MAC OSX 10.5 Security Technical Implementation Guide

U_Mac_10.5_V1R2_STIG_Manual-XCCDF.xml

Details

Version / Release: V1R2

Published: 2011-07-29

Updated At: 2018-09-23 04:05:08

Rules

Rule: SV-31233r1_rule | Version: OSX00015 | Severity: MEDIUM
Title: OSX00015-Create administrator accounts with difficult-to-guess names
Description: The administrator account has unlimited privileges to the system. Creating a complex name improves the protection of this account and the system. When creating an administrator account, do not use "administrator", do not use the name of the machine, etc.
Responsibility: System Administrator | IA Controls: IAIA-1, IAIA-2

Rule: SV-31239r1_rule | Version: OSX00020 | Severity: MEDIUM
Title: OSX00020-Maximum password age
Description: The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.
Responsibility: System Administrator | IA Controls: IAIA-1, IAIA-2

Rule: SV-31267r1_rule | Version: OSX00025 | Severity: MEDIUM
Title: OSX00025-Minimum password age
Description: Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.
Responsibility: System Administrator | IA Controls: IAIA-1, IAIA-2

Rule: SV-31272r1_rule | Version: OSX00030 | Severity: MEDIUM
Title: OSX00030-Minimum password length
Description: Information systems not protected with strong password schemes, including passwords of minimum length, provide the opportunity for anyone to crack the password, thus gaining access to the system and causing the device, information, or the local network to be compromised or leading to a denial of service.
Responsibility: System Administrator | IA Controls: IAIA-1, IAIA-2

Rule: SV-31279r1_rule | Version: OSX00035 | Severity: MEDIUM
Title: OSX00035-Create complex passwords for user accounts
Description: Configure the local system to verify that newly-created passwords conform to DoD password complexity policy. Passwords must contain 1 character from each of the following 4 classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Sites are responsible for installing password complexity software that complies with current DoD requirements.
Responsibility: System Administrator | IA Controls: IAIA-1

Rule: SV-31281r1_rule | Version: OSX00040 | Severity: MEDIUM
Title: OSX00040-Check newly-created password content for account or user name
Description: Configure the local system to verify that newly-created passwords do not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
Responsibility: System Administrator | IA Controls: IAIA-1, IAIA-2

Rule: SV-31284r1_rule | Version: OSX00045 | Severity: MEDIUM
Title: OSX00045-Account lockout duration
Description: The amount of time that a user's account is locked after multiple failed login attempts.
Responsibility: System Administrator | IA Controls: ECLO-1, ECLO-2

Rule: SV-31288r1_rule | Version: OSX00050 | Severity: MEDIUM
Title: OSX00050-Account lockout threshold
Description: The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts should be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during a normal user logon.
Responsibility: System Administrator | IA Controls: ECLO-1, ECLO-2

Rule: SV-31297r1_rule | Version: OSX00055 | Severity: MEDIUM
Title: OSX00055-Application software updates
Description: Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to prevent unauthorized persons from exploiting identified vulnerabilities. Unsupported software should be updated or removed. If any of the patches not installed are "Critical", then this should be elevated to a Category 1.
Responsibility: System Administrator | IA Controls: VIVM-1

Rule: SV-31299r1_rule | Version: OSX00060 | Severity: MEDIUM
Title: OSX00060-Disable Wi-Fi Support Software
Description: Many organizations restrict the use of wireless technology in their network environment. However, most Mac computers have wireless capability built in, and simply turning it off may not meet your organization's wireless technology restrictions. You might need to remove components from Mac OS X to prevent them from being turned on in System Preferences. Although wireless technology gives your network more flexibility with your users, it can cause security vulnerabilities you may be unaware of. It is recommended that, wherever possible, wireless access be disabled for security reasons. Important: Repeat these instructions every time a system update is installed.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31301r1_rule | Version: OSX00065 | Severity: MEDIUM
Title: OSX00065-Disable Bluetooth Support Software
Description: Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as denial of service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. Remove Bluetooth support for peripherals such as keyboards, mice, or phones. This task requires you to have administrator privileges. Important: Repeat these instructions every time a system update is installed. Support should be removed at the kext file level.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31303r1_rule | Version: OSX00070 | Severity: MEDIUM
Title: OSX00070-Disable Audio Recording Support Software
Description: Your computer might be in an environment where recording devices such as cameras or microphones are not permitted. You can protect your organization's privacy by disabling these devices. Remove support for the microphone and audio subsystem. This may disable audio playback. Important: Repeat these instructions every time a system update is installed.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31305r1_rule | Version: OSX00075 | Severity: MEDIUM
Title: OSX00075-Disable Video Recording Support Software
Description: Your computer might be in an environment where recording devices such as cameras or microphones are not permitted. You can protect your organization's privacy by disabling these devices. Remove support for an external or built-in iSight camera. Note: Support for external iSight cameras should be removed on all machines. Removing only support for internal iSight cameras would still leave support for external cameras available. You can also have an Apple Authorized Technician remove the built-in video camera hardware from your Apple computer. Important: Repeat these instructions every time a system update is installed.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31311r1_rule | Version: OSX00090 | Severity: MEDIUM
Title: OSX00090-Remove Infrared (IR) Support
Description: To prevent unauthorized users from controlling your computer through the infrared receiver, remove IR hardware support. This task requires you to have administrator privileges. You can also have an Apple Authorized Technician remove IR hardware from your Apple computer. Important: Repeat these instructions every time a system update is installed.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31313r1_rule | Version: OSX00095 | Severity: HIGH
Title: OSX00095-Require an Open Firmware or EFI password
Description: PowerPC-based computers use Open Firmware to control hardware. This is similar to the BIOS on an x86 PC. Open Firmware is the hardware base layer for Mac OS X and is a possible point of intrusion. By protecting it from unauthorized access, you can prevent attackers from gaining access to your computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31315r1_rule | Version: OSX00100 | Severity: MEDIUM
Title: OSX00100-Create an access warning for the login window
Description: Configure the system to display a logon banner that meets the DoD standards for a valid legal notice to users. You can use a login window or Terminal access warning to provide notice of a computer's ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.
IA Controls: ECWM-1

Rule: SV-31317r1_rule | Version: OSX00105 | Severity: MEDIUM
Title: OSX00105-Create an access warning for the command line
Description: Configure the system to display a warning banner that meets the DoD standards with a valid legal notice to users. Terminal access warnings provide notice of a computer's ownership, warn against unauthorized access, or remind authorized users of their consent to monitoring.
Responsibility: System Administrator | IA Controls: ECWM-1

Rule: SV-31319r1_rule | Version: OSX00110 | Severity: HIGH
Title: OSX00110-Restrict sudo usage to access sudo commands in a single terminal, and for only one sudo instance at a time
Description: Do not allow direct root login, because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. These settings limit the use of the sudo command to a single command per authentication and also ensure that, even if a timeout is activated, later sudo commands are limited to the terminal in which authentication occurred. Note: Admin privilege may be needed to perform some commands.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31323r1_rule | Version: OSX00115 | Severity: MEDIUM
Title: OSX00115-Securely configure LDAPv3 access (if it is used)
Description: When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if you cannot secure the network the computer is running on. If you do, someone can create a rogue DHCP server.
Responsibility: System Administrator | IA Controls: ECCT-1, ECCT-2

Rule: SV-31325r1_rule | Version: OSX00120 | Severity: MEDIUM
Title: OSX00120-LDAP Authentication, Use authentication when connecting to LDAPv3.
Description: When configuring LDAPv3 for LDAP authentication, do not add DHCP-supplied LDAP servers to automatic search policies if you cannot secure the network the computer is running on. If you do, someone can create a rogue DHCP server. Use authentication when connecting to LDAPv3 directories and disable clear text passwords for all LDAPv3 directories. Digitally sign all LDAPv3 packets (requires Kerberos). Encrypt all LDAPv3 packets (requires SSL or Kerberos). Block man-in-the-middle attacks (requires Kerberos).
Responsibility: System Administrator | IA Controls: DCNR-1, ECCT-1, ECCT-2

Rule: SV-31327r1_rule | Version: OSX00125 | Severity: HIGH
Title: OSX00125-Securely configure Active Directory Access
Description: The "Allow administration by" setting should not be used in sensitive environments. It can cause unintended privilege escalation issues, because any member of the group specified will have administrator privileges on your computer.
Responsibility: System Administrator | IA Controls: DCNR-1, ECCT-1, ECCT-2

Rule: SV-31331r1_rule | Version: OSX00135 | Severity: MEDIUM
Title: OSX00135-Assign POSIX access permissions based on user categories.
Description: Changing permissions on a user's home directory from 750 to 700 will disable Apple file sharing. The user's home directory POSIX permissions should be set to 700.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31333r1_rule | Version: OSX00140 | Severity: MEDIUM
Title: OSX00140-Enable security auditing
Description: Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and the methods used for successful and failed access attempts.
Responsibility: System Administrator | IA Controls: ECAR-1, ECAR-2, ECAR-3

Rule: SV-31335r3_rule | Version: OSX00145 | Severity: MEDIUM
Title: OSX00145-Configure security auditing
Description: Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions and analyze compromises that have occurred, as well as detect an attack that has begun or is about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Without an audit trail that provides information as to what event occurred and whether it was successful or unsuccessful, it is difficult to analyze a series of events to determine the steps used by an attacker to compromise a system or network, or what exactly happened that led to a denial of service. Collecting data such as the successful and unsuccessful events is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
Responsibility: System Administrator | IA Controls: ECAR-1, ECAR-2, ECAR-3

Rule: SV-31337r1_rule | Version: OSX00150 | Severity: MEDIUM
Title: OSX00150-Enable local logging
Description: The default configuration in the /etc/newsyslog.conf file is set up for local logging in the /var/log folder. The computer is set to rotate log files using the periodic launchd job according to the time intervals specified in the /etc/newsyslog.conf file.
Responsibility: System Administrator | IA Controls: ECAR-1, ECAR-2, ECAR-3

Rule: SV-31339r1_rule | Version: OSX00155 | Severity: MEDIUM
Title: OSX00155-Enable remote logging
Description: In addition to local logging, consider using remote logging. Local logs can be altered if the computer is compromised.
Responsibility: System Administrator | IA Controls: ECAR-1, ECAR-2, ECAR-3

Rule: SV-31341r1_rule | Version: OSX00160 | Severity: HIGH
Title: OSX00160-Install an antivirus tool
Description: Installing antivirus tools helps prevent infection of your computer by viruses and helps prevent your computer from becoming a host used to spread viruses to other computers. These tools quickly identify suspicious content and compare it to known malicious content. See the https://www.cybercom.mil website for approved AV tools.
Responsibility: System Administrator | IA Controls: ECVP-1

Rule: SV-31343r1_rule | Version: OSX00165 | Severity: MEDIUM
Title: OSX00165-Securely configure /etc/sshd_config - Prevent root login
Description: Prevent logging in as root through SSH. This should be set for all SSH methods of authenticating.
Responsibility: System Administrator | IA Controls: COBR-1, ECPA-1

Rule: SV-31345r1_rule | Version: OSX00170 | Severity: LOW
Title: OSX00170-Securely configure /etc/sshd_config - Login Grace Time
Description: Reduces the time allowed to authenticate to 30 seconds.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31347r1_rule | Version: OSX00175 | Severity: MEDIUM
Title: OSX00175-Securely configure /etc/sshd_config - Protocol version
Description: Restrict OpenSSH so it uses only SSH Protocol 2. This should be set for all SSH methods of authenticating.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31349r1_rule | Version: OSX00180 | Severity: HIGH
Title: OSX00180-Securely configure /etc/sshd_config - Empty passwords
Description: Denies access to accounts without passwords. This should be set for all SSH methods of authenticating.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31351r1_rule | Version: OSX00185 | Severity: MEDIUM
Title: OSX00185-Change Global umask
Description: The default umask setting of 022 (in octal) removes group and other write permissions. Group members and other users can read and run these files or folders. Changing the umask setting to 027 enables group members to read files and folders and prevents others from accessing the files and folders.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31353r1_rule | Version: OSX00190 | Severity: MEDIUM
Title: OSX00190-Remove the MobileMe preference pane from System Preferences
Description: MobileMe is a suite of Internet tools that help you synchronize data and other important information when you're away from the computer. In sensitive environments, don't use MobileMe. If you must store critical data, only store it on your local computer. You should only transfer data over a secure network connection to a secure internal server. If you use MobileMe, enable it only for user accounts that don't have access to critical data. It is not recommended that you enable MobileMe for administrator or root user accounts.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31355r1_rule | Version: OSX00195 | Severity: MEDIUM
Title: OSX00195-Software Update Server URL is restricted to authorized DoD server
Description: Your computer can look for software updates on an internal software update server. By using an internal software update server, you reduce the amount of data transferred outside of the network. Your organization can control which updates can be installed on your computer.
Responsibility: System Administrator | IA Controls: VIVM-1

Rule: SV-31357r1_rule | Version: OSX00200 | Severity: MEDIUM
Title: OSX00200-Disable ability for administrative accounts to unlock Screen Saver
Description: The default setting creates a possible point of attack, because the more users you have in the admin group, the more you depend on those users to protect their user names and passwords. By changing the rule in system.login.screensaver to authenticate-session-owner, users of the admin group cannot unlock the screen saver.
Responsibility: System Administrator | IA Controls: ECPA-1, PESL-1

Rule: SV-31359r1_rule | Version: OSX00205 | Severity: MEDIUM
Title: OSX00205-Remove the setuid bit from the System Preferences.app file.
Description: Remove the setuid bit from Install Assistant, because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges. There is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31361r1_rule | Version: OSX00210 | Severity: MEDIUM
Title: OSX00210-Remove setuid bit from ODBC Admin tool.
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31363r1_rule | Version: OSX00215 | Severity: MEDIUM
Title: OSX00215-Remove setuid bit from Apple Remote Desktop
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31365r1_rule | Version: OSX00220 | Severity: MEDIUM
Title: OSX00220-Remove setuid bit from WebDAV Web Services
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31367r1_rule | Version: OSX00225 | Severity: MEDIUM
Title: OSX00225-Remove setuid bit from Apple File Protocol.
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31369r1_rule | Version: OSX00230 | Severity: MEDIUM
Title: OSX00230-Remove setuid bit from Apple File Protocol Sharing
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31371r1_rule | Version: OSX00235 | Severity: MEDIUM
Title: OSX00235-Remove setuid bit from dumpemacs
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31373r1_rule | Version: OSX00240 | Severity: MEDIUM
Title: OSX00240-Remove setuid bit from XGrid
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31375r1_rule | Version: OSX00245 | Severity: MEDIUM
Title: OSX00245-Remove setuid bit from Hosting VPN Services
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31377r1_rule | Version: OSX00250 | Severity: MEDIUM
Title: OSX00250-Remove setuid bit from Network Configuration
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31379r1_rule | Version: OSX00255 | Severity: MEDIUM
Title: OSX00255-Remove setuid bit from IPC Statistics
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31381r1_rule | Version: OSX00260 | Severity: MEDIUM
Title: OSX00260-Remove setuid bit from Remote Access (unsecure)
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31383r1_rule | Version: OSX00265 | Severity: MEDIUM
Title: OSX00265-Remove setuid bit from Remote Access (unsecure rlogin)
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31385r1_rule | Version: OSX00270 | Severity: MEDIUM
Title: OSX00270-Remove setuid bit from Remote Access (rsh unsecure)
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31387r1_rule | Version: OSX00275 | Severity: MEDIUM
Title: OSX00275-Remove setuid bit from System Activity Reporting
Description: Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

Rule: SV-31389r1_rule | Version: OSX00280 | Severity: LOW
Title: OSX00280-Set the correct date and time
Description: Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31391r1_rule | Version: OSX00285 | Severity: LOW
Title: OSX00285-Set a secure time server
Description: Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. You can use Date & Time preferences to set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31393r1_rule | Version: OSX00290 | Severity: MEDIUM
Title: OSX00290-Disable Auto Update feature
Description: You should install and verify updates on a test computer before installing them on your operational computer. When you install a software update using Software Update or an installer package, you must authenticate with an administrator's name and password. This reduces the chance of accidental or malicious installation of software updates.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31395r1_rule | Version: OSX00295 | Severity: MEDIUM
Title: OSX00295-Disable Guest Account login
Description: The guest account is used to give a user temporary access to your computer. The guest account should be disabled by default because it does not require a password to log in on the computer. If this account is enabled and not securely configured, malicious users can gain access to your computer without the use of a password.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31397r1_rule | Version: OSX00300 | Severity: MEDIUM
Title: OSX00300-Do not allow guests to connect to shared folders
Description: Whether or not the guest account itself is enabled, disable guest account access to shared files and folders by deselecting the "Allow guest to connect to shared folders" checkbox. If you permit the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password.
Responsibility: System Administrator | IA Controls: ECAN-1, ECSC-1

Rule: SV-31401r1_rule | Version: OSX00310 | Severity: MEDIUM
Title: OSX00310-Configure Login Window to display as entry for name and password.
Description: If not properly configured, the logon screen provides a list of local usernames available for logon. A user could use this information to attempt to log in as a different user.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31403r1_rule | Version: OSX00315 | Severity: LOW
Title: OSX00315-Do not show the Restart, Sleep, and Shutdown buttons
Description: By disabling these buttons, the user cannot restart the computer without pressing the power key or logging in.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31405r1_rule | Version: OSX00320 | Severity: HIGH
Title: OSX00320-Do not show Input menu in login window
Description: Showing the input menu in the login window could compromise the integrity of the information, and could also allow someone shoulder surfing to gain unauthorized access to the system.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31407r1_rule | Version: OSX00325 | Severity: HIGH
Title: OSX00325-Do not show password hints
Description: Providing information in the password hint field could compromise the integrity of the password. Showing the password hint could allow someone shoulder surfing to gain information that could lead to unauthorized access to the system.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31409r1_rule | Version: OSX00330 | Severity: MEDIUM
Title: OSX00330-Disable Fast User Switching
Description: Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31411r1_rule | Version: OSX00335 | Severity: HIGH
Title: OSX00335-Do not use password-related hint field
Description: If a hint is provided, the user is presented with the hint after three failed authentication attempts. Password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization's technical support is convenient and doesn't compromise password integrity.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31413r1_rule | Version: OSX00340 | Severity: HIGH
Title: OSX00340-Do not allow computer to perform automatic actions for blank CD
Description: To secure CDs and DVDs (blank), do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31415r1_rule | Version: OSX00345 | Severity: HIGH
Title: OSX00345-Do not allow computer to perform automatic actions for music CD
Description: To secure CDs and DVDs (music), do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31417r1_rule | Version: OSX00350 | Severity: HIGH
Title: OSX00350-Do not allow computer to perform automatic actions for picture CD.
Description: To secure CDs and DVDs (pictures), do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31419r1_rule | Version: OSX00355 | Severity: HIGH
Title: OSX00355-Do not allow computer to perform automatic actions for video DVD
Description: To secure CDs and DVDs (video), do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31421r1_rule | Version: OSX00360 | Severity: MEDIUM
Title: OSX00360-System must have a password-protected Screen Saver configured to DoD requirements.
Description: You need to configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers. You should also set a short inactivity interval to decrease the amount of time the unattended computer is unlocked. This check has two steps: the first step is to turn on the screen saver option and set it to 15 minutes or less; the second step is to require a password to unlock the screen saver.
Responsibility: System Administrator | IA Controls: PESL-1

Rule: SV-31425r1_rule | Version: OSX00370 | Severity: MEDIUM
Title: OSX00370-Do not allow computer to restart after a power failure.
Description: You can also use the Options pane to make settings depending on your power supply (power adapter, UPS, or battery). Don't set the computer to restart after a power failure.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31429r1_rule | Version: OSX00375 | Severity: MEDIUM
Title: OSX00375-Do not allow computer to use corners to disable the screen saver.
Description: Your computer should require authentication when waking from sleep or screen saver. You can configure Exposé & Spaces preferences to allow you to quickly start the screen saver if you move your mouse cursor to a corner of the screen. Don't configure a corner to disable the screen saver.
Responsibility: System Administrator | IA Controls: PESL-1

Rule: SV-31431r1_rule | Version: OSX00380 | Severity: MEDIUM
Title: OSX00380-Do not allow Bluetooth devices to wake the computer.
Description: If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to wake the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31434r1_rule | Version: OSX00385 | Severity: MEDIUM
Title: OSX00385-Disable unused hardware devices for Airport
Description: It is recommended that you disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31436r1_rule | Version: OSX00390 | Severity: MEDIUM
Title: OSX00390-Disable unused hardware devices for Bluetooth
Description: It is recommended that you disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31439r1_rule | Version: OSX00395 | Severity: MEDIUM
Title: OSX00395-Disable unused hardware devices for Firewire
Description: It is recommended that you disable unused hardware devices listed in Network preferences. Enabled, unused devices (Firewire) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31441r1_rule | Version: OSX00400 | Severity: MEDIUM
Title: OSX00400-Disable IPv6, if not being used.
Description: It is recommended that you disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer. Note: this must be disabled on each network interface.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31443r1_rule | Version: OSX00405 | Severity: MEDIUM
Title: OSX00405-Disable Auto play of movies.
Description: Allowing movies to play automatically does not allow the user to first perform an anti-virus scan of the files to detect malware or unauthorized code.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31445r1_rule | Version: OSX00410 | Severity: MEDIUM
Title: OSX00410-Disable disk cache of movies
Description: Only download QuickTime movies from trusted, secure sources. By default, QuickTime stores downloaded movies in a cache. If someone gains access to your account, he/she can see your previously viewed movies, even if you did not save them as files. You can change QuickTime preferences to disable the storing of movies in a cache (in /Users/user name/Library/Caches/QuickTime/downloads/).
Responsibility: System Administrator | IA Controls: DCSL-1

Rule: SV-31447r1_rule | Version: OSX00415 | Severity: MEDIUM
Title: OSX00415-Securely configure QuickTime Advanced preferences
Description: Securely configure QuickTime Advanced preferences (Load Flash). If the option is given under the Advanced tab, confirm that the required value is checked (i.e., "Kiosk Mode" or "Kiosk Mode: Hides option to save movies & to change settings from within the web browser").
Responsibility: System Administrator | IA Controls: DCSL-1

Rule: SV-31449r1_rule | Version: OSX00420 | Severity: MEDIUM
Title: OSX00420-Require password to wake this computer from sleep or screen saver.
Description: Require a password to wake this computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. Although there is a lock button for Security preferences, users don't need to be authorized as an administrator to make changes. Enable this password requirement for every user account on the computer.
Responsibility: System Administrator | IA Controls: PESL-1

Rule: SV-31451r1_rule | Version: OSX00425 | Severity: HIGH
Title: OSX00425-Disable automatic login
Description: Disabling automatic login is necessary for any level of security. If you enable automatic login, an intruder can log in without authenticating. Even if you automatically log in with a restricted user account, it is still easier to perform malicious actions on the computer.
Responsibility: System Administrator | IA Controls: IAAC-1

Rule: SV-31453r1_rule | Version: OSX00430 | Severity: MEDIUM
Title: OSX00430-Require a password to unlock each System Preference Pane
Description: Some system preferences are unlocked when you log in with an administrator account. By requiring a password, digital token, smart card, or biometric reader to unlock secure system preferences, you require extra authentication.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31455r1_rule | Version: OSX00435 | Severity: LOW
Title: OSX00435-Disable Logout after X minutes of inactivity
Description: Although you might want to enable automatic logout based on inactivity, there are reasons why you should disable this feature. First, it can disrupt your workflow. Second, it can close applications or processes without your approval (but a password-protected screen saver will not close applications). Third, because automatic logout can be interrupted, it provides a false sense of security.
Responsibility: System Administrator | IA Controls: ECSC-1

Rule: SV-31457r1_rule | Version: OSX00440 | Severity: MEDIUM
Title: OSX00440-Use secure virtual memory
Description: Use secure virtual memory. The system's virtual memory swap file stores inactive physical memory contents, freeing your physical memory. By default on some systems, the swap file is unencrypted. This file can contain confidential data such as documents and passwords. By using secure virtual memory, you secure the swap file at the cost of slightly slower speed (because Mac OS X must encrypt and decrypt the secure swap file).
Responsibility: System Administrator | IA Controls: ECRC-1

Rule: SV-31459r1_rule | Version: OSX00445 | Severity: MEDIUM
Title: OSX00445-Disable remote control infrared receiver.
Description: If you are not using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling your computer through the infrared receiver.
Responsibility: System Administrator | IA Controls: ECSC-1
    SV-31461r1_rule OSX00450 MEDIUM OSX00450-Pair infrared receiver with a specific IR remote (if receiver was not disabled previously) If you use an Apple IR Remote Control, pair it to your computer by clicking Pair. When you pair it, no other IR remote can control your computer. IR receiver paired with a specific IR remote (if IR receiver was not disabled previously) System AdministratorECSC-1
    SV-31463r1_rule OSX00455 MEDIUM OSX00455-Allow only essential services through firewall. Allowing only essential services through the firewall alleviates the potential for unwanted services to run on the system and cuts down on system usage. System AdministratorECND-1
    SV-31465r1_rule OSX00460 MEDIUM OSX00460-Enable Firewall logging Enable Firewall Logging to provide information about firewall activity. System AdministratorECSC-1
    SV-31467r1_rule OSX00465 MEDIUM OSX00465-Enable Stealth Mode on the firewall (mobile platforms only) Enable Stealth Mode to prevent the computer from sending responses to uninvited traffic. System AdministratorECSC-1
    SV-31469r1_rule OSX00470 MEDIUM OSX00470-Do not allow DVD or CD Sharing Allows users of other computers to remotely use the DVD or CD drive on your computer. System AdministratorECCD-1
    SV-31471r1_rule OSX00475 MEDIUM OSX00475-Do not allow Screen Sharing Allows users of other computers to remotely view and control the computer. System AdministratorECCD-1
    SV-31473r1_rule OSX00480 MEDIUM OSX00480-Do not allow File Sharing Gives users of other computers access to each user’s Public folder. System AdministratorECCD-1
    SV-31475r1_rule OSX00485 MEDIUM OSX00485-Do not allow Printer Sharing Allows other computers to access a printer connected to this computer. System AdministratorECCD-1
    SV-31477r1_rule OSX00490 MEDIUM OSX00490-Do not allow Web Sharing Allows a network user to view websites located in /Sites. System AdministratorECCD-1
    SV-31479r1_rule OSX00495 MEDIUM OSX00495-Do not allow Remote Login This feature allows users to access the computer remotely.System AdministratorECCD-1
    SV-31483r1_rule OSX00500 MEDIUM OSX00500-Do not allow Remote Management Allows the computer to be accessed using Apple Remote Desktop. System AdministratorECCD-1
    SV-31486r1_rule OSX00505 MEDIUM OSX00505-Do not allow system to receive Remote Apple Events from other computers. Allows the computer to receive Apple events from other computers. System AdministratorECCD-1
    SV-31488r1_rule OSX00510 MEDIUM OSX00510-Do not allow Xgrid Sharing Allows computers on a network to work together in a grid to process a job. System AdministratorECCD-1
    SV-31490r1_rule OSX00515 MEDIUM OSX00515-Do not allow Internet Sharing Allows other users to connect with computers on your local network, through your Internet connection. System AdministratorECCD-1
    SV-31492r1_rule OSX00520 MEDIUM OSX00520-Do not allow Bluetooth Sharing Allows other Bluetooth-enabled computers and devices to share files with your computer. System AdministratorECCD-1, ECWN-1
    SV-31496r1_rule OSX00525 MEDIUM OSX00525-Configure Mail using SSL When setting up user mail accounts, select "use SSL" in advanced options. This setting is for the Mail app included with OS X. Instructions will be different for other mail applications, but all mail applications should be set up secured using some form of encryption. Note: if you are not using the Mac Mail application this check does not apply. System AdministratorECCT-1, ECCT-2
    SV-31498r1_rule OSX00530 LOW OSX00530-Disable iTunes Store iTunes store allows a user to purchase and download music, videos, and podcasts, which could inadvertently introduce malware on the system. Note: the fix must be performed for each user. System AdministratorECSC-1
    SV-31500r1_rule OSX00535 LOW OSX00535-Set Finder to always empty Trash securely In Mac OS X Leopard, you can configure Finder to always securely erase items placed in the Trash. This prevents data you’ve placed in the Trash from being restored.System AdministratorECRC-1
    SV-31505r1_rule OSX00540 MEDIUM OSX00540-Remove iDisk from Finder sidebar Your iDisk data is stored on Internet servers and is protected by your MobileMe account. However, if your MobileMe account is accessed by an unauthorized user, your data can be compromised. Don’t store sensitive data on iDisk. Keep sensitive data local and encrypted on your computer.System AdministratorECRC-1
    SV-31552r1_rule OSX00565 MEDIUM OSX00565-Set strong password policy options for managed users Setting a strong password for managed users will deter intruders from easily guessing the password and will provide greater protection against masquerading. System AdministratorECPA-1
    SV-31523r1_rule OSX00655 HIGH OSX00655-Disable root administrator account The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended you do not enable it. The root account is primarily used for performing UNIX commands. Generally, actions that involve critical system files require you to perform those actions as root. System AdministratorIAAC-1
    SV-31525r1_rule OSX00660 MEDIUM OSX00660-Physical Security Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line protection of any system. Physical security of the Automated Information System (AIS) must meet DoD requirements. System AdministratorPECF-2
    SV-31527r1_rule OSX00665 MEDIUM OSX00665-Shared User Accounts are not permitted on the system Shared accounts do not provide individual accountability for system access and resource usage. Shared user accounts are not permitted on the system. System AdministratorIAGA-1
    SV-31529r1_rule OSX00670 MEDIUM OSX00670-Operating System Updates Failure to install the most current operating system updates leaves a system vulnerable to exploitation. Current OS updates and patches correct known security and system vulnerabilities. If an OS is at an unsupported level this will be upgraded to a Category I finding since new vulnerabilities may not be patched. Note to administrators: Apple only supports the current major version and one previous major version of Mac OS X.If an OS is at an unsupported level this will be upgraded to a Category I finding since new vulnerabilities may not be patched. System AdministratorVIVM-1
    SV-31531r1_rule OSX00675 LOW OSX00675-System Recovery Backups Recovery of a damaged or compromised system in a timely basis is difficult without a system information backup. A system backup will usually include sensitivie information such as user accounts that could be used in an attack. As a valuable system resource, the system backup should be protected and stored in a physically secure location. System AdministratorCODB-1
    SV-31533r1_rule OSX00685 MEDIUM OSX00685-Emergency Administrator Account This check verifies that a backup administrator account has been created to ensure system availability in the event that no administrators are able or available to access the system.System AdministratorECPA-1
    SV-31535r1_rule OSX00690 MEDIUM OSX00690-Administrator Account Password Changes This check verifies that the passwords for the default and emergency administrator accounts are changed at least annually or when any member of the administrative team leaves the organization.System AdministratorECPA-1
    SV-31537r1_rule OSX00695 MEDIUM OSX00695-Application Account Passwords Setting application accounts to expire may cause applications to stop functioning. The site will have a policy that application account passwords manually generated and entered by a system administrator are changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding. System AdministratorECPA-1
    SV-31539r1_rule OSX00700 MEDIUM OSX00700-Enable Automatic Screen Saver initiation when token removed from machine Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. Note: if you are not using a smart card application this check does not apply. System AdministratorECSC-1
    SV-31541r1_rule OSX00680 MEDIUM OSX00680-Incorrect Permission for Event Logs Event logs are susceptible to unauthorized, and possibly anonymous, tampering if proper permissions are not applied. System AdministratorECTP-1
    SV-31599r1_rule OSX00705 MEDIUM OSX00705-Securely configure Spotlight Panel You can use Spotlight to search your computer for files. Spotlight searches the name, the meta-information associated with each file, and the contents of each file. Spotlight finds files regardless of their placement in the file system. You must still properly set access permissions on folders containing confidential files.System AdministratorECCD-1
    SV-31775r1_rule OSX00121 HIGH OSX00121-Disable clear text passwords for all LDAPv3 directories Disable the use of clear text passwords when accessing LDAPv3 directories.System AdministratorECCT-1, ECCT-2
    SV-31778r1_rule OSX00122 MEDIUM OSX00122-Digitally sign all LDAPv3 packets To protect the data between the client and LDAPv3 directory the traffic should be digitally sign.System AdministratorECCT-1, ECCT-2
    SV-31781r1_rule OSX00123 MEDIUM OSX00123-Encrypt all LDAPv3 packets To ensure data confidentially all traffic between the client and the LDAPv3 should be encrypted.System AdministratorECCT-1, ECCT-2
    SV-31783r1_rule OSX00124 MEDIUM OSX00124-LDAPv3 Block man-in-the-middle attacks To prevent LDAPv3 man-in-the-middle attacks the system must be properly configured.System AdministratorECCT-1, ECCT-2
    SV-31838r1_rule OSX00341 HIGH OSX00341-Do not allow computer to perform automatic actions for blank DVD To secure CDs and DVDs (blank), do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.System AdministratorECCD-1
    SV-32237r1_rule OSX00012 MEDIUM OSX00012-Verify file permissions This command will check a very large number of files on the system against what the package manager's database indicates they should be. This command will catch improperly loosened permissions.System AdministratorDCSW-1
    SV-32239r1_rule OSX00467 MEDIUM OSX00467-Disable Bonjour Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.System AdministratorECSC-1
    SV-31262r1_rule OSX00010 MEDIUM OSX00010-Do not install unnecessary packages, check for installed packages and remove packages that are not needed. Removing unused packages frees disk space and reduces the risk of attackers finding vulnerabilities in unused components.System AdministratorECSC-1