MAC OSX 10.6 Workstation Security Technical Implementation Guide

U_MACOSX_10-6_V1R3_manual-xccdf.xml

Version/Release: V1R3
Published: 2013-04-09
Vuln Rule Version CCI Severity Title Description
SV-37848r1_rule GEN000880 M6 CCI-000366 MEDIUM The root account must be the only account having a UID of “0”. If an account has a UID of “0”, it has root authority. Multiple accounts with a UID of “0” afford more opportunity for potential intruders to guess a password for a privileged account.System AdministratorECLP-1, IAIA-1, IAIA-2
SV-37853r1_rule GEN001140 M6 CCI-000225 MEDIUM System files and directories must not have uneven access permissions. Discretionary access control is undermined if users, other than a file owner, have greater access permissions to system files and directories than the owner.System AdministratorECCD-1, ECCD-2
SV-38181r1_rule GEN001160 M6 CCI-000366 MEDIUM All files and directories must have a valid owner. Non-ownership files and directories may be unintentionally inherited if a user is assigned the same UID as the UID of the non-ownership files.System AdministratorECCD-1, ECCD-2
SV-37882r1_rule GEN001180 M6 CCI-000225 MEDIUM All network services daemon files must have mode 0755 or less permissive. Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.System AdministratorECLP-1
SV-37890r1_rule GEN001260 M6 CCI-001314 MEDIUM System log files must have mode 644 or less permissive. If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.System AdministratorECTP-1
SV-37910r1_rule GEN001280 M6 CCI-000225 LOW Manual page files must have mode 0644 or less permissive. If manual pages are compromised, misleading information could be inserted causing actions to possibly compromise the system.System AdministratorECCD-1, ECCD-2
SV-37911r1_rule GEN001300 M6 CCI-001499 MEDIUM Library files must have mode 0755 or less permissive. Unauthorized access could destroy the integrity of the library files.System AdministratorDCSL-1
SV-37987r2_rule GEN001200 M6 CCI-001499 MEDIUM All system command files must have mode 0755 or less permissive. Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.Elevate to Severity Code I if any file listed is world-writable.System AdministratorECLP-1
SV-37988r1_rule GEN001220 M6 CCI-001499 MEDIUM All system files, programs, and directories must be owned by a system account. Restricting permissions will protect the files from unauthorized modification.System AdministratorECLP-1
SV-37989r1_rule GEN001240 M6 CCI-001499 MEDIUM System files, programs, and directories must be group-owned by a system group. Restricting permissions will protect the files from unauthorized modification.System AdministratorECLP-1
SV-37990r1_rule GEN001380 M6 CCI-000225 MEDIUM The /etc/passwd file must have mode 0644 or less permissive. If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.System AdministratorECLP-1
SV-37991r1_rule GEN002500 M6 CCI-000366 LOW The sticky bit must be set on all public directories. Failing to set the sticky bit on the public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access. System AdministratorECCD-1, ECCD-2
SV-37993r1_rule GEN002520 M6 CCI-000225 MEDIUM All public directories must be owned by root or an application account. If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access. System AdministratorECLP-1
SV-38619r1_rule GEN002680 M6 CCI-000162 MEDIUM System audit logs must be owned by root. Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.System AdministratorECTP-1
SV-38622r1_rule GEN002700 M6 CCI-000163 MEDIUM System audit logs must have mode 640 or less permissive. If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do not include activity, error, or other log files created by application software.System AdministratorECTP-1
SV-37996r1_rule GEN003760 M6 CCI-000225 MEDIUM The services file must be owned by root or bin. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-37997r1_rule GEN003780 M6 CCI-000225 MEDIUM The services file must have mode 0644 or less permissive. The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.System AdministratorECLP-1
SV-38010r1_rule GEN001860 M6 CCI-000225 MEDIUM All local initialization files must be owned by the user or root. Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.System AdministratorECLP-1
SV-38013r1_rule GEN001580 M6 CCI-000225 MEDIUM All run control scripts must have mode 0755 or less permissive. If the startup files are writable by other users, they could modify to insert malicious commands into the startup files.System AdministratorECLP-1
SV-38002r1_rule GEN002000 M6 CCI-000196 MEDIUM There must be no .netrc files on the system. Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts.System AdministratorECCD-1, ECCD-2, IAIA-1, IAIA-2
SV-38182r1_rule GEN001540 M6 CCI-000225 LOW All files and directories contained in interactive user home directories must be owned by the home directory's owner. If users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.trueInformation Assurance OfficerSystem AdministratorECCD-1, ECCD-2
SV-38014r1_rule GEN002200 M6 CCI-000225 MEDIUM All shell files must be owned by root. If shell files are owned by users other than root or bin, they could be modified by intruders or malicious users to perform unauthorized actions.System AdministratorECLP-1
SV-38015r1_rule GEN002220 M6 CCI-000225 HIGH All shell files must have mode 0755 or less permissive. Shells with world/group write permissions give the ability to maliciously modify the shell to obtain unauthorized access.System AdministratorECLP-1
SV-38017r1_rule GEN002280 M6 CCI-000225 MEDIUM Device files and directories must only be writable by users with a system account or as configured by the vendor. System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.System AdministratorECCD-1, ECCD-2, ECLP-1
SV-38158r2_rule GEN005900 M6 CCI-000225 MEDIUM The nosuid option must be enabled on all NFS client mounts. Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.Information Assurance ManagerInformation Assurance OfficerSystem AdministratorECPA-1
SV-38183r1_rule GEN006100 M6 CCI-000225 MEDIUM The /etc/smb.conf file must be owned by root. The /etc/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
SV-38184r1_rule GEN006140 M6 CCI-000225 MEDIUM The /etc/smb.conf file must have mode 0644 or less permissive. If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
SV-38632r1_rule GEN000800 M6 CCI-000200 MEDIUM The system must prohibit the reuse of passwords to 15 iterations. If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at the user's password until it was guessed correctly.System AdministratorIAIA-1, IAIA-2
SV-37845r1_rule GEN001660 M6 CCI-000225 MEDIUM All system start-up files must be owned by root. System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.System AdministratorECLP-1
SV-38018r1_rule GEN001680 M6 CCI-000225 MEDIUM All system start-up files must be group-owned by root, sys, bin, other, or system. If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.System AdministratorECLP-1
SV-38019r1_rule GEN003400 M6 CCI-000225 MEDIUM The "at" directory must have mode 0755 or less permissive. If the "at" directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the "at" directory. Unauthorized modifications could result in Denial of Service to authorized "at" jobs.System AdministratorECLP-1
SV-38021r1_rule GEN003420 M6 CCI-000225 MEDIUM The "at" directory must be owned by root, bin, or sys. If the owner of the "at" directory is not root, bin, or sys, unauthorized users could be allowed to view or edit files containing sensitive information within the directory.System AdministratorECLP-1
SV-38022r1_rule GEN003440 M6 CCI-000225 MEDIUM "At" jobs must not set the umask to a value less restrictive than 077. The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be “0”.trueSystem AdministratorInformation Assurance OfficerECCD-1, ECCD-2
SV-38024r1_rule GEN003480 M6 CCI-000225 MEDIUM The at.deny file must be owned by root, bin, or sys. If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
SV-38026r1_rule GEN003960 M6 CCI-000225 MEDIUM The traceroute command owner must be root. If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
SV-38027r1_rule GEN003980 M6 CCI-000225 MEDIUM The traceroute command must be group-owned by wheel. If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
SV-38028r1_rule GEN004000 M6 CCI-000225 MEDIUM The traceroute file must have mode 0700 or less permissive. If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted executable permissions to the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
SV-38005r1_rule GEN004580 M6 CCI-000366 MEDIUM The system must not use .forward files. The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.System AdministratorECSC-1
SV-38030r1_rule GEN005400 M6 CCI-000225 MEDIUM The /etc/syslog.conf file must be owned by root. If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
SV-38051r1_rule GEN005420 M6 CCI-000225 MEDIUM The /etc/syslog.conf file must be group-owned by wheel. If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
SV-38052r1_rule GEN003820 M6 CCI-000068 HIGH The rsh daemon must not be running. The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.Information Assurance OfficerSystem AdministratorEBRU-1
SV-38054r1_rule GEN003840 M6 CCI-001435 HIGH The rexec daemon must not be running. The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.trueInformation Assurance OfficerSystem AdministratorEBRP-1, ECSC-1
SV-38055r1_rule GEN005280 M6 CCI-001436 MEDIUM The system must not have the UUCP service active. The UUCP utility is designed to assist in transferring files, executing remote commands, and sending email between UNIX systems over phone lines and direct connections between systems. The UUCP utility is a primitive and arcane system with many security issues. There are alternate data transfer utilities/products that can be configured to more securely transfer data by providing for authentication, as well as encryption.System AdministratorECSC-1
SV-38057r2_rule GEN003860 M6 CCI-001551 LOW The system must not have the finger service active. The finger service provides information about the system's users to network clients. This information could expose information to be used in subsequent attacks.System AdministratorDCPP-1, EBRU-1
SV-38058r1_rule GEN001720 M6 CCI-000225 MEDIUM All global initialization files must have mode 0644 or less permissive. Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.System AdministratorECLP-1
SV-38060r1_rule GEN001740 M6 CCI-000225 MEDIUM All global initialization files must be owned by root. Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38061r1_rule GEN001760 M6 CCI-000225 MEDIUM All global initialization files must be group-owned by wheel. Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to the group wheel provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
SV-38186r1_rule GEN005600 M6 CCI-000366 MEDIUM IP forwarding for IPv4 must not be enabled, unless the system is a router. If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.System AdministratorECSC-1
SV-38067r1_rule GEN006000 M6 CCI-000366 MEDIUM The system must not have a public Instant Messaging (IM) client installed. Public IM systems are not approved for use and may result in the unauthorized distribution of information. IM clients provide a way for a user to send a message to one or more users in real time. Additional capabilities may include file transfer and support for distributed game playing. Communication between clients and associated directory services are managed through messaging servers. Commercial IM clients include AOL Instant Messenger (AIM), MSN Messenger, and Yahoo! Messenger. IM clients present a security issue when the clients route messages through public servers. The obvious implication is for potentially sensitive information to be intercepted or altered in the course of transmission. This same issue is associated with the use of public email servers. In order to reduce the potential for disclosure of sensitive Government information and to ensure the validity of official Government information, IM clients connecting to public IM services will not be installed. Clients used to access internal or DoD-controlled IM services are permitted. System AdministratorECIM-1
SV-38068r1_rule GEN006040 M6 CCI-001436 MEDIUM The system must not have any peer-to-peer file-sharing application installed. Peer-to-peer file-sharing software can result in the unintentional exfiltration of information. There are also many legal issues associated with these types of utilities including copyright infringement or other intellectual property issues. The ASD Memo "Use of Peer-to-Peer (P2P) File-Sharing Applications across the DoD" states the following: “P2P file-sharing applications are authorized for use on DOD networks with approval by the appropriate Designated Approval Authority (DAA). Documented requirements, security architecture, configuration management process, and a training program for users are all requirements within the approval process. The unauthorized use of application or services, including P2P applications, is prohibited, and such applications or services must be eliminated.” Peer-to-peer applications include, but are not limited to: -Napster, -Kazaa, -ARES, -Limewire, -IRC Chat Relay, and -BitTorrent.System AdministratorDesignated Approving AuthorityDCPD-1, ECSC-1
SV-38187r1_rule GEN001170 M6 CCI-000366 MEDIUM All files and directories must have a valid group owner. Files without a valid group owner may be unintentionally inherited if a group is assigned the same GID as the GID of the files without a valid group owner.System AdministratorECSC-1
SV-38070r1_rule GEN001190 M6 CCI-000225 MEDIUM All network services daemon files must not have extended ACLs. Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.System AdministratorECLP-1
SV-38072r1_rule GEN001210 M6 CCI-001499 MEDIUM System command files must not have extended ACLs. Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths. System AdministratorECLP-1
SV-38073r1_rule GEN001270 M6 CCI-001314 MEDIUM System log files must not have extended ACLs, except as needed to support authorized software. If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value. Authorized software may be given log file access through the use of extended ACLs when needed and configured to provide the least privileges required.trueSystem AdministratorECLP-1, ECTP-1
SV-38074r1_rule GEN001290 M6 CCI-000225 LOW All manual page files must not have extended ACLs. If manual pages are compromised, misleading information could be inserted causing actions to possibly compromise the system.System AdministratorECLP-1
SV-38075r1_rule GEN001310 M6 CCI-001499 MEDIUM All library files must not have extended ACLs. Unauthorized access could destroy the integrity of the library files.System AdministratorECLP-1
SV-38077r1_rule GEN001362 M6 CCI-000225 MEDIUM The /etc/resolv.conf file must be owned by root. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging. System AdministratorECLP-1
SV-38078r1_rule GEN001363 M6 CCI-000225 MEDIUM The /etc/resolv.conf file must be group-owned by wheel. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38079r1_rule GEN001364 M6 CCI-000225 MEDIUM The /etc/resolv.conf file must have mode 0644 or less permissive. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38081r1_rule GEN001365 M6 CCI-000225 MEDIUM The /etc/resolv.conf file must not have an extended ACL. The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38082r1_rule GEN001366 M6 CCI-000225 MEDIUM The /etc/hosts file must be owned by root. The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38083r1_rule GEN001367 M6 CCI-000225 MEDIUM The /etc/hosts file must be group-owned by wheel. The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38085r1_rule GEN001368 M6 CCI-000225 MEDIUM The /etc/hosts file must have mode 0644 or less permissive. The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38086r1_rule GEN001369 M6 CCI-000225 MEDIUM The /etc/hosts file must not have an extended ACL. The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
SV-38766r1_rule GEN001375 M6 CCI-001182 LOW For systems using DNS resolution, at least two name servers must be configured. To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECSC-1
SV-38087r1_rule GEN001378 M6 CCI-000225 MEDIUM The /etc/passwd file must be owned by root. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
SV-38088r1_rule GEN001379 M6 CCI-000225 MEDIUM The /etc/passwd file must be group-owned by wheel. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
SV-38089r1_rule GEN001390 M6 CCI-000225 MEDIUM The /etc/passwd file must not have an extended ACL. File system ACLs can provide access to files beyond what is allowed by the mode numbers of the files. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
SV-38090r1_rule GEN001391 M6 CCI-000225 MEDIUM The /etc/group file must be owned by root. The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38091r1_rule GEN001392 M6 CCI-000225 MEDIUM The /etc/group file must be group-owned by wheel. The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38092r1_rule GEN001393 M6 CCI-000225 MEDIUM The /etc/group file must have mode 0644 or less permissive. The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38093r1_rule GEN001394 M6 CCI-000225 MEDIUM The /etc/group file must not have an extended ACL. The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
SV-38094r1_rule GEN001490 M6 CCI-000225 LOW User home directories must not have extended ACLs. Excessive permissions on home directories allow unauthorized access to user files.System AdministratorECLP-1
SV-38215r1_rule GEN001550 M6 CCI-000225 MEDIUM All files and directories contained in user home directories must be group-owned by a group where the home directory's owner is a member. If a user's files are group-owned by a group where the user is not a member, unintended users may be able to access them.System AdministratorECLP-1
SV-38095r1_rule GEN001570 M6 CCI-000225 MEDIUM All files and directories contained in user home directories must not have extended ACLs. Excessive permissions allow unauthorized access to user files.System AdministratorECLP-1
SV-38096r1_rule GEN001590 M6 CCI-000225 MEDIUM Launch control scripts must not have extended ACLs. If the launch control scripts are writable by other users, they could modify to insert malicious commands into the startup files.System AdministratorECLP-1
SV-38098r1_rule GEN002230 M6 CCI-000225 MEDIUM All shell files must not have extended ACLs. Shells with world/group-write permissions give the ability to maliciously modify the shell to obtain unauthorized access.System AdministratorECLP-1
SV-38102r1_rule GEN002710 M6 CCI-000163 MEDIUM All system audit files must not have extended ACLs. If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.System AdministratorECTP-1
SV-38103r1_rule GEN002718 M6 CCI-001493 LOW System audit tool executables must not have extended ACLs. To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.System AdministratorECLP-1
SV-38105r1_rule GEN002990 M6 CCI-000225 MEDIUM The cron.allow file must not have an extended ACL. A cron.allow file that is readable and/or writable by anyone other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38107r1_rule GEN003050 M6 CCI-000225 MEDIUM Crontab files must be group-owned by wheel, cron, or the crontab creator's primary group. To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38110r1_rule GEN003090 M6 CCI-000225 MEDIUM Crontab files must not have extended ACLs. To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on crontab files may provide unauthorized access to the files. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38112r1_rule GEN003110 M6 CCI-000225 MEDIUM Cron and crontab directories must not have extended ACLs. To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on cron and crontab directories may provide unauthorized access to these directories. Unauthorized modifications to these directories or their contents may result in the addition of unauthorized cron jobs or deny service to authorized cron jobs. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38115r1_rule GEN003210 M6 CCI-000225 MEDIUM The cron.deny file must not have an extended ACL. If there are excessive file permissions for the cron.deny file, sensitive information could be viewed or edited by unauthorized users. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38117r1_rule GEN003250 M6 CCI-000225 MEDIUM The cron.allow file must be group-owned by wheel. If the group of the cron.allow file is not set to wheel, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38119r1_rule GEN003270 M6 CCI-000225 MEDIUM The cron.deny file must be group-owned by wheel. The cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38198r1_rule GEN003510 M6 CCI-000366 MEDIUM Kernel core dumps must be disabled unless needed. Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38200r1_rule GEN003602 M6 CCI-001551 LOW The system must not process Internet Control Message Protocol (ICMP) timestamp requests. The processing of ICMP timestamp requests increases the attack surface of the system. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38201r1_rule GEN003603 M6 CCI-001551 MEDIUM The system must not respond to Internet Control Message Protocol (ICMPv4) echoes sent to a broadcast address. Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38202r1_rule GEN003606 M6 CCI-001551 MEDIUM The system must prevent local applications from generating source-routed packets. Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38203r1_rule GEN003607 M6 CCI-001551 MEDIUM The system must not accept source-routed IPv4 packets. Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38204r1_rule GEN003609 M6 CCI-001503 MEDIUM The system must ignore IPv4 ICMP redirect messages. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38205r1_rule GEN003610 M6 CCI-001551 MEDIUM The system must not send IPv4 ICMP redirects. ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38122r1_rule GEN003770 M6 CCI-000225 MEDIUM The services file must be group-owned by wheel. Failure to give ownership of system configuration files to a system group provides the designated owner and unauthorized users with the potential to change the system configuration, which could weaken the system's security posture. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38124r1_rule GEN003790 M6 CCI-000225 MEDIUM The services file must not have an extended ACL. The services file is critical to the proper operation of network services and must be protected from unauthorized modification. If the services file has an extended ACL, it may be possible for unauthorized users to modify the file. Unauthorized modification could result in the failure of network services. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38127r1_rule GEN004010 M6 CCI-000225 MEDIUM The traceroute file must not have an extended ACL. If an extended ACL exists on the traceroute executable file, it may provide unauthorized users with access to the file. Malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted execute permission on the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information, potentially leading to system and network compromise. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38128r1_rule GEN004370 M6 CCI-000225 MEDIUM The aliases file must be group-owned by wheel. If the aliases file is not group-owned by a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect email. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38131r1_rule GEN004390 M6 CCI-000225 MEDIUM The aliases file must not have an extended ACL. Excessive permissions on the aliases file may permit unauthorized modification. If the aliases file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38133r1_rule GEN005395 M6 CCI-000225 MEDIUM The /etc/syslog.conf file must not have an extended ACL. Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file. Responsibility: System Administrator; IA Controls: ECLP-1
SV-39360r1_rule GEN005505 M6 CCI-000068 MEDIUM The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. Responsibility: System Administrator; IA Controls: DCNR-1
SV-39364r1_rule GEN005506 M6 CCI-000366 MEDIUM The SSH daemon must be configured to not use CBC ciphers. The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plaintext attacks and must not be used. Responsibility: System Administrator; IA Controls: ECSC-1
SV-39369r2_rule GEN005507 M6 CCI-001453 MEDIUM The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. Responsibility: System Administrator; IA Controls: DCNR-1
SV-39371r1_rule GEN005510 M6 CCI-000068 MEDIUM The SSH client must be configured to only use FIPS 140-2 approved ciphers. DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. Responsibility: System Administrator; IA Controls: DCNR-1
SV-39374r1_rule GEN005511 M6 CCI-000366 MEDIUM The SSH client must be configured to not use CBC-based ciphers. The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plaintext attacks and must not be used. Responsibility: System Administrator; IA Controls: ECSC-1
SV-39376r1_rule GEN005512 M6 CCI-001453 MEDIUM The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. Responsibility: System Administrator; IA Controls: DCNR-1
SV-38135r1_rule GEN006150 M6 CCI-000225 MEDIUM The /etc/smb.conf file must not have an extended ACL. Excessive permissions could endanger the security of the Samba configuration file and, ultimately, the system and network. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38138r1_rule GEN006565 M6 CCI-000366 MEDIUM The system package management tool must be used to verify system software periodically. Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package management tools. Responsibility: System Administrator; IA Controls: ECAT-1
SV-38139r1_rule GEN006570 M6 CCI-001297 LOW The file integrity tool must be configured to verify ACLs. ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. Responsibility: System Administrator; IA Controls: ECAT-1
SV-38141r1_rule GEN006571 M6 CCI-001297 LOW The file integrity tool must be configured to verify extended attributes. Extended attributes in file systems are used to contain arbitrary data and file metadata, potentially having security implications. Responsibility: System Administrator; IA Controls: ECAT-1
SV-38142r1_rule GEN008060 M6 CCI-000225 MEDIUM If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must have mode 0644 or less permissive. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38155r1_rule GEN008080 M6 CCI-000225 MEDIUM If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be owned by root. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38156r1_rule GEN008100 M6 CCI-000225 MEDIUM If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be group-owned by wheel. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. Responsibility: System Administrator; IA Controls: ECLP-1
SV-38157r1_rule GEN008120 M6 CCI-000225 MEDIUM If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must not have an extended ACL. LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. Responsibility: System Administrator; IA Controls: ECLP-1
SV-39384r1_rule GEN008540 M6 CCI-001109 MEDIUM The system's local firewall must implement a deny-all, allow-by-exception policy. A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38144r1_rule GEN002690 M6 CCI-000162 MEDIUM System audit logs must be group-owned by wheel. Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system. Responsibility: System Administrator; IA Controls: ECLP-1, ECTP-1
SV-38213r1_rule GEN003850 M6 CCI-000197 HIGH The telnet daemon must not be running. The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user's password could be compromised. Responsibility: System Administrator; IA Controls: DCPP-1
SV-37149r1_rule OSX00010 M6 MEDIUM Unnecessary packages must not be installed. Removing unused packages frees disk space and reduces the risk of attackers finding vulnerabilities in unused components. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37153r1_rule OSX00015 M6 MEDIUM Administrator accounts must be created with difficult-to-guess names. The administrator account has unlimited privileges to the system. Creating a complex name improves the protection of this account and the system. Do not use "administrator"; do not use the name of the machine, etc. Responsibility: System Administrator; IA Controls: IAIA-1, IAIA-2
SV-37158r1_rule OSX00020 M6 MEDIUM A maximum password age must be set. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system. Responsibility: System Administrator; IA Controls: IAIA-1, IAIA-2
SV-37172r1_rule OSX00030 M6 MEDIUM A minimum password length must be set. Information systems not protected with strong password schemes, including passwords of minimum length, provide the opportunity for anyone to crack the password and gain access to the system, and cause the device, information, or the local network to be compromised or suffer a Denial of Service. Responsibility: System Administrator; IA Controls: IAIA-1, IAIA-2
SV-37177r1_rule OSX00040 M6 MEDIUM Newly created password content must be checked. Configure the local system to verify that newly created passwords do not contain the user's account name or parts of the user's full name exceeding two consecutive characters. Responsibility: System Administrator; IA Controls: IAIA-1, IAIA-2
SV-37184r1_rule OSX00045 M6 MEDIUM Account lockout duration must be properly configured. This parameter specifies the amount of time that must pass between two successive login attempts to ensure a lockout will occur. The smaller this value is, the less effective the account lockout feature will be in protecting the local system. Responsibility: System Administrator; IA Controls: ECLO-1, ECLO-2
SV-37186r1_rule OSX00050 M6 MEDIUM Account lockout threshold must be properly configured. The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of incorrect logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon. Responsibility: System Administrator; IA Controls: ECLO-1, ECLO-2
SV-37190r1_rule OSX00055 M6 MEDIUM All application software must be current. Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential these updates be applied in a timely manner to prevent unauthorized persons from exploiting identified vulnerabilities. If the application software is no longer supported, it should be updated or removed. If any of the patches not installed are ‘Critical’, then this should be elevated to a Category 1. Responsibility: System Administrator; IA Controls: VIVM-1
SV-37193r1_rule OSX00060 M6 MEDIUM Wi-Fi support software must be disabled. Many organizations restrict the use of wireless technology in their network environment. However, most Mac computers have wireless capability built in, and simply turning it off may not meet the organization’s wireless technology restrictions. Components may need to be removed from Mac OS X to prevent them from being turned on in System Preferences. Although wireless technology gives a network more flexibility with its users, it can also cause security vulnerabilities of which most users may be unaware. It is recommended that, wherever possible, wireless access be disabled for security reasons. IMPORTANT: Repeat these instructions every time a system update is installed. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37198r1_rule OSX00065 M6 MEDIUM Bluetooth support software must be disabled. Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as Denial of Service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. Remove Bluetooth support for peripherals such as keyboards, mice, or phones. This task requires administrator privileges. IMPORTANT: Repeat these instructions every time a system update is installed. Support should be removed at the kext level. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38509r1_rule OSX00070 M6 MEDIUM Audio recording support software must be disabled. A computer might be in an environment where recording devices, such as cameras or microphones, are not permitted. Protect the organization’s privacy by disabling these devices. Remove support for the audio subsystem. This may disable audio playback. IMPORTANT: Repeat these instructions every time a system update is installed. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37201r1_rule OSX00075 M6 MEDIUM Video recording support software must be disabled. A computer might be in an environment where recording devices, such as cameras or microphones, are not permitted. Protect the organization’s privacy by disabling these devices. Remove support for an external or built-in iSight camera. NOTE: The support for external iSight cameras should be removed on all machines. Removing only support for internal iSight cameras would still leave support for external cameras available. An Apple Authorized Technician can also remove the built-in video camera hardware from an Apple computer. IMPORTANT: Repeat these instructions every time a system update is installed. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37206r1_rule OSX00090 M6 MEDIUM Infrared (IR) support must be removed. To prevent unauthorized users from controlling a computer through the infrared receiver, remove IR hardware support. This task requires administrator privileges. An Apple Authorized Technician can also remove IR hardware from an Apple computer. IMPORTANT: Repeat these instructions every time a system update is installed. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38510r1_rule OSX00095 M6 HIGH An Extensible Firmware Interface (EFI) password must be used. When a computer starts up, it first starts the Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38556r1_rule OSX00100 M6 MEDIUM Access warning for the login window must be present. Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. A login window or Terminal access warning can be used to provide notice of a computer’s ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring. Responsibility: System Administrator; IA Controls: ECWM-1
SV-38513r1_rule OSX00105 M6 MEDIUM Access warning for the command line must be present. Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. When a user opens a terminal locally or connects to the computer remotely, the user sees the access warning. Responsibility: System Administrator; IA Controls: ECWM-1
SV-38614r1_rule OSX00110 M6 HIGH sudo usage must be restricted to a single terminal, and for only one sudo instance at a time. Do not allow direct root login, because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. These settings limit the use of the sudo command to a single command per authentication and also ensure, even if a timeout is activated, that later sudo commands are limited to the terminal in which authentication occurred. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38514r1_rule OSX00115 M6 MEDIUM LDAPv3 access must be securely configured (if it is used). When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if the network the computer is running on is not secure. If the network is unsecure, someone can create a rogue DHCP server. Responsibility: System Administrator; IA Controls: ECCT-1, ECCT-2
SV-38516r1_rule OSX00120 M6 MEDIUM LDAP Authentication must use authentication when connecting to LDAPv3. When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if the network the computer is running on is not secure. If the network is unsecure, someone can create a rogue DHCP server. Use authentication when connecting to LDAPv3 directories; disable clear text passwords for all LDAPv3 directories; digitally sign all LDAPv3 packets (requires Kerberos); encrypt all LDAPv3 packets (requires SSL or Kerberos); and block man-in-the-middle attacks (requires Kerberos). Responsibility: System Administrator; IA Controls: DCNR-1, ECCT-1, ECCT-2
SV-38518r1_rule OSX00125 M6 HIGH Active Directory Access must be securely configured. The “Allow administration by” setting should not be used in sensitive environments. It can cause unintended privilege escalation issues, because any member of the group specified will have administrator privileges on a computer. Responsibility: System Administrator; IA Controls: DCNR-1, ECCT-1, ECCT-2
SV-37208r1_rule OSX00135 M6 MEDIUM POSIX access permissions must be assigned based on user categories. Changing the permissions on a user's home directory from 750 to 700 will disable Apple file sharing. Users' home directory POSIX permissions should be set to 700. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38520r1_rule OSX00140 M6 MEDIUM Security auditing must be enabled. Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and the methods used for successful and failed access attempts. Responsibility: System Administrator; IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-38521r1_rule OSX00145 M6 MEDIUM Security auditing must be configured. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Without an audit trail providing information as to what occurred and whether it was successful or unsuccessful, it is difficult to analyze a series of events to determine the steps used by an attacker to compromise a system or network, or what exactly happened that led to a Denial of Service. Collecting data such as successful and unsuccessful events is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Responsibility: System Administrator; IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-38522r1_rule OSX00150 M6 MEDIUM Local logging must be enabled. Logging is essential for tracking system events; in the event of unauthorized access, logs may contain information about how and when the access occurred. Ensure logging is enabled and log files are properly rotated. The default configuration in /etc/newsyslog.conf is used to configure local logging in the /var/log folder. The computer is set to rotate log files using the periodic launchd job according to the time intervals specified in the /etc/newsyslog.conf file. Responsibility: System Administrator; IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-38523r1_rule OSX00155 M6 MEDIUM Remote logging must be enabled. In addition to local logging, remote logging must also be enabled. Local logs can be altered if the computer is compromised. Remote logging mitigates the risk of having the logs altered. Responsibility: System Administrator; IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-38524r1_rule OSX00160 M6 HIGH An antivirus tool must be installed. Installing antivirus tools helps prevent virus infection on a computer, and helps prevent a computer from becoming a host used to spread viruses to other computers. These tools quickly identify suspicious content and compare it to known malicious content. See the https://www.cybercom.mil web site for approved antivirus tools. Responsibility: System Administrator; IA Controls: ECVP-1
SV-38525r1_rule OSX00165 M6 MEDIUM Prevent root login must be securely configured in /etc/sshd_config. This setting prevents logging in as root through SSH. It should be set for all SSH methods of authenticating. Responsibility: System Administrator; IA Controls: COBR-1, ECPA-1
SV-38526r1_rule OSX00170 M6 LOW Login Grace Time must be securely configured in /etc/sshd_config. This setting controls the time allowed to authenticate over an ssh connection. It is recommended the value be set to 30 seconds or less. Allowing a connection to stay open for longer periods of time could allow an attacker to take advantage of the port. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37209r1_rule OSX00175 M6 MEDIUM /etc/sshd_config - Protocol version must be securely configured. This setting restricts OpenSSH so it uses only SSH Protocol 2. It should be set for all SSH methods of authenticating. Responsibility: System Administrator; IA Controls: ECSC-1
SV-40699r1_rule OSX00180 M6 HIGH SSH must not allow empty passwords. This setting denies access to accounts without passwords. It should be set for all SSH methods of authenticating. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38527r1_rule OSX00190 M6 MEDIUM The MobileMe preference pane must be removed from System Preferences. Remove the MobileMe preference pane from System Preferences. MobileMe is a suite of Internet tools capable of synchronizing data and other important information while an individual is away from the computer; sensitive environments do not use MobileMe. If critical data must be stored, only store it on a local computer. Data should only be transferred over a secure network connection to a secure internal server. If MobileMe is used, enable it only for user accounts without access to critical data. It is not recommended to enable MobileMe for administrator or root user accounts. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38528r1_rule OSX00195 M6 MEDIUM The Software Update Server URL must be assigned to an organizational value. A computer can look for software updates on an internal software update server (SUS). Using an internal software update server reduces the amount of data transferred outside of the network. The organization can control which updates can be installed on a computer. Responsibility: System Administrator; IA Controls: VIVM-1
SV-37214r1_rule OSX00200 M6 MEDIUM The ability for administrative accounts to unlock the screen saver must be disabled. The default setting creates a possible point of attack, because the more users there are in the admin group, the more the system depends on those users to protect their user names and passwords. By changing the rule in “system.login.screensaver” to “authenticate-session-owner”, users of the admin group cannot unlock the screen saver. Responsibility: System Administrator; IA Controls: ECPA-1, PESL-1
SV-38223r1_rule OSX00215 M6 MEDIUM The setuid bit must be removed from Apple Remote Desktop. Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38233r1_rule OSX00255 M6 MEDIUM The setuid bit must be removed from IPC Statistics. Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38235r1_rule OSX00260 M6 MEDIUM The setuid bit must be removed from Remote Access (unsecure). Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38237r1_rule OSX00265 M6 MEDIUM The setuid bit must be removed from rlogin. Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38238r1_rule OSX00270 M6 MEDIUM The setuid bit must be removed from Remote Access shell (unsecure). Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38239r1_rule OSX00275 M6 MEDIUM The setuid bit must be removed from System Activity Reporting. Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. Responsibility: System Administrator; IA Controls: ECCD-1, ECCD-2
SV-38529r1_rule OSX00280 M6 LOW The correct date and time must be set. Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38530r1_rule OSX00285 M6 LOW A secure time server must be referenced. Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. Date and time preferences can be used to set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38531r1_rule OSX00290 M6 MEDIUM The Auto Update feature must be disabled. By disabling automatic updates, updates can be downloaded and tested in a non-production environment before they are distributed to the production workstations. This reduces the risk of accidental or malicious software updates being applied before they are properly tested. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37218r1_rule OSX00295 M6 MEDIUM The guest account must be disabled. The guest account is used to give a user temporary access to a computer. The guest account should be disabled by default because it does not require a password to log in to the computer. If this account is enabled and is not securely configured, malicious users can gain access to a computer without the use of a password. Responsibility: System Administrator; IA Controls: IAAC-1
SV-37219r1_rule OSX00300 M6 MEDIUM Shared folders must be disabled. Whether or not the guest account itself is enabled, disable guest account access to shared files and folders by deselecting the “Allow guest to connect to shared folders” checkbox. If the guest account is permitted to access shared folders, an attacker can easily attempt to access shared folders without a password. Responsibility: System Administrator; IA Controls: ECAN-1, ECSC-1
SV-37221r1_rule OSX00310 M6 MEDIUM Login window must be properly configured. If not properly configured, the logon screen provides a list of local user names available for logon. A user could use this information to attempt to log in as a different user. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37225r1_rule OSX00320 M6 HIGH Input menu must not be shown in login window. Showing input in the login window could compromise the integrity of the information, and could also allow someone shoulder surfing to gain unauthorized access to the system. Responsibility: System Administrator; IA Controls: IAAC-1
SV-37226r1_rule OSX00325 M6 HIGH The system must be configured to not show password hints. Providing information in the password hint field could compromise the integrity of the password. Showing a password hint could allow someone shoulder surfing to gain information leading to unauthorized access to the system. Responsibility: System Administrator; IA Controls: IAAC-1
SV-37229r1_rule OSX00330 M6 MEDIUM Fast User Switching must be disabled. Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer. Responsibility: System Administrator; IA Controls: IAAC-1
SV-38532r1_rule OSX00335 M6 HIGH The password-related hint field must not be used. If a hint is provided, the user is presented with the hint after three failed authentication attempts. Password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization’s technical support is convenient and does not compromise password integrity. Responsibility: System Administrator; IA Controls: IAAC-1
SV-37230r1_rule OSX00340 M6 HIGH Automatic actions must be disabled for blank CDs. To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37231r1_rule OSX00345 HIGH Automatic actions must be disabled for music CDs. To secure CDs and DVDs (music), do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37235r1_rule OSX00350 M6 HIGH Automatic actions must be disabled for picture CDs. To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37236r1_rule OSX00355 M6 HIGH Automatic actions must be disabled for video DVDs. To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-38533r1_rule OSX00360 M6 MEDIUM System must have a password-protected screen saver configured to DoD requirements. The user must configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers. A short inactivity interval should also be set to decrease the amount of time the unattended computer is unlocked. Responsibility: System Administrator; IA Controls: PESL-1
SV-37242r1_rule OSX00375 M6 MEDIUM The ability to use corners to disable the screen saver must be disabled. A computer should require authentication when waking from sleep or screen saver. Exposé & Spaces preferences can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen. Do not configure a corner to disable the screen saver. Responsibility: System Administrator; IA Controls: PESL-1
SV-38535r1_rule OSX00380 M6 MEDIUM Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to wake the computer. Responsibility: System Administrator; IA Controls: ECSC-1
SV-37245r1_rule OSX00385 M6 MEDIUM Unused hardware devices must be disabled for AirPort. It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
SV-38536r1_rule OSX00390 M6 MEDIUM Unused hardware devices must be disabled for Bluetooth. It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
SV-38538r1_rule OSX00395 M6 MEDIUM Unused hardware devices must be disabled for Firewire. It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (Firewire) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
SV-37247r1_rule OSX00400 M6 MEDIUM System Preferences must be securely configured so IPv6 is turned off if not being used. It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
SV-38560r1_rule OSX00420 M6 MEDIUM A password must be required to wake a computer from sleep or screen saver. Require a password to wake a computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. Although there is a lock button for Security references, users do not need to be authorized as an administrator to make changes. Enable this password requirement for every user account on the computer.System AdministratorPESL-1
SV-37251r1_rule OSX00425 M6 HIGH Automatic login must be disabled. Disabling automatic login is necessary for any level of security. If automatic login is enabled, an intruder can log in without authenticating. Even automatically logging in with a restricted user account, it is still easier to perform malicious actions on the computer.System AdministratorIAAC-1
SV-37254r1_rule OSX00430 M6 MEDIUM A password must be required to unlock each System Preference Pane. Some system preferences are unlocked when logged in with an administrator account. By requiring a password, digital token, smart card, or biometric reader to unlock secure system preferences, this requires extra authentication. System AdministratorECSC-1
SV-37262r1_rule OSX00435 M6 LOW Automatic logout due to inactivity must be disabled. Although some might want to enable automatic logout based on inactivity, there are reasons why this feature should be disabled. First, it can disrupt workflow. Second, it can close applications or processes without approval (but a password-protected screen saver will not close applications). Third, because automatic logout can be interrupted, it provides a false sense of security. System AdministratorECSC-1
SV-37263r1_rule OSX00440 M6 MEDIUM Secure virtual memory must be used. Use secure virtual memory. The system’s virtual memory swap file stores inactive physical memory contents, freeing physical memory. By default on some systems, the swap file is unencrypted. This file can contain confidential data, such as documents and passwords. Using secure virtual memory will secure the swap file at a cost of slightly slower speed (because Mac OS X must encrypt and decrypt the secure swap file).System AdministratorECRC-1
SV-38561r1_rule OSX00445 M6 MEDIUM Remote control infrared receiver must be disabled. If not using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling a computer through the infrared receiver.System AdministratorECSC-1
SV-38563r1_rule OSX00455 M6 MEDIUM Only essential services must be allowed through firewall. Allowing only essential services through the firewall alleviates the potential for unwanted services to run on the system, and cuts down on system usage. System AdministratorECND-1
SV-37266r1_rule OSX00465 M6 MEDIUM Stealth Mode must be enabled on the firewall. Enable Stealth Mode to prevent the computer from sending responses to uninvited traffic. System AdministratorECSC-1
SV-37268r1_rule OSX00470 M6 MEDIUM DVD or CD Sharing must be disabled. DVD or CD sharing must be disabled because it allows users of other computers to remotely use the DVD or CD drive on a computer. System AdministratorECCD-1
SV-37273r1_rule OSX00475 M6 MEDIUM Screen Sharing must be disabled. Screen sharing must be disabled because it allows users of other computers to remotely view and control the computer. System AdministratorECCD-1
SV-37274r1_rule OSX00480 M6 MEDIUM File Sharing must be disabled. File sharing must be disabled because it gives users of other computers access to each user’s Public folder.System AdministratorECCD-1
SV-37278r1_rule OSX00485 M6 MEDIUM Printer Sharing must be disabled. Printer sharing must be disabled because it allows other computers to access a printer connected to the computer.System AdministratorECCD-1
SV-37282r1_rule OSX00490 M6 MEDIUM Web Sharing must be disabled. Web Sharing must be disabled because it allows a network user to view websites located in /Sites. System AdministratorECCD-1
SV-37284r1_rule OSX00495 M6 MEDIUM Remote Login must be disabled. Remote Login must be disabled because it allows users to access the computer remotely.System AdministratorECCD-1
SV-37288r1_rule OSX00500 M6 MEDIUM Apple Remote Desktop must be disabled. Apple Remote Desktop must be disabled because it allows the computer to be accessed using Apple Remote Desktop.System AdministratorECCD-1
SV-37290r1_rule OSX00505 M6 MEDIUM Remote Apple Events must be disabled. Remote Apple Events must be disabled because it allows the computer to receive Apple events from other computers.System AdministratorECCD-1
SV-37293r1_rule OSX00510 M6 MEDIUM Xgrid Sharing must be disabled. Xgrid Sharing must be disabled because it allows computers on a network to work together in a grid to process a job.System AdministratorECCD-1
SV-37296r1_rule OSX00515 M6 MEDIUM Internet Sharing must be disabled. Internet Sharing must be disabled because it allows other users to connect with computers on your local network, through your internet connection.System AdministratorECCD-1
SV-37299r1_rule OSX00520 M6 MEDIUM Bluetooth Sharing must be disabled. Bluetooth Sharing must be disabled because it allows other Bluetooth-enabled computers and devices to share files with your computer.System AdministratorECCD-1, ECWN-1
SV-38567r1_rule OSX00525 M6 MEDIUM Mail must be configured using SSL. When setting up user mail accounts, select "use SSL" in advanced options. This setting is for the Mail app included with OS X. Instructions will be different for other mail applications, but all mail applications should be set up secured using some form of encryption. System AdministratorECCT-1, ECCT-2
SV-37301r1_rule OSX00530 M6 LOW iTunes Store must be disabled. iTunes store allows a user to purchase and download music, videos, and podcasts, which could inadvertently introduce malware on the system. NOTE: The fix must be performed for each user.System AdministratorECSC-1
SV-37303r1_rule OSX00535 M6 LOW Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.System AdministratorECRC-1
SV-37308r1_rule OSX00540 M6 MEDIUM iDisk must be removed from Finder sidebar. iDisk data is stored on Internet servers and is protected by MobileMe account. However, if MobileMe account is accessed by an unauthorized user, data can be compromised. Do not store sensitive data on iDisk. Keep sensitive data local and encrypted on a computer.System AdministratorECRC-1
SV-38568r1_rule OSX00655 M6 HIGH The root account must be disabled. The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended to not enable it. The root account is primarily used for performing UNIX commands. Generally, actions involving critical system files require performing those actions as root.System AdministratorIAAC-1
SV-38583r1_rule OSX00660 M6 MEDIUM Physical security of the system must meet DoD requirements. Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line protection of any system. Physical security of the Automated Information System (AIS) must meet DoD requirements. System AdministratorPECF-2
SV-37313r1_rule OSX00665 M6 MEDIUM Shared User Accounts must be disabled. Shared accounts do not provide individual accountability for system access and resource usage. Shared user accounts are not permitted on the system. System AdministratorIAGA-1
SV-38569r1_rule OSX00670 M6 MEDIUM The Operating System must be current and at the latest release level. Failure to install the most current Operating System (OS) updates leaves a system vulnerable to exploitation. Current OS updates and patches correct known security and system vulnerabilities. If an OS is not at a supported level this will be upgraded to a Category I finding.If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.System AdministratorVIVM-1
SV-37320r1_rule OSX00675 M6 LOW System Recovery Backup procedures must be configured to comply with DoD requirements. Recovery of a damaged or compromised system in a timely basis is difficult without a system information backup. A system backup will usually include sensitive information, such as user accounts that could be used in an attack. As a valuable system resource, the system backup should be protected and stored in a physically secure location.System AdministratorCODB-1
SV-37322r1_rule OSX00685 M6 MEDIUM An Emergency Administrator Account must be created. This check verifies an emergency administrator account has been created to ensure system availability in the event no administrators are able or available to access the system.System AdministratorECPA-1
SV-37325r1_rule OSX00690 M6 MEDIUM Default and Emergency Administrator passwords must be changed when necessary. This check verifies the passwords for the default and emergency administrator accounts are changed at least annually or when any member of the administrative team leaves the organization.System AdministratorECPA-1
SV-37329r1_rule OSX00695 M6 MEDIUM Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization. Setting application accounts to expire may cause applications to stop functioning. The site will have a policy for application account passwords manually generated and entered by a system administrator to be changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords.System AdministratorECPA-1
SV-38572r1_rule OSX00700 M6 MEDIUM Automatic Screen Saver initiation must be enabled when smart card is removed from machine. When using a smart card for authentication the system must be configured to automatically lock the system when the smart card is removed.System AdministratorECSC-1
SV-38570r1_rule OSX00680 M6 MEDIUM Access to audit configuration files must be restricted. Audit configuration files are susceptible to unauthorized, and possibly anonymous, tampering if proper permissions are not applied. System AdministratorECTP-1
SV-37331r1_rule OSX00705 M6 MEDIUM Spotlight Panel must be securely configured. Spotlight can be used to search a computer for files. Spotlight searches the name, the meta-information associated with each file, and the contents of each file. Spotlight finds files regardless of their placement in the file system. This still must be properly set access permissions on folders containing confidential files.System AdministratorECCD-1
SV-38573r1_rule OSX00121 M6 HIGH Clear text passwords for all LDAPv3 directories must be disabled. Allowing passwords to be transmitted over the network in clear text could allow an attacker to monitor the network and capture the password packets. This clear text function must be disabled when accessing LDAPv3 directories.System AdministratorECCT-1, ECCT-2
SV-38575r1_rule OSX00122 M6 MEDIUM All LDAPv3 packets must be digitally signed. To protect the data between the client and LDAPv3 directory the traffic should be digitally signed.System AdministratorECCT-1, ECCT-2
SV-38577r1_rule OSX00123 M6 MEDIUM All LDAPv3 packets must be encrypted. All traffic between the client and the LDAPv3 should be encrypted to ensure confidentiality of data.System AdministratorECCT-1, ECCT-2
SV-38578r1_rule OSX00124 M6 MEDIUM LDAPv3 must block man-in-the-middle attacks. To prevent LDAPv3 man-in-the middle attacks the system must be properly configured.System AdministratorECCT-1, ECCT-2
SV-37333r1_rule OSX00341 M6 HIGH Automatic actions must be disabled for blank DVDs. To secure CDs and DVDs (blank), do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECCD-1
SV-38581r1_rule OSX00467 M6 MEDIUM Bonjour must be disabled. Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.System AdministratorECSC-1
SV-38603r1_rule OSX00036 M6 MEDIUM Complex passwords must contain Alphabetic Character. Configure the local system to verify newly created passwords conform to DoD password complexity policy. Passwords must contain 1 character from the following 4 classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Sites are responsible for installing password complexity software complying with the current DoD requirements.System AdministratorIAIA-1
SV-38607r1_rule OSX00038 M6 MEDIUM Complex passwords must contain a Symbolic Character. Configure the local system to verify newly created passwords conform to the DoD password complexity policy. Passwords must contain 1 character from the following 4 classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Sites are responsible for installing password complexity software that complies with current DoD requirements.System AdministratorIAIA-1