
The operating system must allocate audit record storage capacity.
AU-4 - Medium - CCI-000137 - V-51493 - SV-65703r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000137
Version
OSX8-00-00295
Vuln IDs
  • V-51493
Rule IDs
  • SV-65703r1_rule
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. It is imperative the operating system configured, allocate storage capacity to contain audit records.
Checks: C-53837r1_chk

The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.

Fix: F-56297r1_fix

Edit the /etc/security/audit_control file, and change the value for "minfree" to the percentage of free space you require to keep available for the system. You can use the following command to set the "minfree" value to "10%": sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control

b
The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
AU-4 - Medium - CCI-000138 - V-51495 - SV-65705r1_rule
RMF Control
AU-4
Severity
M
CCI
CCI-000138
Version
OSX8-00-00300
Vuln IDs
  • V-51495
Rule IDs
  • SV-65705r1_rule
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Care must be taken to evaluate that the audit records being produced do not exceed the storage capacity.
Checks: C-53839r1_chk

The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep expire-after /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.

Fix: F-56299r1_fix

To set the auditing daemon to expire logs after "10 GB" of space in the audit_control configuration file, run the following command: sudo sed -i.bak 's/.*expire-after.*/expire-after:10G/' /etc/security/audit_control; sudo audit -s

b
The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
AU-5 - Medium - CCI-000140 - V-51497 - SV-65707r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000140
Version
OSX8-00-01355
Vuln IDs
  • V-51497
Rule IDs
  • SV-65707r1_rule
It is critical when a system is at risk of failing to process audit logs, as required, it detects and takes action to mitigate the failure. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. In order for the audit control system to shut down when an audit processing failure occurs, the setting "ahlt" must be configured. The default setting is "cnt" which allows the system to continue running in the event of an audit processing failure.
Checks: C-53841r1_chk

The check with display the settings for the audit control system. To view the setting, run the following command: sudo grep policy /etc/security/audit_control | grep ahlt If there is no result, this is a finding.

Fix: F-56301r1_fix

Edit the /etc/security/audit_control file, and change the value for policy to include the setting "ahlt".

b
The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
AU-5 - Medium - CCI-000143 - V-51499 - SV-65709r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000143
Version
OSX8-00-00305
Vuln IDs
  • V-51499
Rule IDs
  • SV-65709r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity were to be exceeded then events that subsequently occur will not be recorded.
Checks: C-53843r1_chk

The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.

Fix: F-56303r1_fix

To set the value for "minfree" in the "audit_control" configuration file, run the following command: sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control; sudo audit -s

b
The operating system must provide a real-time alert when organization-defined audit failure events occur.
AU-5 - Medium - CCI-000144 - V-51501 - SV-65711r1_rule
RMF Control
AU-5
Severity
M
CCI
CCI-000144
Version
OSX8-00-00310
Vuln IDs
  • V-51501
Rule IDs
  • SV-65711r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.
Checks: C-53845r2_chk

To verify that the system log is writing audit failure or warnings run the following command: sudo grep logger /etc/security/audit_warn If this does not return: logger -p security.warning "audit warning: $@" this is a finding.

Fix: F-56305r1_fix

Edit the /etc/security/audit_warn file to include the line: logger -p security.warning "audit warning: $@"

b
The operating system must employ cryptographic mechanisms to protect information in storage.
MP-4 - Medium - CCI-001019 - V-51507 - SV-65717r1_rule
RMF Control
MP-4
Severity
M
CCI
CCI-001019
Version
OSX8-00-00700
Vuln IDs
  • V-51507
Rule IDs
  • SV-65717r1_rule
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
Checks: C-53847r1_chk

To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.

Fix: F-56311r1_fix

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

b
The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
MA-4 - Medium - CCI-000888 - V-51509 - SV-65719r1_rule
RMF Control
MA-4
Severity
M
CCI
CCI-000888
Version
OSX8-00-00690
Vuln IDs
  • V-51509
Rule IDs
  • SV-65719r1_rule
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted.
Checks: C-53849r2_chk

The service "telnet" should be disabled, to check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56315r1_fix

To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

b
The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-51511 - SV-65721r1_rule
RMF Control
MA-4
Severity
M
CCI
CCI-000877
Version
OSX8-00-00695
Vuln IDs
  • V-51511
Rule IDs
  • SV-65721r1_rule
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems includes the ability to access system configuration details, diagnostic information, user information, as well as installation of software.
Checks: C-53851r2_chk

The service "telnet" should be disabled, to check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56317r1_fix

To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

b
The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.
AC-2 - Medium - CCI-001682 - V-51515 - SV-65725r1_rule
RMF Control
AC-2
Severity
M
CCI
CCI-001682
Version
OSX8-00-00115
Vuln IDs
  • V-51515
Rule IDs
  • SV-65725r1_rule
When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.
Checks: C-53853r1_chk

If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u &lt;username&gt; get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.

Fix: F-56319r1_fix

To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"

b
The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2 - Medium - CCI-000776 - V-51519 - SV-65729r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000776
Version
OSX8-00-00575
Vuln IDs
  • V-51519
Rule IDs
  • SV-65729r1_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.
Checks: C-53855r1_chk

To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2" this is a finding.

Fix: F-56323r1_fix

In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config

b
The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-000774 - V-51523 - SV-65733r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000774
Version
OSX8-00-00570
Vuln IDs
  • V-51523
Rule IDs
  • SV-65733r1_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.
Checks: C-53859r1_chk

To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2", this is a finding.

Fix: F-56329r1_fix

In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config

b
The root account must be disabled for interactive use.
IA-2 - Medium - CCI-000770 - V-51527 - SV-65737r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
OSX8-00-01230
Vuln IDs
  • V-51527
Rule IDs
  • SV-65737r1_rule
The root account must be disabled for interactive use.
Checks: C-53861r1_chk

To check if the root user has been enabled, run the following command: sudo dscl . -read /Users/root AuthenticationAuthority If the result does not return "No such key: AuthenticationAuthority", this is a finding.

Fix: F-56331r1_fix

To disable the root user account, run the following command: sudo dsenableroot -d

b
The SSH PermitRootLogin option must be set correctly.
IA-2 - Medium - CCI-000770 - V-51529 - SV-65739r1_rule
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
OSX8-00-00565
Vuln IDs
  • V-51529
Rule IDs
  • SV-65739r1_rule
To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as, adding an additional level of protection of the actions that can be taken with group account knowledge.
Checks: C-53863r1_chk

To check if SSH has root logins enabled, run the following command: sudo grep ^PermitRootLogin /etc/sshd_config | awk '{ print $2 }' If there is no result, or the result is set to "yes", this is a finding.

Fix: F-56335r1_fix

In order to make sure that PermitRootLogin is disabled by the sshd, run the following command: sudo sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/sshd_config

b
End users must not be able to override Gatekeeper settings.
SA-7 - Medium - CCI-000663 - V-51531 - SV-65741r1_rule
RMF Control
SA-7
Severity
M
CCI
CCI-000663
Version
OSX8-00-00711
Vuln IDs
  • V-51531
Rule IDs
  • SV-65741r1_rule
Gatekeeper settings must be configured correctly.
Checks: C-53865r2_chk

To check to make sure the user cannot override Gatekeeper settings, type the following code: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.

Fix: F-56337r1_fix

This can be enforced using a configuration profile.

b
The system must allow only applications downloaded from the App Store to run.
SA-7 - Medium - CCI-000663 - V-51535 - SV-65745r1_rule
RMF Control
SA-7
Severity
M
CCI
CCI-000663
Version
OSX8-00-00710
Vuln IDs
  • V-51535
Rule IDs
  • SV-65745r1_rule
Gatekeeper settings must be configured correctly.
Checks: C-53867r1_chk

To check to make sure only applications downloaded from the App Store are allowed to run, type the following code: system_profiler SPConfigurationProfileDataType | grep AllowIdentifiedDevelopers | awk '{ print $3 }' | sed 's/;//' If the returned value is not "0", this is a finding.

Fix: F-56339r1_fix

This can be enforced using a configuration profile.

b
A configuration profile must exist to restrict launching of applications.
SA-7 - Medium - CCI-000663 - V-51537 - SV-65747r1_rule
RMF Control
SA-7
Severity
M
CCI
CCI-000663
Version
OSX8-00-00705
Vuln IDs
  • V-51537
Rule IDs
  • SV-65747r1_rule
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.
Checks: C-53869r1_chk

To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.

Fix: F-56341r1_fix

A configuration profile should exist to restrict launching of applications.

a
The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives.
CP-9 - Low - CCI-000537 - V-51539 - SV-65749r1_rule
RMF Control
CP-9
Severity
L
CCI
CCI-000537
Version
OSX8-00-00560
Vuln IDs
  • V-51539
Rule IDs
  • SV-65749r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.
Checks: C-53871r1_chk

To check and see if automatic backups for the built in "Time Machine" function of OS are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is a "0", then automatic backups are disabled. Although OS X does include Time Machine as a backup facility, please check with the organization's System Administrators for defined policies and procedures for workstation backups.

Fix: F-56345r1_fix

To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1

a
The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives.
CP-9 - Low - CCI-000535 - V-51541 - SV-65751r1_rule
RMF Control
CP-9
Severity
L
CCI
CCI-000535
Version
OSX8-00-00555
Vuln IDs
  • V-51541
Rule IDs
  • SV-65751r1_rule
Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Checks: C-53873r1_chk

To check and see if automatic backups for the built in "Time Machine" function of OS are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is a "0", then automatic backups are disabled. Although OS X does include Time Machine as a backup facility, please check with the organization's System Administrators for defined policies and procedures for workstation backups.

Fix: F-56347r1_fix

To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1

a
Airdrop must be disabled.
CM-7 - Low - CCI-000382 - V-51543 - SV-65753r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000382
Version
OSX8-00-02050
Vuln IDs
  • V-51543
Rule IDs
  • SV-65753r1_rule
Airdrop must be disabled.
Checks: C-53875r1_chk

To check if Airdrop has been disabled, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableAirDrop | awk '{ Print $3 }' | sed 's/;//' If the result is not "1", this is a finding.

Fix: F-56349r1_fix

This is enforced using a configuration profile.

b
The system must not have the UUCP service active.
CM-7 - Medium - CCI-000382 - V-51547 - SV-65757r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00550
Vuln IDs
  • V-51547
Rule IDs
  • SV-65757r1_rule
The system must not have the UUCP service active.
Checks: C-53877r2_chk

To check if UUCP is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.uucp:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56351r1_fix

To disable UUCP, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.uucp" -dict Disabled -bool true

b
Bonjour multicast advertising must be disabled on the system.
CM-7 - Medium - CCI-000382 - V-51549 - SV-65759r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00545
Vuln IDs
  • V-51549
Rule IDs
  • SV-65759r1_rule
Bonjour multicast advertising must be disabled on the system.
Checks: C-53879r1_chk

To check if multicast advertisements have been disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | grep NoMulticastAdvertisements If nothing is returned, this is a finding.

Fix: F-56353r1_fix

To configure Bonjour to disable multicast advertising, run the following command: sudo /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

b
Location Services must be disabled.
CM-7 - Medium - CCI-000382 - V-51551 - SV-65761r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00535
Vuln IDs
  • V-51551
Rule IDs
  • SV-65761r1_rule
Location Services must be disabled.
Checks: C-53881r1_chk

The setting is found in System Preferences-&gt;Security &amp; Privacy-&gt;Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableLocationServices | awk '{ print $3 }' | sed 's/;//' If the result is not "1" this is a finding.

Fix: F-56355r1_fix

The setting is found in System Preferences->Security & Privacy->Location Services. Uncheck the box that says "Enable Location Services". This setting can be enforced using a configuration profile.

b
Find My Mac messenger must be disabled.
CM-7 - Medium - CCI-000382 - V-51553 - SV-65763r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00532
Vuln IDs
  • V-51553
Rule IDs
  • SV-65763r1_rule
Find My Mac messenger must be disabled.
Checks: C-53883r2_chk

To check if Find My Mac messenger is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacmessenger:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56357r1_fix

To disable Find My Mac messenger, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacmessenger" -dict Disabled -bool true

b
Find My Mac must be disabled.
CM-7 - Medium - CCI-000382 - V-51555 - SV-65765r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00531
Vuln IDs
  • V-51555
Rule IDs
  • SV-65765r1_rule
Find My Mac must be disabled.
Checks: C-53885r1_chk

To check if Find My Mac is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56359r1_fix

To disable Find My Mac, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacd" -dict Disabled -bool true

b
Sending diagnostic and usage data to Apple must be disabled.
CM-7 - Medium - CCI-000382 - V-51557 - SV-65767r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000382
Version
OSX8-00-00530
Vuln IDs
  • V-51557
Rule IDs
  • SV-65767r1_rule
Sending diagnostic and usage data to Apple must be disabled.
Checks: C-53887r1_chk

The setting is found in System Preferences-&gt;Security &amp; Privacy-&gt;Diagnostics &amp; Usage. If the box that says "Send diagnostic &amp; usage data to Apple" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep AutoSubmit | awk '{ print $3 }' | sed 's/;//' If the result is not "AutoSubmit = 0;" this is a finding.

Fix: F-56361r1_fix

The setting is found in System Preferences->Security & Privacy->Diagnostics & Usage Uncheck the box that says "Send diagnostic & usage data to Apple. This setting can be enforced using a configuration profile.

b
Remote Apple Events must be disabled.
CM-7 - Medium - CCI-000381 - V-51559 - SV-65769r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00975
Vuln IDs
  • V-51559
Rule IDs
  • SV-65769r1_rule
Remote Apple Events must be disabled.
Checks: C-53889r1_chk

To check if Remote Apple Events is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AEServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56363r1_fix

To disable Remote Apple Events, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AEServer" -dict Disabled -bool true

b
The system preference panel iCloud must be removed.
CM-7 - Medium - CCI-000381 - V-51561 - SV-65771r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00520
Vuln IDs
  • V-51561
Rule IDs
  • SV-65771r1_rule
The system preference panel iCloud must be removed.
Checks: C-53891r1_chk

To check for the existence of the iCloud preference panel, run the following command: ls -ald /System/Library/PreferencePanes/iCloudPref.prefPane If anything is returned, this is a finding.

Fix: F-56367r1_fix

To remove the iCloud preference pane run the following command: sudo rm -Rf /System/Library/PreferencePanes/iCloudPref.prefPane

a
The application Mail must be removed.
CM-7 - Low - CCI-000381 - V-51565 - SV-65775r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00515
Vuln IDs
  • V-51565
Rule IDs
  • SV-65775r1_rule
The application Mail must be removed.
Checks: C-53893r1_chk

To check for the existence of Mail, run the following command: ls -ald /Applications/Mail.app If anything is returned, this is a finding.

Fix: F-56369r1_fix

To remove Mail run the following command: sudo rm -Rf /Applications/Mail.app

a
The application Contacts must be removed.
CM-7 - Low - CCI-000381 - V-51567 - SV-65777r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00510
Vuln IDs
  • V-51567
Rule IDs
  • SV-65777r1_rule
The application Contacts must be removed.
Checks: C-53895r1_chk

To check for the existence of Contacts, run the following command: ls -ald /Applications/Contacts.app If anything is returned, this is a finding.

Fix: F-56373r1_fix

To remove Contacts run the following command: sudo rm -Rf /Applications/Contacts.app

a
The application Calendar must be removed.
CM-7 - Low - CCI-000381 - V-51569 - SV-65779r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00505
Vuln IDs
  • V-51569
Rule IDs
  • SV-65779r1_rule
The application Calendar must be removed.
Checks: C-53897r1_chk

To check for the existence of the Calendar application run the following command: ls -ald /Applications/Calendar.app If anything is returned, this is a finding.

Fix: F-56375r1_fix

To remove Calendar, run the following command: sudo rm -Rf /Applications/Calendar.app

b
The application App Store must be removed.
CM-7 - Medium - CCI-000381 - V-51571 - SV-65781r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00500
Vuln IDs
  • V-51571
Rule IDs
  • SV-65781r1_rule
The application App Store must be removed.
Checks: C-53899r1_chk

To check for the existence of App Store, run the following command: ls -ald /Applications/App\ Store.app If anything is returned, this is a finding.

Fix: F-56377r1_fix

To remove App Store, run the following command: sudo rm -Rf /Applications/App\ Store.app

a
The application image capture must be removed.
CM-7 - Low - CCI-000381 - V-51575 - SV-65785r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00495
Vuln IDs
  • V-51575
Rule IDs
  • SV-65785r1_rule
The application Image Capture must be removed.
Checks: C-53901r1_chk

To check for the existence of Image Capture, run the following command: ls -ald /Applications/Image\ Capture.app If anything is returned, this is a finding.

Fix: F-56379r1_fix

To remove Image Capture, run the following command: sudo rm -Rf /Applications/Image\ Capture.app

b
The application Messages must be removed.
CM-7 - Medium - CCI-000381 - V-51579 - SV-65789r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00490
Vuln IDs
  • V-51579
Rule IDs
  • SV-65789r1_rule
The application Messages must be removed.
Checks: C-53903r1_chk

To check for the existence of Messages, run the following command: ls -ald /Applications/Messages.app If anything is returned, this is a finding.

Fix: F-56383r1_fix

To remove Messages, run the following command: sudo rm -Rf /Applications/Messages.app

a
The application iTunes must be removed.
CM-7 - Low - CCI-000381 - V-51581 - SV-65791r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00485
Vuln IDs
  • V-51581
Rule IDs
  • SV-65791r1_rule
The application iTunes must be removed.
Checks: C-53905r1_chk

To check for the existence of iTunes run the following command: ls -ald /Applications/iTunes.app If anything is returned, this is a finding.

Fix: F-56385r1_fix

To remove iTunes, run the following command: sudo rm -Rf /Applications/iTunes.app

a
The application Game Center must be disabled.
CM-7 - Low - CCI-000381 - V-51583 - SV-65793r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00481
Vuln IDs
  • V-51583
Rule IDs
  • SV-65793r1_rule
The application Game Center must be disabled.
Checks: C-53907r1_chk

To check if a configuration profile is configured to disable Game Center, run the following command: system_profiler SPConfigurationProfileDataType | grep GKFeatureGameCenterAllowed | awk '{ print $3 }' | sed 's/;//' If the result is not "0", this is a finding. This requirement is N/A if requirement OSX8-00-00480 is met.

Fix: F-56387r1_fix

This is enforced using a configuration profile.

a
The application Game Center must be removed.
CM-7 - Low - CCI-000381 - V-51593 - SV-65803r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00480
Vuln IDs
  • V-51593
Rule IDs
  • SV-65803r1_rule
The application Game Center must be removed.
Checks: C-53917r1_chk

To check for the existence of Game Center, run the following command: ls -ald /Applications/Game\ Center.app If anything is returned, this is a finding.

Fix: F-56397r1_fix

To remove Game Center, run the following command: sudo rm -Rf /Applications/Game\ Center.app

a
The application FaceTime must be removed.
CM-7 - Low - CCI-000381 - V-51595 - SV-65805r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00475
Vuln IDs
  • V-51595
Rule IDs
  • SV-65805r1_rule
The application FaceTime must be removed.
Checks: C-53919r1_chk

To check for the existence of FaceTime, run the following command: ls -ald /Applications/FaceTime.app If anything is returned, this is a finding.

Fix: F-56399r1_fix

To remove FaceTime, run the following command: sudo rm -Rf /Applications/FaceTime.app

a
The application Chess must be removed.
CM-7 - Low - CCI-000381 - V-51597 - SV-65807r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00470
Vuln IDs
  • V-51597
Rule IDs
  • SV-65807r1_rule
The application Chess must be removed.
Checks: C-53921r1_chk

To check for the existence of Chess, run the following command: ls -ald /Applications/Chess.app If anything is returned, this is a finding.

Fix: F-56401r1_fix

To remove Chess, run the following command: sudo rm -Rf /Applications/Chess.app

a
The application PhotoBooth must be removed.
CM-7 - Low - CCI-000381 - V-51601 - SV-65811r1_rule
RMF Control
CM-7
Severity
L
CCI
CCI-000381
Version
OSX8-00-00465
Vuln IDs
  • V-51601
Rule IDs
  • SV-65811r1_rule
The application Photo Booth must be removed.
Checks: C-53923r1_chk

To check for the existence of Photo Booth, run the following command: ls -ald /Applications/Photo\ Booth.app If anything is returned, this is a finding.

Fix: F-56403r1_fix

To remove Photo Booth, run the following command: sudo rm -Rf /Applications/Photo\ Booth.app

b
Application Restrictions must be enabled.
CM-7 - Medium - CCI-000381 - V-51603 - SV-65813r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00460
Vuln IDs
  • V-51603
Rule IDs
  • SV-65813r1_rule
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions) and will reduce the attack surface of the operating system. End-users should be restricted to running only approved applications.
Checks: C-53925r1_chk

To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.

Fix: F-56405r1_fix

A configuration profile should exist to restrict launching of applications.

b
The racoon daemon must be disabled.
CM-7 - Medium - CCI-000381 - V-51605 - SV-65815r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00144
Vuln IDs
  • V-51605
Rule IDs
  • SV-65815r1_rule
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. The IKE service, racoon, should be disabled.
Checks: C-53927r2_chk

To check if racoon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.racoon:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56407r1_fix

To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.racoon" -dict Disabled -bool true

b
The NFS stat daemon must be disabled.
CM-7 - Medium - CCI-000381 - V-51609 - SV-65819r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00143
Vuln IDs
  • V-51609
Rule IDs
  • SV-65819r1_rule
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Checks: C-53929r2_chk

To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.statd.notify:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56409r1_fix

To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.statd.notify" -dict Disabled -bool true

b
The NFS lock daemon must be disabled.
CM-7 - Medium - CCI-000381 - V-51619 - SV-65829r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00142
Vuln IDs
  • V-51619
Rule IDs
  • SV-65829r1_rule
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Checks: C-53931r2_chk

To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.lockd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56419r1_fix

To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.lockd" -dict Disabled -bool true

a
The system must be configured to set the time automatically from a network time server.
AU-8 - Low - CCI-000160 - V-51621 - SV-65831r1_rule
RMF Control
AU-8
Severity
L
CCI
CCI-000160
Version
OSX8-00-00325
Vuln IDs
  • V-51621
Rule IDs
  • SV-65831r1_rule
The system must be configured to set the time automatically from a network time server.
Checks: C-53933r1_chk

To check the setting for using a network time server, run the following command: systemsetup -getusingnetworktime | grep On If this is set to "off" this is a finding.

Fix: F-56421r1_fix

To enable the system to use a network time server, run the following: sudo systemsetup -setusingnetworktime on

b
The network time server must be an authorized DoD time source.
AU-8 - Medium - CCI-000160 - V-51623 - SV-65833r1_rule
RMF Control
AU-8
Severity
M
CCI
CCI-000160
Version
OSX8-00-00330
Vuln IDs
  • V-51623
Rule IDs
  • SV-65833r1_rule
The system must be configured to set the time automatically from a network time server. The network time server must be an authorized DoD time source.
Checks: C-53937r1_chk

To display the server used to synchronize time with, run the following command: systemsetup -getnetworktimeserver If the incorrect organizationally-defined server is listed, this is a finding.

Fix: F-56423r1_fix

To define the server to use for time synchronization, run the following command: sudo systemsetup -setnetworktimeserver <IP or FQDN> where <IP or FQDN> is the IP address or fully qualified domain name of the time server to use.

b
Audit Log files must have the correct permissions.
AU-9 - Medium - CCI-000162 - V-51625 - SV-65835r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
OSX8-00-00335
Vuln IDs
  • V-51625
Rule IDs
  • SV-65835r1_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. Audit Log files should have the correct permissions. To ensure the veracity of audit data the operating system must protect audit information from unauthorized access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Some commonly employed methods include ensuring log files have the proper file system permissions utilizing file system protections and limiting log data location. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-53939r1_chk

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.

Fix: F-56427r1_fix

For any log file that returns an incorrect permission value, run the following command: chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.

b
Audit log files must be owned by root:wheel.
AU-9 - Medium - CCI-000162 - V-51627 - SV-65837r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
OSX8-00-00340
Vuln IDs
  • V-51627
Rule IDs
  • SV-65837r1_rule
Audit log files should be owned by root:wheel.
Checks: C-53941r1_chk

To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 $4 ":" $9 }' The results should read "0:0" in the first column. The first 0 is UID, the second is GID, with the first "0" being root, and the second "0" being wheel. If not, this is a finding.

Fix: F-56429r2_fix

For any log file that returns an incorrect permission value, run the following command: chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.

b
The NFS daemon must be disabled.
CM-7 - Medium - CCI-000381 - V-51629 - SV-65839r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00141
Vuln IDs
  • V-51629
Rule IDs
  • SV-65839r1_rule
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Checks: C-53935r2_chk

To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.nfsd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56425r1_fix

To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.nfsd" -dict Disabled -bool true

b
Audit log files must not contain ACLs.
AU-9 - Medium - CCI-000162 - V-51631 - SV-65841r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
OSX8-00-00345
Vuln IDs
  • V-51631
Rule IDs
  • SV-65841r1_rule
Audit log files should not contain ACLs.
Checks: C-53943r2_chk

To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity" ). If any file contains this information, this is a finding.

Fix: F-56433r1_fix

For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.

b
Apple File Sharing must be disabled.
CM-7 - Medium - CCI-000381 - V-51633 - SV-65843r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
OSX8-00-00140
Vuln IDs
  • V-51633
Rule IDs
  • SV-65843r1_rule
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.
Checks: C-53945r2_chk

To check if file sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AppleFileServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56435r1_fix

To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AppleFileServer" '{ "Disabled" = 1; }'

b
Audit Log files must have the correct permissions.
AU-9 - Medium - CCI-000163 - V-51635 - SV-65845r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
OSX8-00-00350
Vuln IDs
  • V-51635
Rule IDs
  • SV-65845r1_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-53947r1_chk

Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions to be "440" or less permissive. If not, this is a finding.

Fix: F-56437r1_fix

For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.

b
The operating system must employ automated mechanisms to centrally verify configuration settings.
CM-6 - Medium - CCI-000372 - V-51639 - SV-65849r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000372
Version
OSX8-00-00455
Vuln IDs
  • V-51639
Rule IDs
  • SV-65849r1_rule
Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when verifying configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Checks: C-53949r1_chk

To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.

Fix: F-56439r1_fix

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

b
Audit log files must be owned by root:wheel.
AU-9 - Medium - CCI-000163 - V-51641 - SV-65851r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
OSX8-00-00355
Vuln IDs
  • V-51641
Rule IDs
  • SV-65851r1_rule
Audit log files should be owned by root:wheel.
Checks: C-53951r1_chk

Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s ls -l `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should be owned by root:wheel. If not, this is a finding.

Fix: F-56441r1_fix

For any log file that returns an incorrect permission value, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.

b
The audit log folder must be owned by root:wheel.
AU-9 - Medium - CCI-000164 - V-51643 - SV-65853r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
OSX8-00-00365
Vuln IDs
  • V-51643
Rule IDs
  • SV-65853r1_rule
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-53953r1_chk

To check the ownership of the audit log files, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`| awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit logs directory, with the first "0" being root, and the second "0" being wheel. If there is any other result, this is a finding.

Fix: F-56443r1_fix

If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit

b
Configuration profiles must be applied to the system.
CM-6 - Medium - CCI-000371 - V-51645 - SV-65855r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000371
Version
OSX8-00-00450
Vuln IDs
  • V-51645
Rule IDs
  • SV-65855r1_rule
Configuration settings are the configurable security-related parameters of the operating system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when making configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Checks: C-53955r1_chk

To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.

Fix: F-56445r1_fix

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

b
The audit log folder must have the correct permissions.
AU-9 - Medium - CCI-000164 - V-51647 - SV-65857r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
OSX8-00-00370
Vuln IDs
  • V-51647
Rule IDs
  • SV-65857r1_rule
The audit log folder should have correct permissions.
Checks: C-53957r1_chk

To check the permissions of the audit log files, run the following command: stat -f "%A:%N" `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.

Fix: F-56447r1_fix

If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 /var/audit

b
The audit log folder must not have ACLs.
AU-9 - Medium - CCI-000164 - V-51651 - SV-65861r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000164
Version
OSX8-00-00375
Vuln IDs
  • V-51651
Rule IDs
  • SV-65861r1_rule
The audit log folder should not have ACLs.
Checks: C-53959r1_chk

To check for ACLs of the audit log folder run the following command: ls -le `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/"}'` | grep -v current The audit log folder listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity"). If the folder contains this information, this is a finding.

Fix: F-56449r1_fix

If the log folder has an ACL, run the following command: chmod -N [audit log folder] where [audit log folder] is the full path to the log folder in question.

b
The audit log folder must have correct permissions.
AU-10 - Medium - CCI-000166 - V-51653 - SV-65863r1_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
OSX8-00-00205
Vuln IDs
  • V-51653
Rule IDs
  • SV-65863r1_rule
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Checks: C-53961r2_chk

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.

Fix: F-56451r1_fix

For every log file that returns incorrect permissions, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path of the log file that needs to be modified.

c
The Security assessment policy subsystem must be enabled.
CM-5 - High - CCI-000352 - V-51655 - SV-65865r1_rule
RMF Control
CM-5
Severity
H
CCI
CCI-000352
Version
OSX8-00-00430
Vuln IDs
  • V-51655
Rule IDs
  • SV-65865r1_rule
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical software must be signed with a certificate that is recognized and approved by the organization.
Checks: C-53963r1_chk

To check the status of the Security assessment policy subsystem, run the following command: sudo spctl --status | grep enabled If nothing is returned, this is a finding.

Fix: F-56455r1_fix

To enable the Security assessment policy subsystem, run the following command: sudo spctl --master-enable

b
The audit log folder must be owned by root:wheel.
AU-10 - Medium - CCI-000166 - V-51657 - SV-65867r1_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
OSX8-00-00210
Vuln IDs
  • V-51657
Rule IDs
  • SV-65867r1_rule
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Checks: C-53965r1_chk

To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' The results should read "0:0" in the first column. The first "0" is UID, the second is GID, with the first "0" being root, and the second "0" being wheel. If not, this is a finding.

Fix: F-56457r1_fix

For every log file that is not owned by root, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path of the log file that needs to be modified.

b
The audit log folder must be owned by root:wheel.
AU-10 - Medium - CCI-000166 - V-51659 - SV-65869r1_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
OSX8-00-00215
Vuln IDs
  • V-51659
Rule IDs
  • SV-65869r1_rule
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Checks: C-53967r1_chk

To check the ownership of the audit log files, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`| awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit logs directory. With the first "0" being root, and the second "0" being wheel. If there is any other result, this is a finding.

Fix: F-56461r1_fix

If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit

b
The password-related hint field must not be used.
CM-6 - Medium - CCI-000366 - V-51663 - SV-65873r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00630
Vuln IDs
  • V-51663
Rule IDs
  • SV-65873r1_rule
The password-related hint field must not be used.
Checks: C-53969r1_chk

To check if Password hints are turn on, run the following command: system_profiler SPConfigurationProfileDataType | grep RetriesUntilHint | awk '{ print $3 }' | sed 's/;//' If the result is not "0" or not defined, this is a finding.

Fix: F-56463r1_fix

This is enforced using a configuration profile.

b
The audit log folder must have correct permissions.
AU-10 - Medium - CCI-000166 - V-51665 - SV-65875r1_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
OSX8-00-00220
Vuln IDs
  • V-51665
Rule IDs
  • SV-65875r1_rule
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Checks: C-53971r1_chk

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.

Fix: F-56465r1_fix

If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`

b
The audit log files must not contain ACLs.
AU-10 - Medium - CCI-000166 - V-51667 - SV-65877r1_rule
RMF Control
AU-10
Severity
M
CCI
CCI-000166
Version
OSX8-00-00225
Vuln IDs
  • V-51667
Rule IDs
  • SV-65877r1_rule
The audit log files should not contain ACLs.
Checks: C-53973r3_chk

To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them. i.e. "0: group:admin allow list,readattr,reaadextattr,readsecurity". If any file contains this information, this is a finding.

Fix: F-56467r1_fix

For any log file that returns an ACL, run the following command: chmod -N [audit log file] where [audit log file] is the full path to the log file in question.

b
The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.
AU-12 - Medium - CCI-000169 - V-51671 - SV-65881r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
OSX8-00-00240
Vuln IDs
  • V-51671
Rule IDs
  • SV-65881r1_rule
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events) for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Checks: C-53975r1_chk

The options to configure the audit daemon are located in the /etc/security/audit_contol file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.

Fix: F-56469r1_fix

To set the audit flags to the recommended setting, run the following command: sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.

b
The flags option must be set in /etc/security/audit_control.
AU-12 - Medium - CCI-000172 - V-51673 - SV-65883r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
OSX8-00-00245
Vuln IDs
  • V-51673
Rule IDs
  • SV-65883r1_rule
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).
Checks: C-53979r1_chk

The options to configure the audit daemon are located in the /etc/security/audit_contol file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.

Fix: F-56471r1_fix

To set the audit flags to the recommended setting, run the following command: sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.

b
The operating system must enforce minimum password length.
IA-5 - Medium - CCI-000205 - V-51675 - SV-65885r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
OSX8-00-00590
Vuln IDs
  • V-51675
Rule IDs
  • SV-65885r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-53977r1_chk

To check the currently applied policies for password and accounts, use the following command: sudo system_profiler SPConfigurationProfileDataType | grep minLength The parameter minLength should be "15". If it is less than "15", this is a finding.

Fix: F-56473r1_fix

To set the policy to force the length of a password, a configuration profile must be created and applied to the workstation.

b
The OS X firewall must have logging enabled.
AU-12 - Medium - CCI-000172 - V-51677 - SV-65887r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
OSX8-00-00950
Vuln IDs
  • V-51677
Rule IDs
  • SV-65887r1_rule
Firewall logging must be enabled. This requirement is NA if HBSS is used.
Checks: C-53981r1_chk

To check if the OS X firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | grep on If the result is not enabled, this is a finding.

Fix: F-56475r1_fix

To enable the firewall logging, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

b
The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
AU-12 - Medium - CCI-000174 - V-51679 - SV-65889r1_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000174
Version
OSX8-00-00230
Vuln IDs
  • V-51679
Rule IDs
  • SV-65889r1_rule
Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). The events that occur must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. The operating system must be able to have audit events correlated to the level of tolerance determined by the organization.
Checks: C-53983r2_chk

To see if the audit daemon is loaded, run the following command: sudo launchctl list | grep -i com.apple.auditd The result returned should be " - 0 com.apple.auditd". If this is not running, this is a finding.

Fix: F-56477r2_fix

Configuration of startup processes is done via configuration files for each process or daemon. Make sure the file /System/Library/LaunchDaemons/com.apple.auditd.plist exists. If not, you may need to obtain a copy from the original installation media.

b
The OCSPStyle option must be set correctly.
IA-5 - Medium - CCI-000185 - V-51681 - SV-65891r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OSX8-00-00615
Vuln IDs
  • V-51681
Rule IDs
  • SV-65891r1_rule
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-53985r1_chk

To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.

Fix: F-56479r1_fix

This is enforced using a configuration profile.

b
The OCSPSufficientPerCert option must be set correctly.
IA-5 - Medium - CCI-000185 - V-51683 - SV-65893r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OSX8-00-00616
Vuln IDs
  • V-51683
Rule IDs
  • SV-65893r1_rule
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-53987r1_chk

To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.

Fix: F-56481r1_fix

This is enforced using a configuration profile.

b
The RevocationFirst option must be set correctly.
IA-5 - Medium - CCI-000185 - V-51685 - SV-65895r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OSX8-00-00617
Vuln IDs
  • V-51685
Rule IDs
  • SV-65895r1_rule
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-53991r1_chk

To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep RevocationFirst | awk '{ print $3 }' | sed 's/;//' The result should be "OCSP". If nothing is returned or the result is incorrect, this is a finding.

Fix: F-56483r1_fix

This is enforced using a configuration profile.

c
The telnet service must be disabled.
IA-5 - High - CCI-000197 - V-51687 - SV-65897r1_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
OSX8-00-00605
Vuln IDs
  • V-51687
Rule IDs
  • SV-65897r1_rule
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.
Checks: C-53989r2_chk

The service "telnet" should be disabled, to check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Fix: F-56485r1_fix

To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

b
There must be no .netrc files on the system.
IA-5 - Medium - CCI-000196 - V-51689 - SV-65899r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
OSX8-00-00600
Vuln IDs
  • V-51689
Rule IDs
  • SV-65899r1_rule
Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. There must be no ".netrc" files on the system.
Checks: C-53993r1_chk

To see if there are any ".netrc" files on the system, run the following command: sudo find / -name .netrc If there is anything found, this is a finding.

Fix: F-56487r1_fix

To remove any ".netrc" files, run the following command: find / -name .netrc -exec rm {} \;

b
The CRLSufficientPerCert option must be set correctly.
IA-5 - Medium - CCI-000185 - V-51691 - SV-65901r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
OSX8-00-00619
Vuln IDs
  • V-51691
Rule IDs
  • SV-65901r1_rule
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-53995r1_chk

To check to see if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.

Fix: F-56489r1_fix

This is enforced using a configuration profile.

b
The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
RA-5 - Medium - CCI-001069 - V-51785 - SV-65995r1_rule
RMF Control
RA-5
Severity
M
CCI
CCI-001069
Version
OSX8-00-01465
Vuln IDs
  • V-51785
Rule IDs
  • SV-65995r1_rule
Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
Checks: C-53999r3_chk

Ask the SA or IAO if an approved anti-virus solution is loaded on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no local anti-virus solution installed on the system, this is a finding.

Fix: F-56599r2_fix

Install an approved anti-virus solution onto the system.

b
Automatic actions must be disabled for picture CDs.
AC-19 - Medium - CCI-000087 - V-51845 - SV-66059r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000087
Version
OSX8-00-00100
Vuln IDs
  • V-51845
Rule IDs
  • SV-66059r1_rule
Automatic actions must be disabled for picture CDs.
Checks: C-54009r1_chk

To check if the system has the correct setting for picture CDs open up System Preferences, CDs &amp; DVDs. The setting for "When you insert a picture CD" should be set to "Ignore", if it is not, this is a finding.

Fix: F-56661r1_fix

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a picture CD" to "Ignore".

b
Bluetooth support software must be disabled.
AC-19 - Medium - CCI-000086 - V-51847 - SV-66061r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000086
Version
OSX8-00-00080
Vuln IDs
  • V-51847
Rule IDs
  • SV-66061r1_rule
Bluetooth support software must be disabled.
Checks: C-54011r1_chk

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Fix: F-56663r1_fix

Removing the kernel extensions for Bluetooth will remove the system's ability to load Bluetooth devices, use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDDriver.kext; sudo touch /System/Library/Extensions

b
Infrared [IR] support must be removed.
AC-19 - Medium - CCI-000086 - V-51929 - SV-66145r1_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000086
Version
OSX8-00-00075
Vuln IDs
  • V-51929
Rule IDs
  • SV-66145r1_rule
Infrared [IR] support must be removed.
Checks: C-54019r2_chk

To check if the software support for IR is installed, run the following command: sudo ls -d /System/Library/Extensions/AppleIRController.kext If the result shows the file is present, this is a finding.

Fix: F-56737r1_fix

To remove support for IR, run the following command: sudo rm -rf /System/Library/Extensions/AppleIRController.kext

b
The FireWire protocol driver must be removed or disabled.
CM-6 - Medium - CCI-000366 - V-53857 - SV-68075r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00845
Vuln IDs
  • V-53857
Rule IDs
  • SV-68075r1_rule
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Checks: C-54701r1_chk

This command checks for the presence of the FireWire protocol kext (driver). This is the primary driver for FireWire communication and, if removed, will disable the ability to communicate with FireWire devices. If this command returns any value other than "No such file or directory" this is a finding. ls -ld /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext The check to see if a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert" this is a finding.

Fix: F-58689r1_fix

To remove the driver for FireWire, run the following command: sudo rm -Rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext This should be enforced by a configuration profile.

b
The USB mass storage driver must be removed or disabled.
CM-6 - Medium - CCI-000366 - V-53859 - SV-68077r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00850
Vuln IDs
  • V-53859
Rule IDs
  • SV-68077r1_rule
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Checks: C-54703r1_chk

This command checks for the presence of the USB mass storage kext (driver). If this command returns any value other than "No such file or directory" this is a finding. ls -ld /System/Library/Extensions/IOUSBMassStorageClass.kext The check to see if a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert" this is a finding.

Fix: F-58691r1_fix

To remove the USB mass storage kext, run the following command: sudo rm -Rf /System/Library/Extensions/IOUSBMassStorageClass.kext This should be enforced using a configuration profile.

b
The Apple Storage Drivers must be removed or disabled.
CM-6 - Medium - CCI-000366 - V-53861 - SV-68079r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00855
Vuln IDs
  • V-53861
Rule IDs
  • SV-68079r1_rule
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Checks: C-54705r1_chk

This command checks for the presence of the Apple Storage Drivers kext file. If this command returns any value other than "No such file or directory" this is a finding. ls -ld /System/Library/Extensions/AppleStorageDrivers.kext The check to see if a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert" this is a finding.

Fix: F-58693r1_fix

To remove the Apple Storage Drivers, run the following command: sudo rm -Rf /System/Library/Extensions/AppleStorageDrivers.kext This should be enforced by a configuration profile.

b
The iPod Driver must be removed.
CM-6 - Medium - CCI-000366 - V-53863 - SV-68081r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00860
Vuln IDs
  • V-53863
Rule IDs
  • SV-68081r1_rule
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Checks: C-54707r1_chk

This command checks for the presence of the iPod Driver kext (driver). If this command returns any value other than "No such file or directory" this is a finding. ls -ld /System/Library/Extensions/iPodDriver

Fix: F-58695r1_fix

To remove the iPod Driver kext, run the following command: sudo rm -Rf /System/Library/Extensions/iPodDriver.kext

b
All users must use PKI authentication for login and privileged access.
CM-6 - Medium - CCI-000366 - V-53865 - SV-68083r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-02055
Vuln IDs
  • V-53865
Rule IDs
  • SV-68083r1_rule
Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emergency access to a system for maintenance is acceptable, however.)
Checks: C-54709r1_chk

Ask the SA or IAO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If a non-emergency account can log into the system or gain privileged access without a smart card, this is a finding.

Fix: F-58697r1_fix

Implement PKI authentication using approved third-party PKI tools, to integrate with an existing directory services infrastructure or local password database, where no directory services infrastructure exists.

b
The system must be integrated into a directory services infrastructure.
CM-6 - Medium - CCI-000366 - V-53867 - SV-68085r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-02060
Vuln IDs
  • V-53867
Rule IDs
  • SV-68085r1_rule
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active Directory, allow centralized management of users and passwords.
Checks: C-54711r1_chk

Ask the SA or IAO if the system is integrated into a directory services infrastructure, such as Active Directory. If the system is not integrated into a directory service infrastructure, this is a finding. Mitigation: If there is no directory services infrastructure available, reduce severity to CAT III.

Fix: F-58699r1_fix

Integrate the system into an existing directory services infrastructure, such as Active Directory.

b
The usbmuxd daemon must be disabled.
CM-6 - Medium - CCI-000366 - V-53869 - SV-68087r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
OSX8-00-00862
Vuln IDs
  • V-53869
Rule IDs
  • SV-68087r1_rule
Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices.
Checks: C-54713r1_chk

To check the status of the usbmuxd daemon, run the following command: sudo launchctl list | grep usbmuxd If there is any output, this is a finding.

Fix: F-58701r1_fix

To disable the usbmuxd daemon, run the following command: sudo launchtctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist