If a temporary user has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
To set an expiration date for a temporary account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
To check if the login window is configured to prompt for user name and password, run the following command: system_profiler SPConfigurationProfileDataType | grep SHOWFULLNAME | awk '{ print $3 }' | sed 's/;//' If this setting is not defined, or not set to "1", this is a finding.
This is enforced using a configuration profile.
To check the setting for authentication to unlock the screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "print :rights:system.login.screensaver:rule" /etc/authorization If the result is not "authenticate-session-owner" this is a finding.
To disable the ability for an administrator to unlock a screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "set :rights:system.login.screensaver:rule authenticate-session-owner" /etc/authorization
To check the permissions and ownership of the system files, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.
To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /
To check if the Users home directory has any extended ACLs, run the following command: ls -al /Users Any of the folders that contain a "+" character in the permissions is a finding.
To remove ACLs from a folder, run the following command: sudo chmod -R -N /Users/[username] Where [username] is the folder that contains ACLs.
To list the world-writable device files on the system, run the following command: sudo find / -perm -2 -a \( -type b -o -type c \) Also check the permissions on the parent directories of the returned items. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding.
To remove the writable option for other users, run the following command: sudo chmod o-w [path to device file]
To check if the tty_tickets option is set for sudo, run the following command: sudo grep tty_tickets /etc/sudoers If there is no result, this is a finding.
Edit the /etc/sudoers file to contain the line "Defaults tty_tickets"
To check the timestamp_timeout value, run the following command : sudo grep timestamp_timeout /etc/sudoers If this setting is not defined, or defined for a value other than "0", this is a finding.
Edit the /etc/sudoers file to contain the line "Defaults timestamp_timeout=0"
To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the group ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is group-owned by a group that the user is not a member of, this is a finding.
To change the group-ownership of the home directory and files, run the following command: sudo chgrp -R [group] /Users/username
To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is not owned by the user, this is a finding.
To change the ownership of the files and directories to the owner of the home directory, run the following command: sudo chown -R username /Users/username
To view the umask setting, run the following command: awk '{ print $2 }' /etc/launchd-user.conf If the command produces an error, or the result is not "027", this is a finding.
To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 027' > /etc/launchd-user.conf"
To view the umask setting, run the following command: umask If the setting is not "022", this is a finding.
To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 022' > /etc/launchd.conf"
To check if the newsyslog daemon is disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.newsyslog Disabled If the result shows a "1", this is a finding.
To ensure that the newsyslog daemon is not disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/com.apple.newsyslog Disabled -bool FALSE
To view the settings for the log file rotation, run the following command: sudo grep -v "^#" /etc/newsyslog.conf The third column is the number of files to keep in rotation. If this is not set to the correct value for the organization, this is a finding.
Edit the /etc/newsyslog.conf file to configure the correct values.
To list all of the administrator accounts on the system, run the following command: sudo dscl . -read /Groups/admin GroupMembership If any of the resulting accounts have easy-to-guess names, this is a finding. An example of an easy-to-guess name would contain "admin" or "administrator".
Rename any accounts on the system that have easy-to-guess names.
To check if the system contains any ".forward" files, run the following command: find / -name .forward -print If anything is returned, this is a finding.
To remove any ".forward" files from the system, run the following command: find / -name .forward -exec rm {} \;
To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet Signing option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.
To set the Active Directory configuration to require signing of packets, run the following command: sudo dsconfigad -packetsign require
To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet encryption option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.
To set the Active Directory configuration to require encryption of packets, run the following command: sudo dsconfigad -packetencrypt require
To check if the iTunes store is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableMusicStore | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
This can be enforced using a configuration profile.
To check if UIDs below "500" are hidden, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow Hide500Users If the result is not "1", this is a finding.
To hide user accounts below "500", run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
To list all of the accounts with a UID of "0", run this command: sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l If the result is not "1", this is a finding.
Investigate as to why any additional accounts were set up with a UID of "0".
To check that the Finder will only present the option to securely empty the trash, run the following command as the primary user: system_profiler SPConfigurationProfileDataType | grep EmptyTrashSecurely | awk '{ print $3 }' | sed 's/;//' If the result does not return a setting, or the setting is not "1", this is a finding.
This should be enforced by a configuration profile.
To check if the OS X firewall has been enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is not enabled, this is a finding.
To enable the firewall run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
To check if the system is configured to restart automatically after a power loss, run the following command: system_profiler SPConfigurationProfileDataType | grep "Automatic Restart On Power Loss" | awk '{ print $7 }' | sed 's/;//' If the result is not "0", this is a finding.
This is enforced using a configuration profile.
To check if Fast User Switching is enabled, run the following command: system_profiler SPConfigurationProfileDataType | grep MultipleSessionEnabled | awk '{ print $3 }' | sed 's/;//' If the setting is not "0", this is a finding.
This is enforced using a configuration profile.
To check if kernel core dumps are enabled, run the following command: sudo sysctl kern.coredump | awk '{ print $NF }' If the value is not "0", this is a finding.
Edit the /etc/sysctl.conf file to include the following line: kern.coredump=0
To display all directories that are writable by all, run the following command: sudo find / -type d -perm -1002 -not -uid 0 If anything is returned, this is a finding.
To change the ownership of any finding, run the following command: sudo find / -type d -perm -1002 -not -uid 0 -exec chown root {} \;
To check if the finger service has been disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.fingerd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To ensure that the finger service is disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.fingerd" -dict Disabled -bool true
Run the following command to view all world-writable directories that do not have the sticky bit set: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.
Run the following command to set the sticky bit on all world-writable directories: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
To check if the prompt for Apple ID and iCloud are disabled for new users, run the following command: sudo defaults read /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant If there is no result, or the results do not include "DidSeeCloudSetup = 1 AND LastSeenCloudProductVersion = 10.8", this is a finding.
To ensure that the prompt for Apple ID and iCloud is disabled, run the following commands: sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE; sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.8"
To see if any user account has configured an Apple ID for iCloud usage, run the following command: sudo find /Users/ -name "MobileMeAccounts.plist" -exec defaults read '{}' \; If the results show any accounts listed, this is a finding.
This must be manually resolved. With the affected user logged in, open System Preferences->iCloud. Choose "Sign Out".
To view the folders that are excluded by Spotlight, run the following command: sudo defaults read /.Spotlight-V100/VolumeConfiguration.plist Exclusions If there are no results, or the results don't meet the organizations requirements, this is a finding.
To add exclusions to the spotlight search, open up System Preferences->Spotlight, and add the folders to the Privacy tab to prevent Spotlight from searching those locations.
To check if the iTunes music sharing is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableSharedMusic | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
This can be enforced using a configuration profile.
To list all of the files with the setuid bit set, run the following command: sudo find / -perm -4000 -exec ls -ldb {} \; If any of the files listed are not documented by the vendor as needing the setuid bit set, this is a finding.
Document all of the files with the setuid bit set.
To check if the iTunes radio is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableRadio | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
This can be enforced using a configuration profile.
To check if the iTunes podcasts are disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disablePodcasts | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
This can be enforced using a configuration profile.
To view a list of packages and applications installed on the system, run the following command: sudo pkgutil / --pkgs If any of the packages listed are not required for proper operation of the system, this is a finding.
If there are any unnecessary packages installed on the system, verify any dependencies and remove those not required.
To check the ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the owner is not "root", this is a finding.
To change the ownership to "root", run the following command: sudo chown root /Library/Logs/DiagnosticReports/
To check the permissions of the process core dump directory, run the following command: sudo stat -f %A /Library/Logs/DiagnosticReports/ If the permissions are not "0750", this is a finding.
To change the permissions of the directory, run the following command: sudo chmod 0750 /Library/Logs/DiagnosticReports/
To check the group ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the group is not "admin", this is a finding.
To change the group ownership to "admin", run the following command: sudo chgrp admin /Library/Logs/DiagnosticReports/
To check if the system is configured to respond to ICMP echoes, run the following command: sudo sysctl net.inet.icmp.bmcastecho | awk '{ print $NF }' If the value is not set to "1", this is a finding.
To disable ICMP responses to broadcast traffic add the following line to /etc/sysctl.conf: net.inet.icmp.bmcastecho=1
To check if the system is configured to accept source-routed packets, run the following command: sysctl net.inet.ip.accept_sourceroute | awk '{ print $NF }' If the value is not "0", this is a finding.
To configure the system to not accept source-routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.accept_sourceroute=0
To check if the system is configured to ignore ICMP redirect messages, run the following command: sysctl -a net.inet.icmp.drop_redirect | awk '{ print $NF }' If the value is not "1", this is a finding.
To configure the system to ignore ICMP redirect messages, add the following line to /etc/sysctl.conf: net.inet.icmp.drop_redirect=1
To check if IP forwarding is enabled, run the following command: sysctl net.inet.ip.forwarding | awk '{ print $NF }' If the value is not "0", this is a finding.
To configure the system to disable IPv4 forwarding, add the following line to /etc/sysctl.conf: net.inet.ip.forwarding=0
To check if the system is configured to send ICMP redirects, run the following command: sysctl net.inet.ip.redirect | awk '{ print $NF }' If the value is not set to "0", this is a finding.
To disable ICMP redirects, add the following line to /etc/sysctl.conf: net.inet.ip.redirect=0
To check if the system is configured to generate source-routed packets, run the following command: sysctl net.inet.ip.sourceroute | awk '{ print $NF }' If the value is not set to "1", this is a finding.
To disable source routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.sourceroute=1
To check if the system is configured to process ICMP timestamp requests, run the following command: sysctl net.inet.icmp.timestamp | awk '{ print $NF }' If the value is not set to "1", this is a finding.
To disable ICMP timestamp responses, add the following line to /etc/sysctl.conf: net.inet.icmp.timestamp=1
Disabling the microphone completely will also remove all audio output from the computer. If audio is not a mission requirement, check for the presence of the following files; the presence of any of these files is a finding. ls -l /System/Library/Extensions/AppleUSBAudio.kext /System/Library/Extensions/IOAudioFamily.kext /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext If audio output is required for the mission, the only way to disable the microphone while maintaining the kext file signatures is to set the input volume to 0 with the command given in the fix. The input volume can be checked by running the following script: osascript -e 'get volume settings' Any value other than "0" for "input volume" is a finding. Microphone hardware can also be physically removed from the device prior to deployment to meet this requirement.
To disable all audio input/output on the device, run the following commands: sudo rm -rf /System/Library/Extensions/AppleUSBAudio.kext;sudo rm -rf /System/Library/Extensions/IOAudioFamily.kext;sudo rm -rf /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext To fix a non-"0" input volume on a machine that requires audio output functionality, run this command on a repeating interval or manually change the input volume to "0": osascript -e 'set volume input volume 0'
To list the network devices that are enabled on the system, run the following command: sudo networksetup -listallnetworkservices If any service is listed that is not being used, it must be disabled.
To disable a network service, run the following command: sudo networksetup -setnetworkserviceenabled <networkservice> off
To check if the OS X application firewall (not pf) is running in stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{ print $NF }' If the result is "Disabled", this is a finding.
To enable the firewall stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
To check if the system is using secure virtual memory, run the following command: sudo sysctl vm.swapusage | awk '{ print $NF }' If the result does not show (encrypted), this is a finding.
To ensure virtual memory is encrypted, run the following command: sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE
To check which software updates are available for the system, run the following command: sudo softwareupdate --list --all Review the results and determine if any updates need to be applied. If there are any required updates that have not been applied, this is a finding.
To install software updates, run the following command: sudo softwareupdate --install [name of update]
To check if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.
This is enforced using a configuration profile.
Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.
Install an approved HBSS or firewall solution onto the system.
Run the following command to list all network interfaces and services active on them: networksetup -listallnetworkservices If any enabled network interfaces have IPv6 enabled that do not require the use of IPv6, this is a finding.
Run the following command to turn IPv6 addressing off for the Ethernet interface: networksetup -setv6off Ethernet Repeat the command for each interface that is active; interface names are case sensitive.
To show the proxy configuration for the Ethernet interface, run the following command: networksetup -getautoproxyurl Ethernet Replace "Ethernet" with the plain English name of the network interface to be verified; the command networksetup -listallnetworkservices lists the plain English names of all configured network interfaces on the computer. If there is no proxy defined, or Enabled is set to "No", this is a finding.
Ensure that DoD proxies are configured on all active network interfaces listed from the command: networksetup -listallnetworkservices
To check the idle timeout setting for SSH sessions, run the following command: grep ClientAliveInterval /etc/sshd_config If this setting is not "600", or is commented out, this is a finding.
In order to make sure that the correct ClientAliveInterval is set correctly, run the following command: sudo sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/sshd_config
To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: grep ClientAliveCountMax /etc/sshd_config If the setting is commented out, or not "ClientAliveCountMax 0", this is a finding.
In order to make sure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, run the following command: sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config
To check the amount of time that a user can login through SSH, run the following command: grep LoginGraceTime /etc/sshd_config If the value is not set to "30" or less, this is a finding.
In order to make sure that LoginGraceTime is configured correctly, run the following command: sudo sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/sshd_config
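The three sshd_config checks above can be evaluated together. The following script is an added example and not part of the STIG; it assumes the "Keyword value" syntax of sshd_config, uses a constructed sample file in place of /etc/sshd_config, and treats a commented-out or missing keyword as a finding, as the checks require.

```shell
#!/bin/sh
# Added example (not the STIG's own commands): evaluate the SSH idle-timeout
# requirements (ClientAliveInterval 600, ClientAliveCountMax 0,
# LoginGraceTime <= 30) against an sshd_config file and report each finding.

# Constructed sample config standing in for /etc/sshd_config. Two of the three
# settings are wrong and the third is only present as a comment.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample sshd_config for the example
Port 22
#ClientAliveInterval 0
ClientAliveCountMax 3
LoginGraceTime 2m
EOF
trap 'rm -f "$SAMPLE_CONFIG"' EXIT

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (sshd honours the
# first match; keywords are case-insensitive). Prints nothing when the keyword
# is absent or only present in a comment, which the checks treat as a finding.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Each check returns 0 when compliant and 1 when the setting is missing or wrong.
check_client_alive_interval() {
    v="$(effective_value "$1" ClientAliveInterval)"
    [ "$v" = "600" ]
}

check_client_alive_count_max() {
    v="$(effective_value "$1" ClientAliveCountMax)"
    [ "$v" = "0" ]
}

# LoginGraceTime must be defined and be 30 (seconds) or less. sshd also accepts
# suffixed values such as "2m"; anything that is not a plain number is reported
# as a finding here rather than silently converted.
check_login_grace_time() {
    v="$(effective_value "$1" LoginGraceTime)"
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -le 30 ]
}

# report FILE: prints PASS/FINDING per requirement; exit status is the number
# of findings, so 0 means fully compliant.
report() {
    findings=0
    for c in check_client_alive_interval check_client_alive_count_max check_login_grace_time; do
        if "$c" "$1"; then
            echo "PASS    $c"
        else
            echo "FINDING $c"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

report "$SAMPLE_CONFIG" || echo "$? finding(s) in $SAMPLE_CONFIG"
```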
Run the following command to ensure the correct FIPS administrative and cryptographic modules are installed: sudo codesign -dvvv /usr/libexec/cc_fips_test 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "bdef561bd742ae2e28589ca3ed44f188530d6910". If it differs, this is a finding.
Download and install the Apple FIPS Cryptographic Module v3.0 from http://support.apple.com/kb/DL1555
To check if the video recording plugins are installed, run the following commands: sudo ls -l /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo ls -l /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo ls -l /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC If any of the files exist, this is a finding.
To remove video recording support, run the following commands: sudo rm -rf /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo rm -rf /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo rm -rf /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC These commands cannot be undone.
To view a list of installed certificates, run the following command: sudo security -dump-keychain | grep labl | awk -F\" '{ print $4 }' If this list does not contain approved certificates, this is a finding.
Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from /Applications/Utilities to add certificates to the System keychain.
To make sure the Xprotect Update service is running, run the following command: sudo launchctl list | grep com.apple.xprotectupdater If there is no result, this is a finding.
The Xprotect mechanism is installed and running by default. Make sure the launch daemon is correctly configured in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist. If this file doesn't exist, you may need to obtain it from the original install media.
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.
Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
The system must be configured to use an internal software update server. To check the value of the software update server, run the following command: system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//' If it is not defined, or not set to the correct organization-defined value, this is a finding.
This should be configured with a configuration profile.
This command checks for the log files that exist on the system and prints each log with its corresponding ownership. stat -f "%Su:%Sg:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null If any log file is not owned by root and group-owned by wheel or admin, this is a finding.
For any log file that returns an incorrect permission value, run the following command: chown root:wheel [log file] where [log file] is the full path to the log file in question.
This command checks for the log files that exist on the system and prints each log with its corresponding permissions. stat -f "%A:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null The correct permissions should be "640" or less permissive. Any file with more permissive settings is a finding.
For any log file that returns an incorrect permission value, run the following command: chmod 640 [log file] where [log file] is the full path to the log file in question.
This command checks for the log files that exist on the system and prints their ACLs, if any. ls -le `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null ACLs will be listed under any file that has them, e.g. "0: group:admin allow list,readattr,readextattr,readsecurity". If any file contains such an entry, this is a finding.
For any log file that returns an ACL, run the following command: chmod -N [log file] where [log file] is the full path to the log file in question.
Ask the SA or IAO if a host-based security system is loaded on the system. The recommended system is the McAfee HBSS. If there is no HBSS installed on the system, this is a finding.
If the system does not have the HBSS package installed, contact the HBSS administrator to obtain the installer package for the software.
To check the location of the audit log files, run the following command: sudo ls -ld `sudo grep "^dir" /etc/security/audit_control | sed 's/dir://'` The default location is /var/audit. If this is not defined or defined incorrectly, this is a finding.
Edit the /etc/security/audit_control file to define the directory for audit logs.
The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder. ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document should read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Create an RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security
To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
To check if screen sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.screensharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable screen sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.screensharing" -dict Disabled -bool true
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
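The audit flag check and fix above can be made idempotent. The following script is an added example, not the STIG's own command; it works on a constructed sample audit_control file rather than /etc/security/audit_control, and adds the "ad" class only when it is absent so that ",ad" is not appended again on every run.

```shell
#!/bin/sh
# Added example (not the STIG's own commands): check whether the "ad" audit
# class is enabled in an audit_control file and enable it only when missing.
# Writes go through a temporary file and mv, which works the same with BSD and
# GNU sed (their -i options differ).

# Constructed sample audit_control standing in for /etc/security/audit_control.
AUDIT_CONTROL="$(mktemp)"
cat > "$AUDIT_CONTROL" <<'EOF'
#
# constructed sample audit_control
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
EOF
trap 'rm -f "$AUDIT_CONTROL"' EXIT

# flags_line FILE: prints the value of the flags: line (empty if none).
flags_line() {
    grep '^flags:' "$1" | sed 's/^flags://'
}

# has_audit_flag FILE CLASS: returns 0 if CLASS is among the comma-separated
# flags. Exact match per element, so "ad" cannot match inside another class
# name. A success-only/failure-only prefix (+, -, ^) still counts as enabled.
has_audit_flag() {
    flags_line "$1" | tr ',' '\n' | sed 's/^[-+^]//' | grep -qx "$2"
}

# enable_audit_flag FILE CLASS: appends CLASS to the flags: line if absent.
# Handles an empty "flags:" line (no leading comma) and a missing line.
enable_audit_flag() {
    if has_audit_flag "$1" "$2"; then
        return 0
    fi
    if grep -q '^flags:[[:space:]]*$' "$1"; then
        sed "s/^flags:[[:space:]]*$/flags:$2/" "$1" > "$1.tmp"
    elif grep -q '^flags:' "$1"; then
        sed "s/^flags:.*/&,$2/" "$1" > "$1.tmp"
    else
        { cat "$1"; echo "flags:$2"; } > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

if has_audit_flag "$AUDIT_CONTROL" ad; then
    echo "PASS: flags=$(flags_line "$AUDIT_CONTROL")"
else
    echo "FINDING: 'ad' not audited (flags=$(flags_line "$AUDIT_CONTROL"))"
    enable_audit_flag "$AUDIT_CONTROL" ad
    echo "FIXED: flags=$(flags_line "$AUDIT_CONTROL")"
fi
```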
Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, and configured with a default deny policy, this is a finding.
Install an approved HBSS or firewall solution onto the system.
To check if Internet sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.InternetSharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable Internet Sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.InternetSharing" -dict Disabled -bool true
To check if Web Sharing is enabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled If the result is not "1", this is a finding.
To disable Web Sharing, run the following command: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled -bool TRUE
The "rshd" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/shell Disabled If the result is not "1", this is a finding.
To set the "rshd" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/shell Disabled 1
To check if the password policy is configured to disable an account within 15 minutes of failed attempts, run the following command: sudo pwpolicy -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the result is not "minutesUntilFailedLoginReset=15", this is a finding. This is NA for machines bound to a directory server.
To set the password policy, run the following command: sudo pwpolicy setglobalpolicy "minutesUntilFailedLoginReset=15"
The "telnet" service should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep nt Network events are logged by way of the "nt" flag. If "nt" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,nt/' /etc/security/audit_control
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies between the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.
To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]
To check the permissions and ownership of the system files and make sure they haven't changed from the original installation, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.
To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /
To check that the user cannot override Gatekeeper settings, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.
This can be enforced using a configuration profile.
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions
To check if the Wi-Fi software components are present on the system, run the following command: sudo ls -d /System/Library/Extensions/IO80211Family.kext If there is a result showing the file is present, this is a finding.
To remove the software component for Wi-Fi support, run the following command: sudo rm -rf /System/Library/Extensions/IO80211Family.kext
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep aa The authentication events are logged via the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control
To check if this setting is disabled, run the following command as the primary user: defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled If the return value is "1", this is a finding.
This control must be changed manually on the computer: open System Preferences->Bluetooth, click Advanced, and make sure "Allow Bluetooth devices to wake this computer" is not checked.
To check if Bluetooth Sharing is enabled, Open up System Preferences->Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding.
To disable Bluetooth Sharing, open System Preferences->Sharing and uncheck the box next to Bluetooth Sharing.
The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder: ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document MUST read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not exactly worded this way, this is a finding.
Create an RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security/
Run the following command to ensure the audit tool, praudit, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/praudit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "7972f0ead62fd6610d4453f842f9e22b5dc14732". If it differs, this is a finding.
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
To check if the input menu is available at the login window, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow showInputMenu If the setting is not "0", this is a finding.
To disable the input menu at the login window, run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool FALSE
Run the following command to ensure the audit tool, auditreduce has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditreduce 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "3b7644bca759043242925af1e6c1c4f4f7dadbae". If it differs, this is a finding.
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Run the following command to ensure the audit tool, audit has the correct signed hash value: sudo codesign -dvvv /usr/sbin/audit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "e23e7f63cdef9c1844390a3c8f32122b671b68d3". If it differs, this is a finding.
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
To see if SSH is configured to display the last login information, run the following command: grep ^PrintLastLog /etc/sshd_config | awk '{ print $2 }' If there is no result returned, or the result is "no", this is a finding.
To set the SSH server to print the last login information, run the following command: sudo sed -i.bak 's/.*PrintLastLog.*/PrintLastLog yes/' /etc/sshd_config
Run the following command to ensure the audit tool, auditd has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditd 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "abad487143d9bb99e06d945f69f8fab6e49460f1". If it differs, this is a finding.
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account [which provides no individual identification and accountability] is mitigated.
Remove, disable, or document with the IAO all shared accounts.
To check if the system has the correct setting in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "askForPassword" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
To enforce this setting, it must be configured using a configuration profile.
To check the status of the System Preference Pane authorization requirements, run the following command: sudo security authorizationdb read system.preferences | grep -A1 shared If the results display "true", this is a finding.
To set the system to require a password to unlock every System Preference Pane, open System Preferences->Security & Privacy->Advanced, and make sure the box is checked to "Require an administrator password to access locked preferences".
To check if the system is configured to automatically log out after a period of time, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.autologout.AutoLogOutDelay" | awk '{ print $3 }' | sed 's/;//' If the result is not defined (nothing returned) or not "0", this is a finding.
This setting should be configured with a configuration profile.
To check if the system is configured to automatically log in, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableAutoLoginClient | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.
This is enforced using a configuration profile.
To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: system_profiler SPConfigurationProfileDataType | grep idleTime | awk '{ print $3 }' | sed 's/;//' The check should return a value of "900" or less; if not, this is a finding.
This setting is enforced using a configuration profile.
To check if any of the hot corners are configured to disable the screen saver run the following command for the logged in user: system_profiler SPConfigurationProfileDataType | grep wvous There should be 4 results (wvous-bl-corner, wvous-br-corner, wvous-tl-corner, wvous-tr-corner). If any of them are not defined to be "1", this is a finding.
Open up System Preferences->Desktop&Screen Saver, and open Hot Corners. Make sure none of the corners are defined to "Disable Screen Saver". This can be enforced using a configuration profile or managed preferences.
To view the currently selected screen saver for the logged in user, run the following command: system_profiler SPConfigurationProfileDataType | grep moduleName If there is no result or defined moduleName, this is a finding.
This is enforced using a configuration profile.
To check to make sure the audit daemon is configured to log all login events, both local and remote, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep lo The flag "lo" should be included in the list of flags set. If it is not, this is a finding.
To edit the configuration of the audit daemon flags, open the /etc/security/audit_control file and make sure "lo" is listed in the "flags:" parameter. To programmatically do this, run the following command: sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s
The "rexec" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/exec Disabled If the result is not "1", this is a finding.
To set the "rexec" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/exec Disabled 1
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo reboot
To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.cd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
This setting must be configured using a configuration profile.
To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.dvd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
This setting must be configured using a configuration profile.
To check if the system has the correct setting for music CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a music CD" should be set to "Ignore"; if it is not, this is a finding.
Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a music CD" to "Ignore".
To check if the system has the correct setting for picture CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a video DVD" should be set to "Ignore"; if it is not, this is a finding.
Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a video DVD" to "Ignore".
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
Edit the /etc/security/audit_control file, and change the value for "minfree" to the percentage of free space you require to keep available for the system. You can use the following command to set the "minfree" value to "10%": sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control
The check displays the "expire-after" value, which controls when the audit system expires old log files. To view the current setting, run the following command: sudo grep expire-after /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
To set the auditing daemon to expire logs after "10 GB" of space in the audit_control configuration file, run the following command: sudo sed -i.bak 's/.*expire-after.*/expire-after:10G/' /etc/security/audit_control; sudo audit -s
The check will display the settings for the audit control system. To view the setting, run the following command: sudo grep policy /etc/security/audit_control | grep ahlt If there is no result, this is a finding.
Edit the /etc/security/audit_control file, and change the value for policy to include the setting "ahlt".
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
To set the value for "minfree" in the "audit_control" configuration file, run the following command: sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control; sudo audit -s
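The audit_control checks on this page all parse the same file, and the fix one-liners (sed '/^flags/ s/$/,ad/') append a flag whether or not it is already present, so a second run leaves "ad,ad" and an empty "flags:" line gains a leading comma. The following POSIX shell script is an added example, not part of the STIG: it evaluates the flags (ad, aa, lo, nt), the ahlt policy, minfree and expire-after settings against a constructed sample file and adds a missing flag only once. The sample file contents, the function names and the 10 / 10G thresholds passed as parameters are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Point the functions at
# /etc/security/audit_control on a real 10.8 host; here they run against a
# constructed sample so the script is self-contained.

# Print the value of a "key:" line with surrounding whitespace removed.
# $1 = audit_control path, $2 = key (flags, minfree, expire-after, policy)
audit_control_get() {
    grep "^$2:" "$1" | sed "s/^$2://" | tr -d ' \t'
}

# Exit 0 if the comma-separated list under key $2 in file $1 contains token $3.
audit_control_has() {
    audit_control_get "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# Print one line per finding; print nothing when the file is compliant.
# $1 = audit_control path, $2 = required minfree percentage, $3 = required expire-after
audit_control_findings() {
    f="$1"; want_minfree="$2"; want_expire="$3"
    for flag in ad aa lo nt; do
        audit_control_has "$f" flags "$flag" || echo "finding: flags missing $flag"
    done
    audit_control_has "$f" policy ahlt || echo "finding: policy missing ahlt"
    [ "$(audit_control_get "$f" minfree)" = "$want_minfree" ] \
        || echo "finding: minfree is not $want_minfree"
    [ "$(audit_control_get "$f" expire-after)" = "$want_expire" ] \
        || echo "finding: expire-after is not $want_expire"
}

# Add flag $2 to the flags: line of file $1 only if it is not already present.
# Unlike the unconditional sed fix, repeated runs never duplicate the flag and
# an empty flags: line does not end up with a leading comma.
audit_control_add_flag() {
    f="$1"; flag="$2"
    audit_control_has "$f" flags "$flag" && return 0
    if [ -z "$(audit_control_get "$f" flags)" ]; then
        sed -i.bak "/^flags:/ s/\$/$flag/" "$f"
    else
        sed -i.bak "/^flags:/ s/\$/,$flag/" "$f"
    fi
}

# Write a constructed sample (not a real 10.8 file) that lacks ad, nt and ahlt
# and has thresholds below the assumed requirement; print its path.
make_sample_audit_control() {
    s="$(mktemp)"
    cat > "$s" <<'EOF'
# constructed sample audit_control
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
    printf '%s\n' "$s"
}

# Stand-alone demonstration against the constructed sample.
demo_file="$(make_sample_audit_control)"
echo "findings before remediation:"
audit_control_findings "$demo_file" 10 10G
audit_control_add_flag "$demo_file" ad
audit_control_add_flag "$demo_file" nt
echo "flags after adding ad and nt: $(audit_control_get "$demo_file" flags)"
rm -f "$demo_file" "$demo_file.bak"
```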
To verify that the system log is writing audit failure or warnings run the following command: sudo grep logger /etc/security/audit_warn If this does not return: logger -p security.warning "audit warning: $@" this is a finding.
Edit the /etc/security/audit_warn file to include the line: logger -p security.warning "audit warning: $@"
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.
Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2", this is a finding.
In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config
To check if the root user has been enabled, run the following command: sudo dscl . -read /Users/root AuthenticationAuthority If the result does not return "No such key: AuthenticationAuthority", this is a finding.
To disable the root user account, run the following command: sudo dsenableroot -d
To check if SSH has root logins enabled, run the following command: sudo grep ^PermitRootLogin /etc/sshd_config | awk '{ print $2 }' If there is no result, or the result is set to "yes", this is a finding.
In order to make sure that PermitRootLogin is disabled by the sshd, run the following command: sudo sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/sshd_config
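The sshd_config checks on this page grep for an active directive, while the fixes substitute every line that merely contains the keyword (comments included) and change nothing when the directive is absent from the file. The following POSIX shell functions are an added example, not part of the STIG: they read the first active directive, list findings for PrintLastLog, Protocol and PermitRootLogin, and rewrite an active directive in place or append it when it is missing or only present as a comment. The constructed sample file and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG text. The file path is a parameter so the
# same functions can be pointed at /etc/sshd_config on a 10.8 host.

# Print the value of the first active (uncommented) occurrence of directive $2
# in file $1; empty output means the directive is not set.
sshd_config_get() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

# Print one line per finding for the three directives this STIG covers;
# print nothing when the file is compliant.
sshd_config_findings() {
    f="$1"
    [ "$(sshd_config_get "$f" PrintLastLog)" = "yes" ] \
        || echo "finding: PrintLastLog is not yes"
    [ "$(sshd_config_get "$f" Protocol)" = "2" ] \
        || echo "finding: Protocol is not 2"
    [ "$(sshd_config_get "$f" PermitRootLogin)" = "no" ] \
        || echo "finding: PermitRootLogin is not no"
}

# Set directive $2 to value $3 in file $1. Active occurrences are rewritten in
# place; a directive that is absent or only commented out is appended, so an
# active line always exists afterwards and repeated runs add nothing.
sshd_config_set() {
    f="$1"; key="$2"; val="$3"
    if grep -q "^[[:space:]]*$key[[:space:]]" "$f"; then
        sed -i.bak "s/^[[:space:]]*$key[[:space:]].*/$key $val/" "$f"
    else
        printf '%s %s\n' "$key" "$val" >> "$f"
    fi
}

# Write a constructed sample (not a real 10.8 file): PermitRootLogin and
# PrintLastLog appear only as commented defaults and Protocol is absent, the
# shape on which the page's sed one-liners would leave PrintLastLog and
# PermitRootLogin unset. Print the sample's path.
make_sample_sshd_config() {
    s="$(mktemp)"
    cat > "$s" <<'EOF'
# constructed sample sshd_config
# Authentication:
#PermitRootLogin yes
#StrictModes yes
#PrintLastLog yes
Subsystem	sftp	/usr/libexec/sftp-server
EOF
    printf '%s\n' "$s"
}

# Stand-alone demonstration against the constructed sample.
demo_file="$(make_sample_sshd_config)"
echo "findings before remediation:"
sshd_config_findings "$demo_file"
sshd_config_set "$demo_file" PrintLastLog yes
sshd_config_set "$demo_file" Protocol 2
sshd_config_set "$demo_file" PermitRootLogin no
echo "findings after remediation: $(sshd_config_findings "$demo_file" | wc -l | tr -d ' ')"
rm -f "$demo_file" "$demo_file.bak"
```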
To check to make sure only applications downloaded from the App Store are allowed to run, type the following code: system_profiler SPConfigurationProfileDataType | grep AllowIdentifiedDevelopers | awk '{ print $3 }' | sed 's/;//' If the returned value is not "0", this is a finding.
This can be enforced using a configuration profile.
To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.
A configuration profile should exist to restrict launching of applications.
To check if automatic backups for the built-in "Time Machine" function of OS X are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is a "0", then automatic backups are disabled. Although OS X does include Time Machine as a backup facility, please check with the organization's System Administrators for defined policies and procedures for workstation backups.
To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
To check if AirDrop has been disabled, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableAirDrop | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.
This is enforced using a configuration profile.
To check if UUCP is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.uucp:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable UUCP, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.uucp" -dict Disabled -bool true
To check if multicast advertisements have been disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | grep NoMulticastAdvertisements If nothing is returned, this is a finding.
To configure Bonjour to disable multicast advertising, run the following command: sudo /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
The setting is found in System Preferences->Security & Privacy->Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableLocationServices | awk '{ print $3 }' | sed 's/;//' If the result is not "1" this is a finding.
The setting is found in System Preferences->Security & Privacy->Location Services. Uncheck the box that says "Enable Location Services". This setting can be enforced using a configuration profile.
To check if Find My Mac messenger is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacmessenger:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable Find My Mac messenger, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacmessenger" -dict Disabled -bool true
To check if Find My Mac is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable Find My Mac, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacd" -dict Disabled -bool true
The setting is found in System Preferences->Security & Privacy->Diagnostics & Usage. If the box that says "Send diagnostic & usage data to Apple" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep AutoSubmit | awk '{ print $3 }' | sed 's/;//' If the result is not "AutoSubmit = 0;" this is a finding.
The setting is found in System Preferences->Security & Privacy->Diagnostics & Usage. Uncheck the box that says "Send diagnostic & usage data to Apple". This setting can be enforced using a configuration profile.
To check if Remote Apple Events is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AEServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable Remote Apple Events, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AEServer" -dict Disabled -bool true
To check for the existence of the iCloud preference panel, run the following command: ls -ald /System/Library/PreferencePanes/iCloudPref.prefPane If anything is returned, this is a finding.
To remove the iCloud preference pane run the following command: sudo rm -Rf /System/Library/PreferencePanes/iCloudPref.prefPane
To check for the existence of Mail, run the following command: ls -ald /Applications/Mail.app If anything is returned, this is a finding.
To remove Mail run the following command: sudo rm -Rf /Applications/Mail.app
To check for the existence of Contacts, run the following command: ls -ald /Applications/Contacts.app If anything is returned, this is a finding.
To remove Contacts run the following command: sudo rm -Rf /Applications/Contacts.app
To check for the existence of the Calendar application run the following command: ls -ald /Applications/Calendar.app If anything is returned, this is a finding.
To remove Calendar, run the following command: sudo rm -Rf /Applications/Calendar.app
To check for the existence of App Store, run the following command: ls -ald /Applications/App\ Store.app If anything is returned, this is a finding.
To remove App Store, run the following command: sudo rm -Rf /Applications/App\ Store.app
To check for the existence of Image Capture, run the following command: ls -ald /Applications/Image\ Capture.app If anything is returned, this is a finding.
To remove Image Capture, run the following command: sudo rm -Rf /Applications/Image\ Capture.app
To check for the existence of Messages, run the following command: ls -ald /Applications/Messages.app If anything is returned, this is a finding.
To remove Messages, run the following command: sudo rm -Rf /Applications/Messages.app
To check for the existence of iTunes run the following command: ls -ald /Applications/iTunes.app If anything is returned, this is a finding.
To remove iTunes, run the following command: sudo rm -Rf /Applications/iTunes.app
To check if a configuration profile is configured to disable Game Center, run the following command: system_profiler SPConfigurationProfileDataType | grep GKFeatureGameCenterAllowed | awk '{ print $3 }' | sed 's/;//' If the result is not "0", this is a finding. This requirement is N/A if requirement OSX8-00-00480 is met.
This is enforced using a configuration profile.
To check for the existence of Game Center, run the following command: ls -ald /Applications/Game\ Center.app If anything is returned, this is a finding.
To remove Game Center, run the following command: sudo rm -Rf /Applications/Game\ Center.app
To check for the existence of FaceTime, run the following command: ls -ald /Applications/FaceTime.app If anything is returned, this is a finding.
To remove FaceTime, run the following command: sudo rm -Rf /Applications/FaceTime.app
To check for the existence of Chess, run the following command: ls -ald /Applications/Chess.app If anything is returned, this is a finding.
To remove Chess, run the following command: sudo rm -Rf /Applications/Chess.app
To check for the existence of Photo Booth, run the following command: ls -ald /Applications/Photo\ Booth.app If anything is returned, this is a finding.
To remove Photo Booth, run the following command: sudo rm -Rf /Applications/Photo\ Booth.app
To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.
A configuration profile should exist to restrict launching of applications.
To check if racoon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.racoon:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable racoon (the IPsec IKE daemon), run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.racoon" -dict Disabled -bool true
To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.statd.notify:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.statd.notify" -dict Disabled -bool true
To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.lockd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.lockd" -dict Disabled -bool true
To check the setting for using a network time server, run the following command: systemsetup -getusingnetworktime | grep On If this is set to "off" this is a finding.
To enable the system to use a network time server, run the following: sudo systemsetup -setusingnetworktime on
To display the server used to synchronize time with, run the following command: systemsetup -getnetworktimeserver If the incorrect organizationally-defined server is listed, this is a finding.
To define the server to use for time synchronization, run the following command: sudo systemsetup -setnetworktimeserver <IP or FQDN> where <IP or FQDN> is the IP address or fully qualified domain name of the time server to use.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.
For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.
To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' The results should read "0:0" in the first column. The first 0 is the UID, the second is the GID, with the first "0" being root and the second "0" being wheel. If not, this is a finding.
For any log file that returns an incorrect ownership value, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.
To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.nfsd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.nfsd" -dict Disabled -bool true
To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file contains this information, this is a finding.
For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.
To check if file sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AppleFileServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AppleFileServer" '{ "Disabled" = 1; }'
Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions to be "440" or less permissive. If not, this is a finding.
For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.
To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s ls -l `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should be owned by root:wheel. If not, this is a finding.
For any log file that returns an incorrect ownership value, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.
To check the ownership of the audit log files, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`| awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit logs directory, with the first "0" being root, and the second "0" being wheel. If there is any other result, this is a finding.
If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit
To check the permissions of the audit log files, run the following command: stat -f "%A:%N" `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.
If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 /var/audit
To check for ACLs of the audit log folder, run the following command: ls -le `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/"}'` | grep -v current The audit log folder listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If the folder contains this information, this is a finding.
If the log folder has an ACL, run the following command: sudo chmod -N [audit log folder] where [audit log folder] is the full path to the log folder in question.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.
For every log file that returns incorrect permissions, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path of the log file that needs to be modified.
To check the status of the Security assessment policy subsystem, run the following command: sudo spctl --status | grep enabled If nothing is returned, this is a finding.
To enable the Security assessment policy subsystem, run the following command: sudo spctl --master-enable
To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' The results should read "0:0" in the first column. The first "0" is UID, the second is GID, with the first "0" being root, and the second "0" being wheel. If not, this is a finding.
For every log file that is not owned by root, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path of the log file that needs to be modified.
To check the ownership of the audit log files, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`| awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit logs directory, with the first "0" being root and the second "0" being wheel. If there is any other result, this is a finding.
If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit
To check if password hints are turned on, run the following command: system_profiler SPConfigurationProfileDataType | grep RetriesUntilHint | awk '{ print $3 }' | sed 's/;//' If the result is not "0" or not defined, this is a finding.
This is enforced using a configuration profile.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.
If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`
To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file contains this information, this is a finding.
For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.
The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.
To set the audit flags to the recommended setting, run the following command: sudo sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.
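As an added example that is not part of the STIG, the following Python script applies the audit_control flags check together with the audit log folder and log file mode and ownership checks above in one pass, using a bit test for "N or less permissive" rather than a numeric comparison. It assumes the audit_control text is supplied by the caller (or read from /etc/security/audit_control); the temporary directory built in demo() is a constructed fixture, and ACLs are left to the ls -le checks.

```python
# Added example (not from the STIG): evaluate audit_control flags plus audit
# log folder/file mode and ownership the way the checks above describe.
import os
import stat
import tempfile

REQUIRED_FLAGS = {"lo", "ad", "fr", "fw", "fc", "fd", "fm", "pc", "nt", "aa"}
DIR_MAX_MODE = 0o700    # audit log folder: "700 or less permissive"
FILE_MAX_MODE = 0o440   # audit log files: "440 or less permissive"


def parse_audit_control(text):
    """Return {'dir': [...], 'flags': set(...)} from audit_control text."""
    conf = {"dir": [], "flags": set()}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or key.startswith("#"):
            continue
        if key == "dir":
            conf["dir"].append(value.strip())
        elif key == "flags":
            conf["flags"] = {f.strip() for f in value.split(",") if f.strip()}
    return conf


def too_permissive(mode, max_mode):
    """'440 or less permissive' is a bit test, not a numeric comparison:
    0600 is numerically below 0700 but grants owner write, and 0044 is
    numerically below 0440 but grants read to 'other'."""
    return (stat.S_IMODE(mode) & ~max_mode) != 0


def _check_path(path, max_mode):
    st = os.lstat(path)
    out = []
    if too_permissive(st.st_mode, max_mode):
        out.append("%s mode %o exceeds %o" % (path, stat.S_IMODE(st.st_mode), max_mode))
    if (st.st_uid, st.st_gid) != (0, 0):
        out.append("%s owner %d:%d is not root:wheel" % (path, st.st_uid, st.st_gid))
    return out


def audit_findings(conf):
    """Return finding strings for missing flags, each dir, and each log file."""
    findings = []
    missing = REQUIRED_FLAGS - conf["flags"]
    if missing:
        findings.append("flags missing: " + ",".join(sorted(missing)))
    for d in conf["dir"]:
        findings.extend(_check_path(d, DIR_MAX_MODE))
        for name in sorted(os.listdir(d)):
            if name == "current":   # symlink to the active log, skipped like grep -v current
                continue
            findings.extend(_check_path(os.path.join(d, name), FILE_MAX_MODE))
    return findings


def demo():
    """Constructed fixture: temp audit dir with one compliant and one bad log."""
    root = tempfile.mkdtemp()          # mkdtemp creates the directory with mode 700
    good = os.path.join(root, "20240101000000.20240101010000")
    bad = os.path.join(root, "20240101010000.not_terminated")
    for path, mode in ((good, 0o440), (bad, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    conf = parse_audit_control("#\ndir:%s\nflags:lo,ad,fr,fw\n" % root)
    return audit_findings(conf)


if __name__ == "__main__":
    for finding in demo():
        print("finding:", finding)
```

Ownership findings for the fixture are expected when the script is not run as root; on a real system replace the fixture with the contents of /etc/security/audit_control.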
To check the currently applied policies for password and accounts, use the following command: sudo system_profiler SPConfigurationProfileDataType | grep minLength The parameter minLength should be "15". If it is less than "15", this is a finding.
To set the policy to force the length of a password, a configuration profile must be created and applied to the workstation.
To check if the OS X firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | grep on If the result is not enabled, this is a finding.
To enable firewall logging, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
To see if the audit daemon is loaded, run the following command: sudo launchctl list | grep -i com.apple.auditd The result returned should be " - 0 com.apple.auditd". If this is not running, this is a finding.
Configuration of startup processes is done via configuration files for each process or daemon. Make sure the file /System/Library/LaunchDaemons/com.apple.auditd.plist exists. If not, you may need to obtain a copy from the original installation media.
To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.
This is enforced using a configuration profile.
To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.
This is enforced using a configuration profile.
To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep RevocationFirst | awk '{ print $3 }' | sed 's/;//' The result should be "OCSP". If nothing is returned or the result is incorrect, this is a finding.
This is enforced using a configuration profile.
The "telnet" service should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
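The overrides.plist checks above (racoon, statd.notify, lockd, nfsd, AppleFileServer, telnetd) each read one key with PlistBuddy; as an added example that is not part of the STIG, this Python script evaluates all of them from one parse of the file and applies the same rule: a missing entry, or a Disabled value that is not true, is a finding. It assumes the file is at the path the STIG gives; the embedded XML plist is a constructed sample (the real file is usually binary, which plistlib also reads).

```python
# Added example (not from the STIG): check launchd overrides.plist for the
# services the STIG requires to be disabled.
import plistlib

# Launchd labels the STIG checks in overrides.plist.
CHECKED_SERVICES = (
    "com.apple.racoon",
    "com.apple.statd.notify",
    "com.apple.lockd",
    "com.apple.nfsd",
    "com.apple.AppleFileServer",
    "com.apple.telnetd",
)


def disabled_findings(overrides, labels=CHECKED_SERVICES):
    """Return the labels that are findings.

    `overrides` is the dictionary parsed from overrides.plist. A label with no
    entry, no Disabled key, or a Disabled value other than true/1 is not
    disabled (the 'defaults write ... "Disabled" = 1' form stores an integer)."""
    findings = []
    for label in labels:
        entry = overrides.get(label)
        disabled = entry.get("Disabled") if isinstance(entry, dict) else None
        if not (disabled is True or disabled == 1):
            findings.append(label)
    return findings


def load_overrides(path="/var/db/launchd.db/com.apple.launchd/overrides.plist"):
    """Parse the on-disk overrides.plist (binary or XML); needs root to read."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


# Constructed sample: racoon disabled, nfsd explicitly enabled, AFP disabled
# via the integer form, and the remaining services absent from the file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.racoon</key><dict><key>Disabled</key><true/></dict>
  <key>com.apple.nfsd</key><dict><key>Disabled</key><false/></dict>
  <key>com.apple.AppleFileServer</key><dict><key>Disabled</key><integer>1</integer></dict>
</dict>
</plist>
"""


def sample_findings():
    return disabled_findings(plistlib.loads(SAMPLE_PLIST))


if __name__ == "__main__":
    for label in sample_findings():
        print("finding: %s is not disabled" % label)
```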
To see if there are any ".netrc" files on the system, run the following command: sudo find / -name .netrc If there is anything found, this is a finding.
To remove any ".netrc" files, run the following command: sudo find / -name .netrc -exec rm {} \;
To check to see if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.
This is enforced using a configuration profile.
Ask the SA or IAO if an approved anti-virus solution is loaded on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no local anti-virus solution installed on the system, this is a finding.
Install an approved anti-virus solution onto the system.
To check if the system has the correct setting for picture CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a picture CD" should be set to "Ignore"; if it is not, this is a finding.
Open System Preferences, CDs & DVDs. Change the setting for "When you insert a picture CD" to "Ignore".
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Removing the kernel extensions for Bluetooth will remove the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions
To check if the software support for IR is installed, run the following command: sudo ls -d /System/Library/Extensions/AppleIRController.kext If the result shows the file is present, this is a finding.
To remove support for IR, run the following command: sudo rm -rf /System/Library/Extensions/AppleIRController.kext
This command checks for the presence of the FireWire protocol kext (driver). This is the primary driver for FireWire communication and, if removed, will disable the ability to communicate with FireWire devices. If this command returns any value other than "No such file or directory", this is a finding. ls -ld /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
To remove the driver for FireWire, run the following command: sudo rm -Rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext This should be enforced by a configuration profile.
This command checks for the presence of the USB mass storage kext (driver). If this command returns any value other than "No such file or directory", this is a finding. ls -ld /System/Library/Extensions/IOUSBMassStorageClass.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
To remove the USB mass storage kext, run the following command: sudo rm -Rf /System/Library/Extensions/IOUSBMassStorageClass.kext This should be enforced using a configuration profile.
This command checks for the presence of the Apple Storage Drivers kext file. If this command returns any value other than "No such file or directory", this is a finding. ls -ld /System/Library/Extensions/AppleStorageDrivers.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
To remove the Apple Storage Drivers, run the following command: sudo rm -Rf /System/Library/Extensions/AppleStorageDrivers.kext This should be enforced by a configuration profile.
This command checks for the presence of the iPod Driver kext (driver). If this command returns any value other than "No such file or directory", this is a finding. ls -ld /System/Library/Extensions/iPodDriver.kext
To remove the iPod Driver kext, run the following command: sudo rm -Rf /System/Library/Extensions/iPodDriver.kext
Ask the SA or IAO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If a non-emergency account can log into the system or gain privileged access without a smart card, this is a finding.
Implement PKI authentication using approved third-party PKI tools, to integrate with an existing directory services infrastructure or local password database, where no directory services infrastructure exists.
Ask the SA or IAO if the system is integrated into a directory services infrastructure, such as Active Directory. If the system is not integrated into a directory service infrastructure, this is a finding. Mitigation: If there is no directory services infrastructure available, reduce severity to CAT III.
Integrate the system into an existing directory services infrastructure, such as Active Directory.
To check the status of the usbmuxd daemon, run the following command: sudo launchctl list | grep usbmuxd If there is any output, this is a finding.
To disable the usbmuxd daemon, run the following command: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist