Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

MAC OSX 10.6 Workstation Security Technical Implementation Guide

V1R3 · · · Released 26 Apr 2013 · 218 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

MAC OSX 10.6 Workstation Security Technical Implementation Guide
Sort by
b
The root account must be the only account having a UID of “0”.
CM-6 - Medium - CCI-000366 - V-773 - SV-37848r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN000880 M6
Vuln IDs
  • V-773
Rule IDs
  • SV-37848r1_rule
If an account has a UID of “0”, it has root authority. Multiple accounts with a UID of “0” afford more opportunity for potential intruders to guess a password for a privileged account.System AdministratorECLP-1, IAIA-1, IAIA-2
Checks: C-37044r1_chk

Enter the following command to view users with a UID of "0": grep :0 /etc/passwd If any user other than root has a UID of "0", this is a finding.

Fix: F-32312r1_fix

Edit the /etc/passwd file and change the UID of the duplicate to an unused UID.

b
System files and directories must not have uneven access permissions.
AC-6 - Medium - CCI-000225 - V-784 - SV-37853r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001140 M6
Vuln IDs
  • V-784
Rule IDs
  • SV-37853r1_rule
Discretionary access control is undermined if users, other than a file owner, have greater access permissions to system files and directories than the owner.System AdministratorECCD-1, ECCD-2
Checks: C-37050r1_chk

Open a terminal session and use the following command to verify the system directories do not have uneven file permissions. ls -lL /etc /bin /usr/bin /sbin /usr/sbin If any directories listed contain uneven file permissions, this is a finding.

Fix: F-32315r1_fix

Use the "chmod" command to set the mode of files with uneven permissions so the owners do not have less permission than group or world users.

b
All files and directories must have a valid owner.
CM-6 - Medium - CCI-000366 - V-785 - SV-38181r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN001160 M6
Vuln IDs
  • V-785
Rule IDs
  • SV-38181r1_rule
Non-ownership files and directories may be unintentionally inherited if a user is assigned the same UID as the UID of the non-ownership files.System AdministratorECCD-1, ECCD-2
Checks: C-37567r1_chk

Open a terminal session and enter the following command. find / -nouser Review the results. If any files do not have a valid owner, this is a finding.

Fix: F-32810r1_fix

Determine the legitimate owner of the files and use the "chown" command to set the owner and group to the correct value. If the legitimate owner cannot be determined, examine the files to determine their origin and the reason for their lack of an owner/group.

b
All network services daemon files must have mode 0755 or less permissive.
AC-6 - Medium - CCI-000225 - V-786 - SV-37882r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001180 M6
Vuln IDs
  • V-786
Rule IDs
  • SV-37882r1_rule
Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.System AdministratorECLP-1
Checks: C-37568r1_chk

Open a terminal session and enter the following command to check the mode of network services daemons (all on one line). find /usr/sbin -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all files that are group or world-writable. If any network services daemon listed is world or group-writable (either or both of the 2 lowest order digits containing a 2, 3, 6, or 7), this is a finding.

Fix: F-32811r1_fix

Open a terminal session and use the following command to change the mode of the network services daemon. chmod 755 <path of network services daemon file>

b
System log files must have mode 644 or less permissive.
SI-11 - Medium - CCI-001314 - V-787 - SV-37890r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
GEN001260 M6
Vuln IDs
  • V-787
Rule IDs
  • SV-37890r1_rule
If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value.System AdministratorECTP-1
Checks: C-37569r1_chk

Open a terminal session and enter the following command to verify the permissions. ls -lLR /var/log /var/audit If any of the log files have modes more permissive than 644, this is a finding.

Fix: F-32812r1_fix

Open a terminal session and enter the following command to change the mode of the system log file(s). chmod 644 <path/to/system log file>

a
Manual page files must have mode 0644 or less permissive.
AC-6 - Low - CCI-000225 - V-792 - SV-37910r1_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000225
Version
GEN001280 M6
Vuln IDs
  • V-792
Rule IDs
  • SV-37910r1_rule
If manual pages are compromised, misleading information could be inserted causing actions to possibly compromise the system.System AdministratorECCD-1, ECCD-2
Checks: C-37570r1_chk

Open a terminal session and enter the following command to verify the permissions on the man files. ls -lLR /usr/share/man If the permissions are not set to 0644 or less permissive, this is a finding.

Fix: F-32813r1_fix

Open a terminal session and enter the following command to set the mode of the manual page files to 0644 or less permissive. chmod 0644 /usr/share/man

b
Library files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-793 - SV-37911r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001300 M6
Vuln IDs
  • V-793
Rule IDs
  • SV-37911r1_rule
Unauthorized access could destroy the integrity of the library files.System AdministratorDCSL-1
Checks: C-37571r1_chk

Open a terminal session and enter the following command to verify the permissions on library and framework files, all on one line. find /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib -type f -perm +022 -exec stat -f %Lp:%N {} \; If any of the library files have a mode more permissive than 0755, this is a finding.

Fix: F-32814r1_fix

Open a terminal session and enter the following command to change the mode of library files to 0755 or less permissive. chmod 0755 <path/to/library-file> NOTE: Library files should have an extension of ".a" or ".so", possibly followed by a version number. Frameworks are directories that may already contain files with more restrictive permissions than 755 and thus should not have their modes changed to 755 recursively.

b
All system command files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-794 - SV-37987r2_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001200 M6
Vuln IDs
  • V-794
Rule IDs
  • SV-37987r2_rule
Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths.Elevate to Severity Code I if any file listed is world-writable.System AdministratorECLP-1
Checks: C-37572r1_chk

Open a terminal session and enter the following command to verify command file permissions. find /bin /sbin /usr/bin /usr/sbin -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all group or world-writable files. If any file listed is world or group-writable (either or both of the two lowest order digits contain a "2", "3", "6", or "7"), this is a finding.

Fix: F-32815r3_fix

Open a terminal session and enter the following command to change the mode for system command files to remove group and world write permissions. # chmod go-w <path/filename>

b
All system files, programs, and directories must be owned by a system account.
CM-5 - Medium - CCI-001499 - V-795 - SV-37988r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001220 M6
Vuln IDs
  • V-795
Rule IDs
  • SV-37988r1_rule
Restricting permissions will protect the files from unauthorized modification.System AdministratorECLP-1
Checks: C-37573r1_chk

Open a terminal session and enter the following command to verify the ownership of system files, programs, and directories. Procedure: ls -lLa/bin /usr/bin /sbin /usr/sbin If any of the system files, programs, or directories are not owned by a system account, this is a finding.

Fix: F-32816r1_fix

Open a terminal session and enter the following command to change the owner of system files, programs, and directories to a system account. chown root <path/filename>

b
System files, programs, and directories must be group-owned by a system group.
CM-5 - Medium - CCI-001499 - V-796 - SV-37989r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001240 M6
Vuln IDs
  • V-796
Rule IDs
  • SV-37989r1_rule
Restricting permissions will protect the files from unauthorized modification.System AdministratorECLP-1
Checks: C-37574r1_chk

Open a terminal session and use the following command to verify group ownership of system files, programs, and directories. ls -lLa /usr/bin If any system file, program, or directory is not owned by a system group, this is a finding.

Fix: F-32817r1_fix

Open a terminal session and enter the following command to change the group ownership of system files, programs, and directories to a system group. chgrp wheel <path/filename>

b
The /etc/passwd file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-798 - SV-37990r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001380 M6
Vuln IDs
  • V-798
Rule IDs
  • SV-37990r1_rule
If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated information.System AdministratorECLP-1
Checks: C-37575r1_chk

Open a terminal session and enter the following command to verify the permissions on the password file. ls -Ll /etc/passwd If the permissions are not set to 644, this is a finding.

Fix: F-32818r1_fix

Open a terminal session and enter the following command to set the permissions for the password file. chmod 644 /etc/passwd

a
The sticky bit must be set on all public directories.
CM-6 - Low - CCI-000366 - V-806 - SV-37991r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
GEN002500 M6
Vuln IDs
  • V-806
Rule IDs
  • SV-37991r1_rule
Failing to set the sticky bit on the public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access. System AdministratorECCD-1, ECCD-2
Checks: C-37576r1_chk

Enter the following command to search public directories. find / -type d -perm -002 -exec ls -ld {} \; Review the results. If any public directories do not have the sticky bit set, this is a finding.

Fix: F-32532r1_fix

Open a terminal session and enter the following command to set the sticky bit on all public directories. chmod 1777 <public directory missing the sticky bit>

b
All public directories must be owned by root or an application account.
AC-6 - Medium - CCI-000225 - V-807 - SV-37993r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN002520 M6
Vuln IDs
  • V-807
Rule IDs
  • SV-37993r1_rule
If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage (e.g., /tmp) and for directories requiring global read/write access. System AdministratorECLP-1
Checks: C-37577r1_chk

Open a terminal session and enter the following command to verify the ownership of all public directories. find / -type d -perm -1002 -exec ls -ld {} \; If any public directory is not owned by root or an application user, this is a finding.

Fix: F-32819r1_fix

Open a terminal session and enter the following command to change the owner of public directories to root or an application account. chown root /tmp (Replace root with an application user and/or "/tmp" with another public directory as necessary.)

b
System audit logs must be owned by root.
AU-9 - Medium - CCI-000162 - V-812 - SV-38619r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
GEN002680 M6
Vuln IDs
  • V-812
Rule IDs
  • SV-38619r1_rule
Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.System AdministratorECTP-1
Checks: C-37779r1_chk

Open a terminal session and use the following command to verify the owner of audit logs in the /var/audit directory. ls -lL /var/audit If any file in the /var/audit directory is not owned by root, this is a finding.

Fix: F-33026r1_fix

Open a terminal session and use the following command to change the owner of the file. chown root /var/audit/<filename>

b
System audit logs must have mode 640 or less permissive.
AU-9 - Medium - CCI-000163 - V-813 - SV-38622r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
GEN002700 M6
Vuln IDs
  • V-813
Rule IDs
  • SV-38622r1_rule
If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do not include activity, error, or other log files created by application software.System AdministratorECTP-1
Checks: C-37780r1_chk

Open a terminal session and use the following command to verify the permissions. ls -lL /var/audit If any audit log file has a mode more permissive than 640, this is a finding.

Fix: F-33027r1_fix

Open a terminal session and use the following command to set the permissions of the audit log file. chmod 640 /var/audit <filename>

b
The services file must be owned by root or bin.
AC-6 - Medium - CCI-000225 - V-823 - SV-37996r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003760 M6
Vuln IDs
  • V-823
Rule IDs
  • SV-37996r1_rule
Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Checks: C-37578r1_chk

Open a terminal session and enter the following command to verify ownership of the services file. ls -lL /etc/services If the services file is not owned by root or bin, this is a finding.

Fix: F-32820r1_fix

Open a terminal session and enter the following command to set the ownership of the services file. chown root /etc/services

b
The services file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-824 - SV-37997r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003780 M6
Vuln IDs
  • V-824
Rule IDs
  • SV-37997r1_rule
The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network services.System AdministratorECLP-1
Checks: C-37579r1_chk

Open a terminal session and enter the following command to verify the mode of the services file. ls -lL /etc/services If the services file has a mode more permissive than 0644, this is a finding.

Fix: F-32821r1_fix

Open a terminal session and enter the following command to set the mode of the services file. chmod 0644 /etc/services

b
All local initialization files must be owned by the user or root.
AC-6 - Medium - CCI-000225 - V-904 - SV-38010r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001860 M6
Vuln IDs
  • V-904
Rule IDs
  • SV-38010r1_rule
Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.System AdministratorECLP-1
Checks: C-37580r1_chk

Open a terminal session and enter the following commands to verify ownership of local initialization files. ls -al /&lt;usershomedirectory&gt;/.login ls -al /&lt;usershomedirectory&gt;/.cshrc ls -al /&lt;usershomedirectory&gt;/.logout ls -al /&lt;usershomedirectory&gt;/.profile ls -al /&lt;usershomedirectory&gt;/.bash_profile ls -al /&lt;usershomedirectory&gt;/.bashrc ls -al /&lt;usershomedirectory&gt;/.bash_logout ls -al /&lt;usershomedirectory&gt;/.env ls -al /&lt;usershomedirectory&gt;/.dtprofile ls -al /&lt;usershomedirectory&gt;/.dispatch ls -al /&lt;usershomedirectory&gt;/.emacs ls -al /&lt;usershomedirectory&gt;/.exrc find /&lt;usershomedirectory&gt;/.dt ! -fstype nfs ! -user &lt;username&gt; -exec ls -ld {} \; If local initialization files are not owned by the home directory's user or root, this is a finding.

Fix: F-32822r1_fix

Open a terminal session and enter the following command to change the ownership of the start-up and login files in the user’s directory to the user or root, as appropriate. Examine each user’s home directory and verify all filenames beginning with "." are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required. chown <username> </directory/filename>

b
All run control scripts must have mode 0755 or less permissive.
AC-6 - Medium - CCI-000225 - V-906 - SV-38013r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001580 M6
Vuln IDs
  • V-906
Rule IDs
  • SV-38013r1_rule
If the startup files are writable by other users, they could modify to insert malicious commands into the startup files.System AdministratorECLP-1
Checks: C-37706r1_chk

Open a terminal session and enter the following command to check the mode of launchctl plist files (all on one line). find /System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons -type f -perm +022 -exec stat -f %Lp:%N {} \; This will return the octal permissions and name of all files that are group or world writeable. If any launchctl plist file listed is world or group writeable (either or both of the 2 lowest order digits containing a 2, 3, 6, or 7), this is a finding.

Fix: F-32944r1_fix

Open a terminal session and enter the following command to set the mode of the run control script file. chmod 755 <startup file>

b
There must be no .netrc files on the system.
IA-5 - Medium - CCI-000196 - V-913 - SV-38002r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
GEN002000 M6
Vuln IDs
  • V-913
Rule IDs
  • SV-38002r1_rule
Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts.System AdministratorECCD-1, ECCD-2, IAIA-1, IAIA-2
Checks: C-37581r1_chk

Open a terminal session and enter the following command to check the system for the existence of any .netrc files. find / -name .netrc If any .netrc file exists, this is a finding.

Fix: F-32823r1_fix

To remove the .netrc file(s) enter the following command. rm .netrc

a
All files and directories contained in interactive user home directories must be owned by the home directory's owner.
AC-6 - Low - CCI-000225 - V-914 - SV-38182r1_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000225
Version
GEN001540 M6
Vuln IDs
  • V-914
Rule IDs
  • SV-38182r1_rule
If users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.trueInformation Assurance OfficerSystem AdministratorECCD-1, ECCD-2
Checks: C-37582r1_chk

NOTE: For each user, check for the presence of files and directories within the user's home directory not owned by the home directory owner. Open a terminal session and enter the following command. find /&lt;usershomedirectory&gt; -not -user &lt;username&gt; -exec ls -ld {} \; If the user's home directories contain files or directories not owned by the home directory owner, this is a finding.

Fix: F-32824r1_fix

Open a terminal session and enter the following command to change the ownership of files and directories in user home directories to the owner of the home directory. chown <account-owner> <filename>

b
All shell files must be owned by root.
AC-6 - Medium - CCI-000225 - V-921 - SV-38014r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN002200 M6
Vuln IDs
  • V-921
Rule IDs
  • SV-38014r1_rule
If shell files are owned by users other than root or bin, they could be modified by intruders or malicious users to perform unauthorized actions.System AdministratorECLP-1
Checks: C-37583r1_chk

Open a terminal session and enter the following command to verify the ownership of the system shell files. cat /etc/shells | xargs -n1 ls -lL If any shell file is not owned by root, this is a finding.

Fix: F-32825r1_fix

Open a terminal session and enter the following command to change the ownership of the shell file with incorrect ownership. chown root <shell>

c
All shell files must have mode 0755 or less permissive.
AC-6 - High - CCI-000225 - V-922 - SV-38015r1_rule
RMF Control
AC-6
Severity
H
CCI
CCI-000225
Version
GEN002220 M6
Vuln IDs
  • V-922
Rule IDs
  • SV-38015r1_rule
Shells with world/group write permissions give the ability to maliciously modify the shell to obtain unauthorized access.System AdministratorECLP-1
Checks: C-37584r1_chk

Open a terminal session and enter the following command. cat /etc/shells | xargs -n1 ls -lL If any shell has a mode more permissive than 0755, this is a finding.

Fix: F-32826r1_fix

Open a terminal session and enter the following command to set the mode. chmod 0755 <shell file>

b
Device files and directories must only be writable by users with a system account or as configured by the vendor.
AC-6 - Medium - CCI-000225 - V-924 - SV-38017r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN002280 M6
Vuln IDs
  • V-924
Rule IDs
  • SV-38017r1_rule
System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware.System AdministratorECCD-1, ECCD-2, ECLP-1
Checks: C-37585r1_chk

Open a terminal session and enter the following command to verify permissions. find / -perm -2 -a \( -type b -o -type c \) &gt; devicelist Check the permissions on the directories above subdirectories in the devicelist file. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable (such as /dev/null), this is a finding.

Fix: F-32827r1_fix

Open a terminal session and enter the following command to set the mode of the device file. chmod 755 <device file>

b
The nosuid option must be enabled on all NFS client mounts.
AC-6 - Medium - CCI-000225 - V-936 - SV-38158r2_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN005900 M6
Vuln IDs
  • V-936
Rule IDs
  • SV-38158r2_rule
Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.Information Assurance ManagerInformation Assurance OfficerSystem AdministratorECPA-1
Checks: C-37586r1_chk

Open a terminal session and enter the following command to check the system for NFS mounts not using the "nosuid" option. mount -t nfs | egrep -v "nosuid" If anything is returned, the mounted file systems do not have the "nosuid" option and this is a finding.

Fix: F-32828r2_fix

Open a terminal session and edit /etc/auto_master and add the "nosuid" option at the end of the line that begins with /net. In the same terminal session, edit /etc/fstab and add the "nosuid" option to any lines for NFS mounts. Remount the NFS file systems to make the change take effect.

b
The /etc/smb.conf file must be owned by root.
AC-6 - Medium - CCI-000225 - V-1027 - SV-38183r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN006100 M6
Vuln IDs
  • V-1027
Rule IDs
  • SV-38183r1_rule
The /etc/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
Checks: C-37587r1_chk

Open a terminal session and enter the following command to verify the ownership of the file. ls -lL /etc/smb.conf If an smb.conf file is not owned by root, this is a finding.

Fix: F-32829r1_fix

Open a terminal session and enter the following command to set the owner of the smb.conf file to root. chown root /etc/smb.conf

b
The /etc/smb.conf file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-1028 - SV-38184r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN006140 M6
Vuln IDs
  • V-1028
Rule IDs
  • SV-38184r1_rule
If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised.System AdministratorECLP-1
Checks: C-37588r1_chk

Open a terminal session and enter the following command to verify the permissions of the /etc/smb.conf file. ls -lL /etc/smb.conf If the value is not set to 0644, this is a finding.

Fix: F-32830r1_fix

Open a terminal session and enter the following command to set the mode of the smb.conf file. chmod 644 /etc/smb.conf

b
The system must prohibit the reuse of passwords to 15 iterations.
IA-5 - Medium - CCI-000200 - V-4084 - SV-38632r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000200
Version
GEN000800 M6
Vuln IDs
  • V-4084
Rule IDs
  • SV-38632r1_rule
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at the user's password until it was guessed correctly.System AdministratorIAIA-1, IAIA-2
Checks: C-37781r1_chk

Open a terminal session and use the following command to view the setting for password history. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep usingHistory If the value of usingHistory is less than 15, this is a finding. NOTE: If the command returns a response of password server is not configured, the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep usingHistory

Fix: F-33031r1_fix

Open a terminal session and use the following command to set the value for usingHistory. sudo pwpolicy -n -setglobalpolicy "usingHistory=15" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=15"

b
All system start-up files must be owned by root.
AC-6 - Medium - CCI-000225 - V-4089 - SV-37845r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001660 M6
Vuln IDs
  • V-4089
Rule IDs
  • SV-37845r1_rule
System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network compromise.System AdministratorECLP-1
Checks: C-37043r1_chk

Open a terminal session and enter the following command to verify the ownership is set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect ownership, this is a finding.

Fix: F-32311r1_fix

Open a terminal session and enter the following command to reset the ownership to the original installation settings. diskutil repairPermissions /

b
All system start-up files must be group-owned by root, sys, bin, other, or system.
AC-6 - Medium - CCI-000225 - V-4090 - SV-38018r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001680 M6
Vuln IDs
  • V-4090
Rule IDs
  • SV-38018r1_rule
If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders.System AdministratorECLP-1
Checks: C-37369r1_chk

Open a terminal session and enter the following command to verify the ownership is set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect ownership, this is a finding.

Fix: F-32606r1_fix

Open a terminal session and enter the following command to reset the file ownership to their original settings. diskutil repairPermissions /

b
The "at" directory must have mode 0755 or less permissive.
AC-6 - Medium - CCI-000225 - V-4364 - SV-38019r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003400 M6
Vuln IDs
  • V-4364
Rule IDs
  • SV-38019r1_rule
If the "at" directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the "at" directory. Unauthorized modifications could result in Denial of Service to authorized "at" jobs.System AdministratorECLP-1
Checks: C-37590r1_chk

Open a terminal session and enter the following command to verify the mode of the "at" directory. ls -ld /var/at If the directory mode is more permissive than 0755, this is a finding.

Fix: F-32832r1_fix

Open a terminal session and enter the following command to set the mode of the "at" directory to 755. chmod 755 /var/at

b
The "at" directory must be owned by root, bin, or sys.
AC-6 - Medium - CCI-000225 - V-4365 - SV-38021r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003420 M6
Vuln IDs
  • V-4365
Rule IDs
  • SV-38021r1_rule
If the owner of the "at" directory is not root, bin, or sys, unauthorized users could be allowed to view or edit files containing sensitive information within the directory.System AdministratorECLP-1
Checks: C-37591r1_chk

Open a terminal session and enter the following command to verify the owner of the "at" directory. ls -ld /var/at If the directory is not owned by root, bin, sys, or system, this is a finding.

Fix: F-32833r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /var/at

b
"At" jobs must not set the umask to a value less restrictive than 077.
AC-6 - Medium - CCI-000225 - V-4366 - SV-38022r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003440 M6
Vuln IDs
  • V-4366
Rule IDs
  • SV-38022r1_rule
The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be “0”.trueSystem AdministratorInformation Assurance OfficerECCD-1, ECCD-2
Checks: C-37592r1_chk

Open a terminal session and enter the following command to determine what "at" jobs exist on the system. ls /var/at/spool If no "at" jobs are present, this is not applicable. To determine if any of the "at" jobs or any scripts referenced execute the "umask" command check for any umask setting more permissive than 077. grep umask /var/at/spool&lt;at job or referenced script&gt; If any "at" job or referenced script sets umask to a value more permissive than 077, this is a finding.

Fix: F-32834r1_fix

Open a terminal session and edit "at" jobs or referenced scripts to remove "umask" commands setting umask to a value less restrictive than 077.

b
The at.deny file must be owned by root, bin, or sys.
AC-6 - Medium - CCI-000225 - V-4368 - SV-38024r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003480 M6
Vuln IDs
  • V-4368
Rule IDs
  • SV-38024r1_rule
If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file.System AdministratorECLP-1
Checks: C-37594r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /var/at/at.deny If the at.deny file is not owned by root, sys, or bin, this is a finding.

Fix: F-32836r1_fix

Open a terminal session and enter the following command to set the owner of the at.deny file. chown root /var/at/at.deny

b
The traceroute command owner must be root.
AC-6 - Medium - CCI-000225 - V-4369 - SV-38026r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003960 M6
Vuln IDs
  • V-4369
Rule IDs
  • SV-38026r1_rule
If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
Checks: C-37595r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /usr/sbin/traceroute If the traceroute command is not owned by root, this is a finding.

Fix: F-32837r1_fix

Open a terminal session and enter the following command to set the owner of the traceroute command. chown root /usr/sbin/traceroute

b
The traceroute command must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-4370 - SV-38027r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003980 M6
Vuln IDs
  • V-4370
Rule IDs
  • SV-38027r1_rule
If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology inside of the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
Checks: C-37596r1_chk

Open a terminal session and enter the following command to verify the group ownership of the traceroute command. ls -lL /usr/sbin/traceroute If the traceroute command is not group owned by wheel, this is a finding.

Fix: F-32838r1_fix

Open a terminal session and enter the following command to set the group ownership of the traceroute command. chgrp wheel /usr/sbin/traceroute

b
The traceroute file must have mode 0700 or less permissive.
AC-6 - Medium - CCI-000225 - V-4371 - SV-38028r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN004000 M6
Vuln IDs
  • V-4371
Rule IDs
  • SV-38028r1_rule
If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted executable permissions to the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
Checks: C-37597r1_chk

Open a terminal session and enter the following command to verify the permissions on the traceroute command. ls -lL /usr/sbin/traceroute If the traceroute command has a mode more permissive than 0700, this is a finding.

Fix: F-32839r1_fix

Open a terminal session and enter the following command to set the mode of the traceroute command. chmod 700 /usr/sbin/traceroute

b
The system must not use .forward files.
CM-6 - Medium - CCI-000366 - V-4385 - SV-38005r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN004580 M6
Vuln IDs
  • V-4385
Rule IDs
  • SV-38005r1_rule
The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which could degrade system performance.System AdministratorECSC-1
Checks: C-37598r1_chk

Open a terminal session and enter the following command to search for any .forward files on the system. find / -name .forward -print If any .forward files are found on the system, this is a finding.

Fix: F-32840r1_fix

Open a terminal session and enter the following command to remove .forward files from the system. rm <path of .forward files>

b
The /etc/syslog.conf file must be owned by root.
AC-6 - Medium - CCI-000225 - V-4393 - SV-38030r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN005400 M6
Vuln IDs
  • V-4393
Rule IDs
  • SV-38030r1_rule
If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
Checks: C-37599r1_chk

Open a terminal session and enter the following command to verify the owner. ls -lL /etc/syslog.conf If the syslog.conf file is not owned by root, this is a finding.

Fix: F-32841r1_fix

Open a terminal session and use the following command to set the owner of the syslog.conf file. chown root /etc/syslog.conf

b
The /etc/syslog.conf file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-4394 - SV-38051r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN005420 M6
Vuln IDs
  • V-4394
Rule IDs
  • SV-38051r1_rule
If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.System AdministratorECLP-1
Checks: C-37600r1_chk

Open a terminal session and enter the following command to verify the group ownership of the syslog.conf file. ls -lL /etc/syslog.conf If the syslog.conf file is not group owned by wheel, this is a finding.

Fix: F-32842r1_fix

Open a terminal session and enter the following command to set the group ownership of the syslog.conf file. chgrp wheel /etc/syslog.conf

c
The rsh daemon must not be running.
AC-17 - High - CCI-000068 - V-4687 - SV-38052r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
GEN003820 M6
Vuln IDs
  • V-4687
Rule IDs
  • SV-38052r1_rule
The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.Information Assurance OfficerSystem AdministratorEBRU-1
Checks: C-37673r1_chk

Open a terminal session and use the following command to view the rshd status. defaults read /var/db/launchd.db/com.apple.launchd/overrides com.apple.rshd If the command does not return a value of 1, this is a finding.

Fix: F-32914r1_fix

Open a terminal session and use the following command to disable rshd. launchctl unload -w /System/Library/LaunchDaemons/shell.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

c
The rexec daemon must not be running.
AC-17 - High - CCI-001435 - V-4688 - SV-38054r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-001435
Version
GEN003840 M6
Vuln IDs
  • V-4688
Rule IDs
  • SV-38054r1_rule
The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service.trueInformation Assurance OfficerSystem AdministratorEBRP-1, ECSC-1
Checks: C-37674r1_chk

Open a terminal session and use the following command to view the rexec status. defaults read /var/db/launchd.db/com.apple.launchd/overrides com.apple.rexecd If the command does not return a value of 1, this is a finding.

Fix: F-32915r1_fix

Open a terminal session and use the following command to set the rexec status. launchctl unload -w /System/Library/LaunchDaemons/exec.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

b
The system must not have the UUCP service active.
AC-17 - Medium - CCI-001436 - V-4696 - SV-38055r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
GEN005280 M6
Vuln IDs
  • V-4696
Rule IDs
  • SV-38055r1_rule
The UUCP utility is designed to assist in transferring files, executing remote commands, and sending email between UNIX systems over phone lines and direct connections between systems. The UUCP utility is a primitive and arcane system with many security issues. There are alternate data transfer utilities/products that can be configured to more securely transfer data by providing for authentication, as well as encryption.System AdministratorECSC-1
Checks: C-37601r1_chk

Open a terminal session and enter the following command to verify uucp is disabled. defaults read /System/Library/LaunchDaemons/com.apple.uucp Disabled If a 1 is not returned, this is a finding.

Fix: F-32843r1_fix

Open a terminal session and use the following command to disable uucp. launchctl unload -w /System/Library/LaunchDaemons/com.apple.uucp.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

a
The system must not have the finger service active.
AC-4 - Low - CCI-001551 - V-4701 - SV-38057r2_rule
RMF Control
AC-4
Severity
L
CCI
CCI-001551
Version
GEN003860 M6
Vuln IDs
  • V-4701
Rule IDs
  • SV-38057r2_rule
The finger service provides information about the system's users to network clients. This information could expose information to be used in subsequent attacks.System AdministratorDCPP-1, EBRU-1
Checks: C-37602r2_chk

Open a terminal session and enter the following command to verify finger is disabled. defaults read /var/db/launchd.db/com.apple.launchd/overrides com.apple.fingerd If a value of 1 is not returned, this is a finding.

Fix: F-32844r1_fix

Open a terminal session and use the following command to disable finger. launchctl unload -w /System/Library/LaunchDaemons/finger.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

b
All global initialization files must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-11981 - SV-38058r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001720 M6
Vuln IDs
  • V-11981
Rule IDs
  • SV-38058r1_rule
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon.System AdministratorECLP-1
Checks: C-37603r1_chk

Open a terminal session and enter the following commands to verify the permissions on the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization files are more permissive than 0644, this is a finding.

Fix: F-32845r1_fix

Open a terminal session and enter the following command to set the mode on the global initialization files. chmod 644 /etc/<filename>

b
All global initialization files must be owned by root.
AC-6 - Medium - CCI-000225 - V-11982 - SV-38060r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001740 M6
Vuln IDs
  • V-11982
Rule IDs
  • SV-38060r1_rule
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Checks: C-37604r1_chk

Open a terminal session and enter the following commands to verify the owner of the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization file is not owned by root, this is a finding.

Fix: F-32846r1_fix

Open a terminal session and enter the following command to set the owner of the global initialization files. chown root /etc/<filename>

b
All global initialization files must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-11983 - SV-38061r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001760 M6
Vuln IDs
  • V-11983
Rule IDs
  • SV-38061r1_rule
Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of sensitive files or utilities to the group wheel provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Checks: C-37605r1_chk

Open a terminal session and enter the following commands to verify the group ownership on the global initialization files. ls -l /etc/bashrc ls -l /etc/csh.cshrc ls -l /etc/csh.login ls -l /etc/csh.logout ls -l /etc/profile If any global initialization file is not group owned by wheel, this is a finding.

Fix: F-32847r1_fix

Open a terminal session and use the following command to set the group ownership of the global initialization files. chgrp wheel /etc/<filename>

b
IP forwarding for IPv4 must not be enabled, unless the system is a router.
CM-6 - Medium - CCI-000366 - V-12023 - SV-38186r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN005600 M6
Vuln IDs
  • V-12023
Rule IDs
  • SV-38186r1_rule
If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.System AdministratorECSC-1
Checks: C-37606r1_chk

Open a terminal session and enter the following command. sysctl -a | grep net.inet.ip.fw.enable If the value of "net.inet.ip.fw.enable" is not set to "0", this is a finding.

Fix: F-32848r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.fw.enable=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must not have a public Instant Messaging (IM) client installed.
CM-6 - Medium - CCI-000366 - V-12024 - SV-38067r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN006000 M6
Vuln IDs
  • V-12024
Rule IDs
  • SV-38067r1_rule
Public IM systems are not approved for use and may result in the unauthorized distribution of information. IM clients provide a way for a user to send a message to one or more users in real time. Additional capabilities may include file transfer and support for distributed game playing. Communication between clients and associated directory services are managed through messaging servers. Commercial IM clients include AOL Instant Messenger (AIM), MSN Messenger, and Yahoo! Messenger. IM clients present a security issue when the clients route messages through public servers. The obvious implication is for potentially sensitive information to be intercepted or altered in the course of transmission. This same issue is associated with the use of public email servers. In order to reduce the potential for disclosure of sensitive Government information and to ensure the validity of official Government information, IM clients connecting to public IM services will not be installed. Clients used to access internal or DoD-controlled IM services are permitted. System AdministratorECIM-1
Checks: C-37607r1_chk

If an IM client is installed, ask the SA if it has access to any public domain IM servers. If it does have access to public servers, this is a finding.

Fix: F-32849r1_fix

Uninstall the IM client from the system, or configure the client to only connect to DoD-approved IM services.

b
The system must not have any peer-to-peer file-sharing application installed.
AC-17 - Medium - CCI-001436 - V-12025 - SV-38068r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001436
Version
GEN006040 M6
Vuln IDs
  • V-12025
Rule IDs
  • SV-38068r1_rule
Peer-to-peer file-sharing software can result in the unintentional exfiltration of information. There are also many legal issues associated with these types of utilities including copyright infringement or other intellectual property issues. The ASD Memo "Use of Peer-to-Peer (P2P) File-Sharing Applications across the DoD" states the following: “P2P file-sharing applications are authorized for use on DOD networks with approval by the appropriate Designated Approval Authority (DAA). Documented requirements, security architecture, configuration management process, and a training program for users are all requirements within the approval process. The unauthorized use of application or services, including P2P applications, is prohibited, and such applications or services must be eliminated.” Peer-to-peer applications include, but are not limited to: -Napster, -Kazaa, -ARES, -Limewire, -IRC Chat Relay, and -BitTorrent.System AdministratorDesignated Approving AuthorityDCPD-1, ECSC-1
Checks: C-37608r1_chk

Ask the SA if any peer-to-peer file-sharing applications are installed. Some examples of these applications include. - Napster, - Kazaa, - ARES, - Limewire, - IRC Chat Relay, and - BitTorrent. If any of these applications are installed, this is a finding.

Fix: F-32850r1_fix

Uninstall the peer-to-peer file sharing application(s) from the system.

b
All files and directories must have a valid group owner.
CM-6 - Medium - CCI-000366 - V-22312 - SV-38187r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN001170 M6
Vuln IDs
  • V-22312
Rule IDs
  • SV-38187r1_rule
Files without a valid group owner may be unintentionally inherited if a group is assigned the same GID as the GID of the files without a valid group owner.System AdministratorECSC-1
Checks: C-37609r1_chk

Open a terminal session and enter the following command to search the system for files without a valid group owner. find / -nogroup -print If any files are found, this is a finding.

Fix: F-32851r1_fix

Use the following command to change the group owner for each file without a valid group owner. chgrp <a-valid-group> <path>/<file-without-a-valid-group-owner>

b
All network services daemon files must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22313 - SV-38070r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001190 M6
Vuln IDs
  • V-22313
Rule IDs
  • SV-38070r1_rule
Restricting permission on daemons will protect them from unauthorized modification and possible system compromise.System AdministratorECLP-1
Checks: C-37610r1_chk

Open a terminal session and enter the following command to view the network services daemon ACLs. ls -la /usr/sbin If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32852r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /usr/sbin/ <file with extended ACL>

b
System command files must not have extended ACLs.
CM-5 - Medium - CCI-001499 - V-22314 - SV-38072r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001210 M6
Vuln IDs
  • V-22314
Rule IDs
  • SV-38072r1_rule
Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default system executables and files present in directories included in the system's default executable search paths. System AdministratorECLP-1
Checks: C-37611r1_chk

Open a terminal session and enter the following command to view extended ACLs. find /bin /sbin /usr/bin /usr/sbin -print -exec ls -lLd \{\} \; | egrep '^..........+' If any command files are shown with permissions that include a '+', the file has an extended ACL, this is a finding.

Fix: F-32853r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <path/file with extended ACL>

b
System log files must not have extended ACLs, except as needed to support authorized software.
SI-11 - Medium - CCI-001314 - V-22315 - SV-38073r1_rule
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
GEN001270 M6
Vuln IDs
  • V-22315
Rule IDs
  • SV-38073r1_rule
If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value. Authorized software may be given log file access through the use of extended ACLs when needed and configured to provide the least privileges required.trueSystem AdministratorECLP-1, ECTP-1
Checks: C-37612r1_chk

Open a terminal session and enter the following command to view the system log files ACLs. ls -lLR /var/log If the permissions include a '+', the file has an extended ACL. If an extended ACL exists, verify with the SA if the ACL is required to support authorized software and provides the minimum necessary permissions. If an extended ACL exists, providing access beyond the needs of authorized software, this is a finding.

Fix: F-32854r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /var/log<file with extended ACL>

a
All manual page files must not have extended ACLs.
AC-6 - Low - CCI-000225 - V-22316 - SV-38074r1_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000225
Version
GEN001290 M6
Vuln IDs
  • V-22316
Rule IDs
  • SV-38074r1_rule
If manual pages are compromised, misleading information could be inserted causing actions to possibly compromise the system.System AdministratorECLP-1
Checks: C-37613r1_chk

Open a terminal session and enter the following command to verify the man page ACLs. ls -lLR /usr/share/man If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32946r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -RN /usr/share/man

b
All library files must not have extended ACLs.
CM-5 - Medium - CCI-001499 - V-22317 - SV-38075r1_rule
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
GEN001310 M6
Vuln IDs
  • V-22317
Rule IDs
  • SV-38075r1_rule
Unauthorized access could destroy the integrity of the library files.System AdministratorECLP-1
Checks: C-37614r1_chk

Open a terminal session and enter the following command to view the library file ACLs. ls -lLR /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32856r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -RN /System/Library/Frameworks /Library/Frameworks /usr/lib /usr/local/lib

b
The /etc/resolv.conf file must be owned by root.
AC-6 - Medium - CCI-000225 - V-22319 - SV-38077r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001362 M6
Vuln IDs
  • V-22319
Rule IDs
  • SV-38077r1_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging. System AdministratorECLP-1
Checks: C-37616r1_chk

Open a terminal session and enter the following command to verify the owner of the resolv.conf file. ls -lL /etc/resolv.conf If the resolv.conf file is not owned by root, this is a finding.

Fix: F-32858r1_fix

Open a terminal session and enter the following command to set the owner of the resolv.conf file. chown root /etc/resolv.conf

b
The /etc/resolv.conf file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22320 - SV-38078r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001363 M6
Vuln IDs
  • V-22320
Rule IDs
  • SV-38078r1_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37617r1_chk

Open a terminal session and enter the following command to verify the group ownership of the resolv.conf file. ls -lL /etc/resolv.conf If the resolv.conf file is not group owned by wheel, this is a finding.

Fix: F-32859r1_fix

Open a terminal session and enter the following command to set the group ownership of the resolv.conf file. chgrp wheel /etc/resolv.conf

b
The /etc/resolv.conf file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-22321 - SV-38079r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001364 M6
Vuln IDs
  • V-22321
Rule IDs
  • SV-38079r1_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37451r1_chk

Open a terminal session and enter the following command to verify the permissions on the file. ls -Ll /etc/resolv.conf If the permissions are not set to 644, this is a finding.

Fix: F-32697r1_fix

Open a terminal session and enter the following command to set permissions on the file. chmod 644 /etc/resolv.conf

b
The /etc/resolv.conf file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22322 - SV-38081r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001365 M6
Vuln IDs
  • V-22322
Rule IDs
  • SV-38081r1_rule
The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may fail or return incorrect information. DNS may be used by a variety of system security functions, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37618r1_chk

Open a terminal session and enter the following command to view the resolv.conf file extended ACLs. ls -lL /etc/resolv.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32860r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/resolv.conf

b
The /etc/hosts file must be owned by root.
AC-6 - Medium - CCI-000225 - V-22323 - SV-38082r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001366 M6
Vuln IDs
  • V-22323
Rule IDs
  • SV-38082r1_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37619r1_chk

Open a terminal session and enter the following command to verify the owner of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file is not owned by root, this is a finding.

Fix: F-32861r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/hosts

b
The /etc/hosts file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22324 - SV-38083r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001367 M6
Vuln IDs
  • V-22324
Rule IDs
  • SV-38083r1_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37620r1_chk

Open a terminal session and enter the following command to verify the group ownership of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file is not group owned by wheel, this is a finding.

Fix: F-32862r1_fix

Open a terminal session and enter the following command to set the group to root. chgrp wheel /etc/hosts

b
The /etc/hosts file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-22325 - SV-38085r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001368 M6
Vuln IDs
  • V-22325
Rule IDs
  • SV-38085r1_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37621r1_chk

Open a terminal session and enter the following command to verify the permissions of the etc/hosts file. ls -lL /etc/hosts If the /etc/hosts file permissions are not set to 644, this is a finding.

Fix: F-32863r1_fix

Open a terminal session and use the following command to set the mode of the etc/hosts file. chmod 644 /etc/hosts

b
The /etc/hosts file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22326 - SV-38086r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001369 M6
Vuln IDs
  • V-22326
Rule IDs
  • SV-38086r1_rule
The /etc/hosts file (or equivalent) configures local host name to IP address mappings typically taking precedence over DNS resolution. If this file is maliciously modified, it could cause the failure or compromise of security functions requiring name resolution, such as time synchronization, centralized authentication, and remote system logging.System AdministratorECLP-1
Checks: C-37622r1_chk

Open a terminal session and enter the following command to view the /etc/hosts file extended ACLs. ls -lL /etc/hosts If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32864r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/hosts

a
For systems using DNS resolution, at least two name servers must be configured.
SC-22 - Low - CCI-001182 - V-22331 - SV-38766r1_rule
RMF Control
SC-22
Severity
L
CCI
CCI-001182
Version
GEN001375 M6
Vuln IDs
  • V-22331
Rule IDs
  • SV-38766r1_rule
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.System AdministratorECSC-1
Checks: C-37828r1_chk

Open a terminal session and use the following command to verify the DNS name servers. grep nameserver /etc/resolv.conf If less than two lines are returned that are not commented out, this is a finding.

Fix: F-33086r1_fix

Open a terminal session and use the following command to edit the /etc/resolv.conf and add additional "nameserver" lines until at least two are present. sudo pico /etc/resolv.conf

b
The /etc/passwd file must be owned by root.
AC-6 - Medium - CCI-000225 - V-22332 - SV-38087r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001378 M6
Vuln IDs
  • V-22332
Rule IDs
  • SV-38087r1_rule
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37624r1_chk

Open a terminal session and enter the following command to verify the owner of the etc/passwd file. ls -lL /etc/passwd If the /etc/passwd file is not owned by root, this is a finding.

Fix: F-32866r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/passwd

b
The /etc/passwd file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22333 - SV-38088r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001379 M6
Vuln IDs
  • V-22333
Rule IDs
  • SV-38088r1_rule
The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37625r1_chk

Open a terminal session and enter the following command to verify the group ownership of the etc/passwd file. ls -lL /etc/passwd If the /etc/passwd file is not group owned by wheel, this is a finding.

Fix: F-32867r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel /etc/passwd

b
The /etc/passwd file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22334 - SV-38089r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001390 M6
Vuln IDs
  • V-22334
Rule IDs
  • SV-38089r1_rule
File system ACLs can provide access to files beyond what is allowed by the mode numbers of the files. The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37626r1_chk

Open a terminal session and enter the following command to view the /etc/passwd file extended ACLs. ls -lL /etc/passwd If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32868r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/passwd

b
The /etc/group file must be owned by root.
AC-6 - Medium - CCI-000225 - V-22335 - SV-38090r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001391 M6
Vuln IDs
  • V-22335
Rule IDs
  • SV-38090r1_rule
The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Checks: C-37628r1_chk

Open a terminal session and enter the following command to verify the owner of the /etc/group file. ls -lL /etc/group If the /etc/group file is not owned by root, this is a finding.

Fix: F-32870r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/group

b
The /etc/group file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22336 - SV-38091r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001392 M6
Vuln IDs
  • V-22336
Rule IDs
  • SV-38091r1_rule
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Checks: C-37629r1_chk

Open a terminal session and enter the following command to verify the group ownership of the /etc/group file. ls -lL /etc/group If the /etc/group file is not group owned by wheel, this is a finding.

Fix: F-32871r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel /etc/group

b
The /etc/group file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-22337 - SV-38092r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001393 M6
Vuln IDs
  • V-22337
Rule IDs
  • SV-38092r1_rule
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Checks: C-37631r1_chk

Open a terminal session and enter the following command to verify the permissions of the /etc/group file. ls -lL /etc/group If the /etc/group file permissions are not set to 644, this is a finding.

Fix: F-32872r1_fix

Open a terminal session and enter the following command to set the mode of the /etc/group file. chmod 644 /etc/group

b
The /etc/group file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22338 - SV-38093r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001394 M6
Vuln IDs
  • V-22338
Rule IDs
  • SV-38093r1_rule
The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information.System AdministratorECLP-1
Checks: C-37632r1_chk

Open a terminal session and enter the following command to view the /etc/group file extended ACLs. ls -lL /etc/group If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32873r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/group

a
User home directories must not have extended ACLs.
AC-6 - Low - CCI-000225 - V-22350 - SV-38094r1_rule
RMF Control
AC-6
Severity
L
CCI
CCI-000225
Version
GEN001490 M6
Vuln IDs
  • V-22350
Rule IDs
  • SV-38094r1_rule
Excessive permissions on home directories allow unauthorized access to user files.System AdministratorECLP-1
Checks: C-37681r1_chk

Open a terminal session and enter the following command. ls -lLd &lt;top level user home directory&gt; If the permissions include a '+', the directory has an extended ACL, this is a finding.

Fix: F-32921r1_fix

Open a terminal session and enter the following command to set the permissions. chmod -N <user home directory with extended ACL>

b
All files and directories contained in user home directories must be group-owned by a group where the home directory's owner is a member.
AC-6 - Medium - CCI-000225 - V-22351 - SV-38215r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001550 M6
Vuln IDs
  • V-22351
Rule IDs
  • SV-38215r1_rule
If a user's files are group-owned by a group where the user is not a member, unintended users may be able to access them.System AdministratorECLP-1
Checks: C-37683r1_chk

Open a terminal session and enter the following commands to view the group ownership of the user’s directories and files. ls -l /Users (shows users directory) ls -lL /Users/ &lt;each user directory&gt; If any directory or file is not group owned by the user or a know users group, this is a finding.

Fix: F-32922r1_fix

chgrp <group with user as member> <file with bad group ownership>

b
All files and directories contained in user home directories must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22352 - SV-38095r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001570 M6
Vuln IDs
  • V-22352
Rule IDs
  • SV-38095r1_rule
Excessive permissions allow unauthorized access to user files.System AdministratorECLP-1
Checks: C-37634r1_chk

Open a terminal session and enter the following command. find /Users -print -exec ls -lLd \{\} \; | grep '^..........+' If files are shown with permissions that include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32875r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <user file with extended ACL>

b
Launch control scripts must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22353 - SV-38096r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN001590 M6
Vuln IDs
  • V-22353
Rule IDs
  • SV-38096r1_rule
If the launch control scripts are writable by other users, they could modify to insert malicious commands into the startup files.System AdministratorECLP-1
Checks: C-37635r1_chk

Open a terminal session and enter the following command to verify the launch control scripts have no extended ACLs. ls -lL /System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchDaemons /Library/LaunchAgents If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32876r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <launch control script with extended ACL>

b
All shell files must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22366 - SV-38098r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN002230 M6
Vuln IDs
  • V-22366
Rule IDs
  • SV-38098r1_rule
Shells with world/group-write permissions give the ability to maliciously modify the shell to obtain unauthorized access.System AdministratorECLP-1
Checks: C-37636r1_chk

Open a terminal session and enter the following command to view extended ACLs. cat /etc/shells | xargs -n1 ls -lL If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32877r1_fix

Open a terminal session and use the following command to remove the extended ACLs. chmod -N <shell file with extended ACL>

b
All system audit files must not have extended ACLs.
AU-9 - Medium - CCI-000163 - V-22369 - SV-38102r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000163
Version
GEN002710 M6
Vuln IDs
  • V-22369
Rule IDs
  • SV-38102r1_rule
If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.System AdministratorECTP-1
Checks: C-37639r1_chk

Open a terminal session and enter the following command to view the ACLs of the audit files. ls -Ll /var/audit If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32880r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N </var/audit/ file with extended ACL>

a
System audit tool executables must not have extended ACLs.
AU-9 - Low - CCI-001493 - V-22373 - SV-38103r1_rule
RMF Control
AU-9
Severity
L
CCI
CCI-001493
Version
GEN002718 M6
Vuln IDs
  • V-22373
Rule IDs
  • SV-38103r1_rule
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.System AdministratorECLP-1
Checks: C-37640r1_chk

Open a terminal session and enter the following command to view the ACLs of the audit tool. ls -lL /usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/praudit If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32881r1_fix

Open a terminal session and use the following command to remove the extended ACLs. chmod -N <audit file with extended ACL>

b
The cron.allow file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22384 - SV-38105r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN002990 M6
Vuln IDs
  • V-22384
Rule IDs
  • SV-38105r1_rule
A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is allowed to execute cron programs, which could be harmful to overall system and network security.System AdministratorECLP-1
Checks: C-37642r1_chk

Open a terminal session and enter the following command to view the ACLs of the cron.allow file. ls -l /private/var/at/cron.allow If the file exists and the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32883r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /private/var/at/cron.allow

b
Crontab files must be group-owned by wheel, cron, or the crontab creator's primary group.
AC-6 - Medium - CCI-000225 - V-22385 - SV-38107r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003050 M6
Vuln IDs
  • V-22385
Rule IDs
  • SV-38107r1_rule
To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured.System AdministratorECLP-1
Checks: C-37680r1_chk

Open a terminal session and enter the following commands to verify the group ownership of the "crontab" files. ls -lL /usr/sbin/cron ls -lL /usr/lib/cron ls -lL /usr/bin/crontab ls -lL /private/var/at/cron.deny If the group-owner is not wheel or the crontab owner's primary group, this is a finding.

Fix: F-32920r1_fix

Open a terminal session and enter the following command to set the group to wheel. chgrp wheel <crontab file>

b
Crontab files must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22386 - SV-38110r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003090 M6
Vuln IDs
  • V-22386
Rule IDs
  • SV-38110r1_rule
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on crontab files may provide unauthorized access to the files.System AdministratorECLP-1
Checks: C-37644r1_chk

Open a terminal session and enter the following commands to view the extended ACLs of the crontab file. ls -lL /usr/sbin/cron ls -lL /usr/lib/cron ls -lL /usr/bin/crontab ls -lL /private/var/at/cron.deny If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32885r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <crontab file>

b
Cron and crontab directories must not have extended ACLs.
AC-6 - Medium - CCI-000225 - V-22387 - SV-38112r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003110 M6
Vuln IDs
  • V-22387
Rule IDs
  • SV-38112r1_rule
To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on cron and crontab directories may provide unauthorized access to these directories. Unauthorized modifications to these directories or their contents may result in the addition of unauthorized cron jobs or deny service to authorized cron jobs. System AdministratorECLP-1
Checks: C-37645r1_chk

Open a terminal session and enter the following commands to view the extended ACLs of the crontab directory. ls -ld /usr/sbin/cron ls -ld /usr/lib/cron ls -ld /usr/bin/crontab ls -ld /private/var/at/cron.deny If the permissions include a '+', the directory has an extended ACL, this is a finding.

Fix: F-32886r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N <crontab directory>

b
The cron.deny file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22389 - SV-38115r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003210 M6
Vuln IDs
  • V-22389
Rule IDs
  • SV-38115r1_rule
If there are excessive file permissions for the cron.deny file, sensitive information could be viewed or edited by unauthorized users.System AdministratorECLP-1
Checks: C-37647r1_chk

Open a terminal session and enter the following command to view the ACLs of the cron.deny file. ls -l /private/var/at/cron.deny If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32888r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /private/var/at/cron.deny

b
The cron.allow file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22391 - SV-38117r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003250 M6
Vuln IDs
  • V-22391
Rule IDs
  • SV-38117r1_rule
If the group of the cron.allow is not set to wheel, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized modification of this file could cause Denial of Service to authorized cron users or provide unauthorized users with the ability to run cron jobs.System AdministratorECLP-1
Checks: C-37649r1_chk

Open a terminal session and enter the following command to verify the group ownership of the cron.allow file. ls -lL /private/var/at/cron.allow If the file exists and is not group owned by wheel, this is a finding.

Fix: F-32890r1_fix

Open a terminal session and enter the following command. chgrp wheel /private/var/at/cron.allow

b
The cron.deny file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22394 - SV-38119r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003270 M6
Vuln IDs
  • V-22394
Rule IDs
  • SV-38119r1_rule
The cron daemon control files and restricts the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial of Service to authorized cron users or could provide unauthorized users with the ability to run cron jobs.System AdministratorECLP-1
Checks: C-37650r1_chk

Open a terminal session and enter the following command to verify the group ownership of the "/private/var/at/cron.deny" file. ls -lL /private/var/at/cron.deny If the "/private/var/at/cron.deny" file is not group owned by wheel, this is a finding.

Fix: F-32891r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /private/var/at/cron.deny

b
Kernel core dumps must be disabled unless needed.
CM-6 - Medium - CCI-000366 - V-22404 - SV-38198r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN003510 M6
Vuln IDs
  • V-22404
Rule IDs
  • SV-38198r1_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial of Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.System AdministratorECSC-1
Checks: C-37656r1_chk

Open a terminal session and use the following command to verify the system does not allow core dumps. sysctl -a | grep kern.coredump If kern.coredump is not set to 0, this is a finding.

Fix: F-32897r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following entry. kern.coredump=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

a
The system must not process Internet Control Message Protocol (ICMP) timestamp requests.
AC-4 - Low - CCI-001551 - V-22409 - SV-38200r1_rule
RMF Control
AC-4
Severity
L
CCI
CCI-001551
Version
GEN003602 M6
Vuln IDs
  • V-22409
Rule IDs
  • SV-38200r1_rule
The processing of ICMP timestamp requests increases the attack surface of the system.System AdministratorECSC-1
Checks: C-37657r1_chk

Open a terminal session and enter the following command to view the timestamp. sysctl -a | grep net.inet.icmp.timestamp If the value of net.inet.icmp.timestamp is not set to "1", this is a finding.

Fix: F-32898r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.icmp.timestamp=1 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must not respond to Internet Control Message Protocol (ICMPv4) echoes sent to a broadcast address.
AC-4 - Medium - CCI-001551 - V-22410 - SV-38201r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001551
Version
GEN003603 M6
Vuln IDs
  • V-22410
Rule IDs
  • SV-38201r1_rule
Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.System AdministratorECSC-1
Checks: C-37658r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.icmp.bmcastecho". sysctl -a | grep net.inet.icmp.bmcastecho If the value is not set to "1", this is a finding.

Fix: F-32899r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.icmp.bmcastecho=1 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must prevent local applications from generating source-routed packets.
AC-4 - Medium - CCI-001551 - V-22413 - SV-38202r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001551
Version
GEN003606 M6
Vuln IDs
  • V-22413
Rule IDs
  • SV-38202r1_rule
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.System AdministratorECSC-1
Checks: C-37659r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.sourceroute". sysctl -a | grep net.inet.ip.sourceroute If the value of "net.inet.ip.sourceroute" is not set to "0", this is a finding.

Fix: F-32900r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.sourceroute=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must not accept source-routed IPv4 packets.
AC-4 - Medium - CCI-001551 - V-22414 - SV-38203r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001551
Version
GEN003607 M6
Vuln IDs
  • V-22414
Rule IDs
  • SV-38203r1_rule
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.System AdministratorECSC-1
Checks: C-37660r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.accept_sourceroute". sysctl -a | grep net.inet.ip.accept_sourceroute If the value of "net.inet.ip.accept_sourceroute" is not set to "0", this is a finding.

Fix: F-32901r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.accept_sourceroute=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must ignore IPv4 ICMP redirect messages.
CM-6 - Medium - CCI-001503 - V-22416 - SV-38204r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-001503
Version
GEN003609 M6
Vuln IDs
  • V-22416
Rule IDs
  • SV-38204r1_rule
ICMP redirect messages are used by routers to inform hosts of a more direct route existing for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.System AdministratorECSC-1
Checks: C-37661r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.icmp.drop_redirect". sysctl -a | grep net.inet.icmp.drop_redirect If the value of "net.inet.icmp.drop_redirect" is not set to "0", this is a finding.

Fix: F-32902r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.icmp.drop_redirect=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The system must not send IPv4 ICMP redirects.
AC-4 - Medium - CCI-001551 - V-22417 - SV-38205r1_rule
RMF Control
AC-4
Severity
M
CCI
CCI-001551
Version
GEN003610 M6
Vuln IDs
  • V-22417
Rule IDs
  • SV-38205r1_rule
ICMP redirect messages are used by routers to inform hosts of a more direct route existing for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.System AdministratorECSC-1
Checks: C-37662r1_chk

Open a terminal session and enter the following command to view the value of "net.inet.ip.redirect". sysctl -a | grep net.inet.ip.redirect If the value of "net.inet.ip.redirect" is not set to "0", this is a finding.

Fix: F-32903r1_fix

Open a terminal session and edit the /etc/sysctl.conf file and add the following line. net.inet.ip.redirect=0 NOTE: If the sysctl.conf file does not exist use the following command to create one. touch /etc/sysctl.conf

b
The services file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22427 - SV-38122r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003770 M6
Vuln IDs
  • V-22427
Rule IDs
  • SV-38122r1_rule
Failure to give ownership of system configuration files to a system group provides the designated owner and unauthorized users with the potential to change the system configuration which could weaken the system's security posture.System AdministratorECLP-1
Checks: C-37663r1_chk

Open a terminal session and enter the following command to verify the group ownership of the /etc/services file. ls -lL /etc/services If the /etc/services file is not group owned by wheel, this is a finding.

Fix: F-32904r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /etc/services

b
The services file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22428 - SV-38124r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN003790 M6
Vuln IDs
  • V-22428
Rule IDs
  • SV-38124r1_rule
The services file is critical to the proper operation of network services and must be protected from unauthorized modification. If the services file has an extended ACL, it may be possible for unauthorized users to modify the file. Unauthorized modification could result in the failure of network services.System AdministratorECLP-1
Checks: C-37664r1_chk

Open a terminal session and enter the following command to view the /etc/services file extended ACLs. ls -lL /etc/services If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32905r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/services

b
The traceroute file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22437 - SV-38127r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN004010 M6
Vuln IDs
  • V-22437
Rule IDs
  • SV-38127r1_rule
If an extended ACL exists on the traceroute executable file, it may provide unauthorized users with access to the file. Malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized users. Additionally, if an unauthorized user is granted executable permissions to the traceroute command, it could be used to gain information about the network topology behind the firewall. This information may allow an attacker to determine trusted routers and other network information potentially leading to system and network compromise.System AdministratorECLP-1
Checks: C-37665r1_chk

Open a terminal session and enter the following command to view the "/usr/sbin/traceroute" file extended ACLs. ls -lL /usr/sbin/traceroute If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32906r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /usr/sbin/traceroute

b
The aliases file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22438 - SV-38128r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN004370 M6
Vuln IDs
  • V-22438
Rule IDs
  • SV-38128r1_rule
If the alias file is not group-owned by a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.System AdministratorECLP-1
Checks: C-37666r1_chk

Open a terminal session and use the following command to verify the group ownership of the /etc/aliases file. ls -lL /etc/aliases If the /etc/aliases file is not group owned by wheel, this is a finding.

Fix: F-32907r1_fix

Open a terminal session and enter the following command to set the group. chgrp wheel /etc/aliases

b
The alias file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22439 - SV-38131r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN004390 M6
Vuln IDs
  • V-22439
Rule IDs
  • SV-38131r1_rule
Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.System AdministratorECLP-1
Checks: C-37668r1_chk

Open a terminal session and enter the following command to view the /etc/aliases file extended ACLs. ls -lL /etc/aliases If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32908r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/aliases

b
The /etc/syslog.conf file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22454 - SV-38133r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN005395 M6
Vuln IDs
  • V-22454
Rule IDs
  • SV-38133r1_rule
Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file.System AdministratorECLP-1
Checks: C-37669r1_chk

Open a terminal session and enter the following command to view the /etc/syslog.conf file extended ACLs. ls -lL /etc/syslog.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32909r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/syslog.conf

b
The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
AC-17 - Medium - CCI-000068 - V-22458 - SV-39360r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
GEN005505 M6
Vuln IDs
  • V-22458
Rule IDs
  • SV-39360r1_rule
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.System AdministratorDCNR-1
Checks: C-38307r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/sshd_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher not starting with "3DES" or "AES", this is a finding.

Fix: F-33597r1_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" to remove any ciphers not starting with "3DES" or "AES".

b
The SSH daemon must be configured to not use CBC ciphers.
CM-6 - Medium - CCI-000366 - V-22459 - SV-39364r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN005506 M6
Vuln IDs
  • V-22459
Rule IDs
  • SV-39364r1_rule
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plaintext attacks and must not be used.System AdministratorECSC-1
Checks: C-38312r1_chk

Open a terminal session and enter the following command. grep ciphers /etc/sshd_config If no lines are returned, or the returned ciphers list contains any cipher ending with CBC, this is a finding.

Fix: F-33601r1_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" and remove any ciphers ending with "CBC". If necessary, add a Ciphers line.

b
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
AC-17 - Medium - CCI-001453 - V-22460 - SV-39369r2_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
GEN005507 M6
Vuln IDs
  • V-22460
Rule IDs
  • SV-39369r2_rule
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.System AdministratorDCNR-1
Checks: C-38315r1_chk

Open a terminal session and enter the following command. grep -i macs /etc/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-33604r2_fix

Open a terminal session and edit the SSH daemon configuration file "/etc/sshd_config" and remove any MACs other than "hmac-sha1". If there is no MACs line in "/etc/sshd_config", add "MACs hmac-sha1" to the file. Restart the SSH daemon for the changes to take effect.

b
The SSH client must be configured to only use FIPS 140-2 approved ciphers.
AC-17 - Medium - CCI-000068 - V-22461 - SV-39371r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
GEN005510 M6
Vuln IDs
  • V-22461
Rule IDs
  • SV-39371r1_rule
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.System AdministratorDCNR-1
Checks: C-38317r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher not starting with "3DES" or "AES", this is a finding.

Fix: F-33606r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any ciphers not starting with "3DES" or "AES".

b
The SSH client must be configured to not use CBC-based ciphers.
CM-6 - Medium - CCI-000366 - V-22462 - SV-39374r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN005511 M6
Vuln IDs
  • V-22462
Rule IDs
  • SV-39374r1_rule
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plaintext attacks and must not be used.System AdministratorECSC-1
Checks: C-38319r1_chk

Open a terminal session and enter the following command. grep -i ciphers /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher ending with "CBC", this is a finding.

Fix: F-33608r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any ciphers ending with "CBC".

b
The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
AC-17 - Medium - CCI-001453 - V-22463 - SV-39376r1_rule
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
GEN005512 M6
Vuln IDs
  • V-22463
Rule IDs
  • SV-39376r1_rule
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.System AdministratorDCNR-1
Checks: C-38321r1_chk

Open a terminal session and enter the following command. grep -i macs /etc/ssh_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-33611r1_fix

Open a terminal session and edit the SSH client configuration file "/etc/ssh_config" and remove any MACs other than "hmac-sha1".

b
The /etc/smb.conf file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22497 - SV-38135r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN006150 M6
Vuln IDs
  • V-22497
Rule IDs
  • SV-38135r1_rule
Excessive permissions could endanger the security of the Samba configuration file and, ultimately, the system and network.System AdministratorECLP-1
Checks: C-37670r1_chk

Open a terminal session and enter the following command to view the /etc/smb.conf file extended ACLs. ls -lL /etc/smb.conf If the permissions include a '+', the file has an extended ACL, this is a finding.

Fix: F-32910r1_fix

Open a terminal session and enter the following command to remove the extended ACLs. chmod -N /etc/smb.conf

b
The system package management tool must be used to verify system software periodically.
CM-6 - Medium - CCI-000366 - V-22506 - SV-38138r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
GEN006565 M6
Vuln IDs
  • V-22506
Rule IDs
  • SV-38138r1_rule
Verification using the system package management tool can be used to determine that system software has not been tampered with. This requirement is not applicable to systems not using package management tools. System AdministratorECAT-1
Checks: C-37671r1_chk

Open a terminal session and enter the following command to verify the permissions are set to the original installation settings. diskutil verifyPermissions /

Fix: F-32911r1_fix

Open a terminal session and enter the following command to reset the permissions to the original installation settings. diskutil repairPermissions /

a
The file integrity tool must be configured to verify ACLs.
SI-7 - Low - CCI-001297 - V-22507 - SV-38139r1_rule
RMF Control
SI-7
Severity
L
CCI
CCI-001297
Version
GEN006570 M6
Vuln IDs
  • V-22507
Rule IDs
  • SV-38139r1_rule
ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.System AdministratorECAT-1
Checks: C-37672r1_chk

Open a terminal session and enter the following command to verify the permissions are set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect permissions, this is a finding.

Fix: F-32912r1_fix

Open a terminal session and enter the following command to reset the permissions to the original installation settings. diskutil repairPermissions /

a
The file integrity tool must be configured to verify extended attributes.
SI-7 - Low - CCI-001297 - V-22508 - SV-38141r1_rule
RMF Control
SI-7
Severity
L
CCI
CCI-001297
Version
GEN006571 M6
Vuln IDs
  • V-22508
Rule IDs
  • SV-38141r1_rule
Extended attributes in file systems are used to contain arbitrary data and file metadata potentially having security implications.System AdministratorECAT-1
Checks: C-37510r1_chk

Open a terminal session and enter the following command to verify the permissions are set to the original installation settings. diskutil verifyPermissions / If files are shown with incorrect extended attributes, this is a finding.

Fix: F-32913r1_fix

Open a terminal session and enter the following command to remove extended attributes. diskutil repairPermissions /

b
If the system is using LDAP for authentication or account information the /etc/openldap/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
AC-6 - Medium - CCI-000225 - V-22559 - SV-38142r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN008060 M6
Vuln IDs
  • V-22559
Rule IDs
  • SV-38142r1_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37512r1_chk

Open a terminal session and enter the following command to verify the permissions. ls -Ll /etc/openldap/ldap.conf If the permissions are not set to 644, this is a finding.

Fix: F-32760r1_fix

Open a terminal session and enter the following command to set permissions on the file. chmod 644 /etc/openldap/ldap.conf

b
If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be owned by root.
AC-6 - Medium - CCI-000225 - V-22560 - SV-38155r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN008080 M6
Vuln IDs
  • V-22560
Rule IDs
  • SV-38155r1_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37536r1_chk

Open a terminal session and enter the following command to verify the owner. ls -Ll /etc/openldap/ldap.conf If the owner is not set to root, this is a finding.

Fix: F-32782r1_fix

Open a terminal session and enter the following command to set the owner to root. chown root /etc/openldap/ldap.conf

b
If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be group-owned by wheel.
AC-6 - Medium - CCI-000225 - V-22561 - SV-38156r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN008100 M6
Vuln IDs
  • V-22561
Rule IDs
  • SV-38156r1_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37537r1_chk

Open a terminal session and enter the following command to verify the group owner. ls -Ll /etc/openldap/ldap.conf If the file is not group-owned by wheel, this is a finding.

Fix: F-32783r1_fix

Open a terminal session and use the following command to set the group owner of the file. chgrp wheel /etc/openldap/ldap.conf

b
If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must not have an extended ACL.
AC-6 - Medium - CCI-000225 - V-22562 - SV-38157r1_rule
RMF Control
AC-6
Severity
M
CCI
CCI-000225
Version
GEN008120 M6
Vuln IDs
  • V-22562
Rule IDs
  • SV-38157r1_rule
LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.System AdministratorECLP-1
Checks: C-37538r1_chk

Open a terminal session and enter the following command to verify the /etc/openldap/ldap.conf has no extended ACLs. ls -lL /etc/openldap/ldap.conf If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.

Fix: F-32784r1_fix

Open a terminal session and enter the following command to remove the ACLs. chmod -RN /etc/openldap/ldap.conf

b
The system's local firewall must implement a deny-all, allow-by-exception policy.
SC-7 - Medium - CCI-001109 - V-22583 - SV-39384r1_rule
RMF Control
SC-7
Severity
M
CCI
CCI-001109
Version
GEN008540 M6
Vuln IDs
  • V-22583
Rule IDs
  • SV-39384r1_rule
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.System AdministratorECSC-1
Checks: C-29318r1_chk

Determine if the system's local firewall implements a deny-all, allow-by-exception policy. If it does not, this is a finding.

Fix: F-26350r1_fix

Configure the system's local firewall to implement a deny-all, allow-by-exception policy.

b
System audit logs must be group-owned by wheel.
AU-9 - Medium - CCI-000162 - V-22702 - SV-38144r1_rule
RMF Control
AU-9
Severity
M
CCI
CCI-000162
Version
GEN002690 M6
Vuln IDs
  • V-22702
Rule IDs
  • SV-38144r1_rule
Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system.System AdministratorECLP-1, ECTP-1
Checks: C-37513r1_chk

Open a terminal session and enter the following command to verify group ownership of the files. ls -Ll /var/audit If any file is not group owned by wheel, this is a finding.

Fix: F-32761r1_fix

Open a terminal session and enter the following command to change group ownership of the file. chgrp wheel /var/audit/ <audit file>

c
The telnet daemon must not be running.
IA-5 - High - CCI-000197 - V-24386 - SV-38213r1_rule
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
GEN003850 M6
Vuln IDs
  • V-24386
Rule IDs
  • SV-38213r1_rule
The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised.System AdministratorDCPP-1
Checks: C-37679r1_chk

Open a terminal session and enter the following command to verify telnet is disabled. defaults read /var/db/launchd.db/com.apple.launchd/overrides com.apple.telnetd If a 1 is not returned, this is a finding.

Fix: F-32919r1_fix

Open a terminal session and use the following command to disable telnet. launchctl unload -w /System/Library/LaunchDaemons/telnet.plist NOTE: This command is being run to adjust the overrides file; unloading errors are normal, repeat the check to verify.

b
Unnecessary packages must not be installed.
Medium - V-25187 - SV-37149r1_rule
RMF Control
Severity
M
CCI
Version
OSX00010 M6
Vuln IDs
  • V-25187
Rule IDs
  • SV-37149r1_rule
Removing unused packages frees disk space and reduces the risk of attackers finding vulnerabilities in unused components.System AdministratorECSC-1
Checks: C-37676r1_chk

Verify unnecessary packages are not installed. Open a terminal session and enter the following command. pkgutil / --pkgs Review the packages installed, determine if the installed packages are needed. If not, then this is a finding.

Fix: F-32916r1_fix

Review the packages installed using the following command. pkgutil / --pkgs Determine if the installed packages are needed. If not, verify any dependencies and use the rm command to remove them.

b
Administrator accounts must be created with difficult-to-guess names.
Medium - V-25200 - SV-37153r1_rule
RMF Control
Severity
M
CCI
Version
OSX00015 M6
Vuln IDs
  • V-25200
Rule IDs
  • SV-37153r1_rule
The administrator account has unlimited privileges to the system. Creating a complex name improves the protection of this account and the system. Do not use administrator; do not use the name of the machine, etc.System AdministratorIAIA-1, IAIA-2
Checks: C-35869r1_chk

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Verify there are no easy to guess administrator account names. If any accounts have easy to guess names, this is a finding.

Fix: F-31124r1_fix

1. Select Finder. 2. Select Applications. 3. Select System Preferences. 4. Select Accounts. 5. Rename or recreate accounts with difficult-to-guess names.

b
A maximum password age must be set.
Medium - V-25204 - SV-37158r1_rule
RMF Control
Severity
M
CCI
Version
OSX00020 M6
Vuln IDs
  • V-25204
Rule IDs
  • SV-37158r1_rule
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Further, scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.System AdministratorIAIA-1, IAIA-2
Checks: C-35870r1_chk

Open a terminal session and use the following command to view the setting for maximum password age. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword. If the value of "maxMinutesUntilChangePassword" is greater than 86400 or set to "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword If the value of "maxMinutesUntilChangePassword" is greater than 86400, this is a finding. NOTE: The value of "0" will disable this setting and must not be used.

Fix: F-34540r1_fix

Open a terminal session and use the following command to set the value for maxMinutesUntilChangePassword. sudo pwpolicy -n -setglobalpolicy "maxMinutesUntilChangePassword=86400" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=86400"

b
A minimum password length must be set.
Medium - V-25230 - SV-37172r1_rule
RMF Control
Severity
M
CCI
Version
OSX00030 M6
Vuln IDs
  • V-25230
Rule IDs
  • SV-37172r1_rule
Information systems not protected with strong password schemes including passwords of minimum length provide the opportunity for anyone to crack the password and gain access to the system, and cause the device, information, or the local network to be compromised or a Denial of Service.System AdministratorIAIA-1, IAIA-2
Checks: C-35877r1_chk

Open a terminal session and enter the following command to view the setting for minimum password length. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minChars If the value of minChars is less than 15, this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minChars If the value of minChars is less than 15, this is a finding.

Fix: F-31132r1_fix

Open a terminal session and use the following command to set the value for minimum password length. sudo pwpolicy -n -setglobalpolicy "minChars=15" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "minChars=15"

b
Newly created password content must be checked.
Medium - V-25238 - SV-37177r1_rule
RMF Control
Severity
M
CCI
Version
OSX00040 M6
Vuln IDs
  • V-25238
Rule IDs
  • SV-37177r1_rule
Configure the local system to verify newly created passwords do not contain user's account name or parts of the user's full name exceeding two consecutive characters.System AdministratorIAIA-1, IAIA-2
Checks: C-35881r1_chk

Open a terminal session and use the following command to view the setting for "password cannot be name". sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName If the value of "passwordCannotBeName" is not equal to "1", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName If the value of "passwordCannotBeName" is not equal to "1", this is a finding.

Fix: F-31136r1_fix

Open a terminal session and use the following command to set the value for "password cannot be name". sudo pwpolicy -n -setglobalpolicy "passwordCannotBeName=1" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "passwordCannotBeName=1"

b
Account lockout duration must be properly configured.
Medium - V-25240 - SV-37184r1_rule
RMF Control
Severity
M
CCI
Version
OSX00045 M6
Vuln IDs
  • V-25240
Rule IDs
  • SV-37184r1_rule
This parameter specifies the amount of time that must pass between two successive login attempts to ensure a lockout will occur. The smaller this value is, the less effective the account lockout feature will be in protecting the local system. System AdministratorECLO-1, ECLO-2
Checks: C-35886r1_chk

Open a terminal session and use the following command to view the setting for Account lockout duration. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the value of "minutesUntilFailedLoginReset" is greater than "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the value of "minutesUntilFailedLoginReset" is greater than "0", this is a finding.

Fix: F-31142r1_fix

Open a terminal session and use the following command to set the value for account lockout duration. sudo pwpolicy -n -setglobalpolicy "minutesUntilFailedLoginReset=0" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "minutesUntilFailedLoginReset=0"

b
Account lockout threshold must be properly configured.
Medium - V-25241 - SV-37186r1_rule
RMF Control
Severity
M
CCI
Version
OSX00050 M6
Vuln IDs
  • V-25241
Rule IDs
  • SV-37186r1_rule
The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of incorrect logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon. System AdministratorECLO-1, ECLO-2
Checks: C-35887r1_chk

Open a terminal session and use the following command to view the setting for account lockout threshold. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts If the value of "maxFailedLoginAttempts" is more than "3", or set to "0", this is a finding. NOTE: If the command returns a response of "password server is not configured", the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts If the value of "maxFailedLoginAttempts" is more than "3", or set to "0", this is a finding.

Fix: F-31143r1_fix

Open a terminal session and use the following command to set the value for account lockout threshold. sudo pwpolicy -n -setglobalpolicy "maxFailedLoginAttempts=3" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=3"

b
All application software must be current.
Medium - V-25251 - SV-37190r1_rule
RMF Control
Severity
M
CCI
Version
OSX00055 M6
Vuln IDs
  • V-25251
Rule IDs
  • SV-37190r1_rule
Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential these updates be applied in a timely manner to prevent unauthorized persons from exploiting identified vulnerabilities. If the application software is no longer supported it should be updated or removed.If any of the patches not installed are ‘Critical’, then this should be elevated to a Category 1.System AdministratorVIVM-1
Checks: C-35889r1_chk

Open a terminal session and enter the following command. sudo softwareupdate --list or sudo softwareupdate --list --all Review the result for proper versions and current patch level. GUI procedures: 1. Choose Apple (?) &gt; Software Update. 2. Select Scheduled Check &amp; Installed Updates. 3. Verify all current software updates are installed. If the current software updates are not installed, this is a finding. NOTE: This check does not show third party software or updates.

Fix: F-28170r2_fix

Install current software updates and patches. NOTE: Do not enable Automatic Updating as this will conflict with V-25298.

b
Wi-Fi support software must be disabled.
Medium - V-25252 - SV-37193r1_rule
RMF Control
Severity
M
CCI
Version
OSX00060 M6
Vuln IDs
  • V-25252
Rule IDs
  • SV-37193r1_rule
Many organizations restrict the use of wireless technology in their network environment. However, most Mac computers have wireless capability built-in and simply turning it off may not meet the organization’s wireless technology restrictions. Components may need to be removed from Mac OS X to disable them from being turned on in System Preferences. Although wireless technology gives a network more flexibility with its users, it can also cause security vulnerabilities most may be unaware of. It is recommended wherever possible, wireless access is disabled for security reasons. IMPORTANT: Repeat these instructions every time a system update is installed.System AdministratorECSC-1
Checks: C-35890r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist. IO80211Family.kext If the file exists, this is a finding.

Fix: F-31145r1_fix

Open a terminal session and enter the following commands. srm -rf /System/Library/Extensions/IO80211Family.kext touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

b
Bluetooth support software must be disabled.
Medium - V-25253 - SV-37198r1_rule
RMF Control
Severity
M
CCI
Version
OSX00065 M6
Vuln IDs
  • V-25253
Rule IDs
  • SV-37198r1_rule
Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as Denial of Service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. Remove Bluetooth support for peripherals such as keyboards, mice, or phones. This task requires administrator privileges. IMPORTANT: Repeat these instructions every time a system update is installed. Support should be removed at kext level.System AdministratorECSC-1
Checks: C-35892r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following files do NOT exist. IOBluetoothFamily.kext IOBluetoothHIDDriver.kext If any file exists, this is a finding.

Fix: F-31148r1_fix

Open a terminal session and enter the following commands to remove the files. srm -rf /System/Library/Extensions/IOBluetoothFamily.kext srm -rf /System/Library/Extensions/IOBluetoothHIDDriver.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

b
Audio recording support software must be disabled.
Medium - V-25254 - SV-38509r1_rule
RMF Control
Severity
M
CCI
Version
OSX00070 M6
Vuln IDs
  • V-25254
Rule IDs
  • SV-38509r1_rule
A computer might be in an environment where recording devices, such as cameras or microphones are not permitted. Protect the organization’s privacy by disabling these devices. Remove support for the audio subsystem. This may disable audio playback. IMPORTANT: Repeat these instructions every time a system update is installed.System AdministratorECSC-1
Checks: C-37727r1_chk

Open a terminal session and view the /System/Library/Extensions/ folder if any of the following files exist, this is a finding. AppleUSBAudio.kext IOAudioFamily.kext

Fix: F-34553r1_fix

Open a terminal session and enter the following commands. srm -rf /System/Library/Extensions/AppleUSBAudio.kext srm -rf /System/Library/Extensions/IOAudioFamily.kext touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

b
Video recording support software must be disabled.
Medium - V-25255 - SV-37201r1_rule
RMF Control
Severity
M
CCI
Version
OSX00075 M6
Vuln IDs
  • V-25255
Rule IDs
  • SV-37201r1_rule
A computer might be in an environment where recording devices, such as cameras or microphones, are not permitted. Protect the organization’s privacy by disabling these devices. Remove support for an external or built-in iSight camera. NOTE: The support for external iSight cameras should be removed on all machines. Removing only support for internal iSight cameras would still leave support for external cameras available. An Apple Authorized Technician can also remove the built-in video camera hardware from an Apple computer. IMPORTANT: Repeat these instructions every time a system update is installed. System AdministratorECSC-1
Checks: C-35894r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist: Apple_iSight.kext. Control click the IOUSBFamily.kext and select Show Package Contents. Open the /Contents/PlugIns/ folder. Ensure the following file does NOT exist: AppleUSBVideoSupport.kext If any of the files exist, this is a finding.

Fix: F-31151r1_fix

Open a terminal session and enter the following commands to remove the files. sudo srm -rf /System/Library/Extensions/Apple_iSight.kext sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/Plugins/AppleUSBVideoSupport.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

b
Infrared (IR) support must be removed.
Medium - V-25258 - SV-37206r1_rule
RMF Control
Severity
M
CCI
Version
OSX00090 M6
Vuln IDs
  • V-25258
Rule IDs
  • SV-37206r1_rule
To prevent unauthorized users from controlling a computer through the infrared receiver, remove IR hardware support. This task requires administrator privileges. An Apple Authorized Technician can also remove IR hardware from an Apple computer. IMPORTANT: Repeat these instructions every time a system update is installed. System AdministratorECSC-1
Checks: C-35898r1_chk

Open a terminal session and view the /System/Library/Extensions folder. Ensure the following file does NOT exist. AppleIRController.kext If the file exists, this is a finding.

Fix: F-31156r1_fix

Open a terminal session and enter the following commands to remove the file. srm -rf /System/Library/Extensions/AppleIRController.kext sudo touch /System/Library/Extensions NOTE: Repeat these instructions every time a system update is installed.

c
An Extensible Firmware Interface (EFI) password must be used.
High - V-25259 - SV-38510r1_rule
RMF Control
Severity
H
CCI
Version
OSX00095 M6
Vuln IDs
  • V-25259
Rule IDs
  • SV-38510r1_rule
When a computer starts up, it first starts Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determine which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer.System AdministratorECSC-1
Checks: C-37728r1_chk

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Verify the "Require password to start this computer from another source" is selected. If not, this is a finding.

Fix: F-32972r1_fix

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Click New. Select "Require password to start this computer from another source". In the Password and Verify fields, enter a new EFI password and click OK. Close the Firmware Password Utility.

b
Access warning for the login window must be present.
Medium - V-25260 - SV-38556r1_rule
RMF Control
Severity
M
CCI
Version
OSX00100 M6
Vuln IDs
  • V-25260
Rule IDs
  • SV-38556r1_rule
Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. A login window or Terminal access warning can be used to provide notice of a computer’s ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.System AdministratorECWM-1
Checks: C-37753r2_chk

If the following DoD warning banner is not displayed at the top of the login panel before entering the user name and password, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." NOTE: Any OS versions that do not support the full text version must state the following: "I've read &amp; consent to terms in IS user agreem't." NOTE: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

Fix: F-32996r2_fix

Open a terminal session and enter the following command. sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Log off the system and verify the banner is displayed at the login screen.

b
Access warning for the command line must be present.
Medium - V-25261 - SV-38513r1_rule
RMF Control
Severity
M
CCI
Version
OSX00105 M6
Vuln IDs
  • V-25261
Rule IDs
  • SV-38513r1_rule
Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. When a user opens a terminal locally or connects to the computer remotely, the user sees the access warning.System AdministratorECWM-1
Checks: C-37729r2_chk

Open a terminal session. The warning banner should be displayed in the terminal. If the following DoD warning banner is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: Any OS versions not supporting the full text version must state the following: "I've read and consent to terms in IS user agreem't". Note: Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance.

Fix: F-32973r1_fix

1. Open a terminal session 2. Verify the /etc/motd file exists. If not, use the touch command to create the file. 3. Edit the file and enter the appropriate DoD warning banner information. 4. Save the file. 5. Open a new terminal session and verify the banner is displayed.

c
sudo usage must be restricted to a single terminal, and for only one sudo instance at a time.
High - V-25262 - SV-38614r1_rule
RMF Control
Severity
H
CCI
Version
OSX00110 M6
Vuln IDs
  • V-25262
Rule IDs
  • SV-38614r1_rule
Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. These limit the use of the sudo command to a single command per authentication and also ensure, even if a timeout is activated, that later sudo commands are limited to the terminal in which authentication occurred. System AdministratorECSC-1
Checks: C-37778r1_chk

Open a terminal session and use the following command to view the values. grep Defaults /etc/sudoers Ensure the following items exist: "Defaults tty_tickets" and "Defaults timestamp_timeout=0" If the values are not present, this is a finding.

Fix: F-33025r1_fix

Open a terminal session and enter the following commands to set the values in the /etc/sudoers file. VISUAL=pico visudo Enter the following two lines in the file. Defaults tty_tickets Defaults timestamp_timeout=0 Save and exit the file.

b
LDAPv3 access must be securely configured (if it is used).
Medium - V-25263 - SV-38514r1_rule
RMF Control
Severity
M
CCI
Version
OSX00115 M6
Vuln IDs
  • V-25263
Rule IDs
  • SV-38514r1_rule
When configuring LDAPv3, do not add DHCP supplied LDAP servers to automatic search policies if the network the computer is running on is not secure. If the network is unsecure, someone can create a rogue DHCP.System AdministratorECCT-1, ECCT-2
Checks: C-37730r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Connection tab and verify "Encrypt using SSL" is selected. If "Encrypt using SSL" is not selected, this is a finding.

Fix: F-32974r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Connection tab and select "Encrypt using SSL".

b
LDAP Authentication must use authentication when connecting to LDAPv3.
Medium - V-25264 - SV-38516r1_rule
RMF Control
Severity
M
CCI
Version
OSX00120 M6
Vuln IDs
  • V-25264
Rule IDs
  • SV-38516r1_rule
When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if the network the computer is running on is not secure. If the network is unsecure, someone can create a rogue DHCP. Use authentication when connecting to LDAPv3 directories; disable clear text passwords for all LDAPv3 directories; digitally sign all LDAPv3 packets (requires Kerberos); encrypt all LDAPv3 packets (requires SSL or Kerberos); and block man-in-the-middle attacks (requires Kerberos).System AdministratorDCNR-1, ECCT-1, ECCT-2
Checks: C-37731r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, this is a finding.

Fix: F-32975r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and select "Use authentication when connecting".

c
Active Directory Access must be securely configured.
High - V-25265 - SV-38518r1_rule
RMF Control
Severity
H
CCI
Version
OSX00125 M6
Vuln IDs
  • V-25265
Rule IDs
  • SV-38518r1_rule
The “Allow administration by” setting should not be used in sensitive environments. It can cause unintended privilege escalation issues because any member of the group specified will have administrator privileges on a computer.System AdministratorDCNR-1, ECCT-1, ECCT-2
Checks: C-37732r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Services tab. Double Click on Active Directory. Click on Show Advanced Options. Click on Administrative tab and ensure "Allow administration by" is not selected. If "Allow administration by" is selected, this is a finding.

Fix: F-32976r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Services tab. Double Click on Active Directory. Click on Show Advanced Options. Click on Administrative tab and deselect "Allow administration by" option.

b
POSIX access permissions must be assigned based on user categories.
Medium - V-25267 - SV-37208r1_rule
RMF Control
Severity
M
CCI
Version
OSX00135 M6
Vuln IDs
  • V-25267
Rule IDs
  • SV-37208r1_rule
POSIX access permissions must be assigned based on user categories. Changing permissions on a user's home directory from 750 to 700 will disable Apple file sharing. User's home directory POSIX permissions should be set to 700. System AdministratorECSC-1
Checks: C-35899r1_chk

Open a terminal session and enter the following command. ls -ld &lt;users home directory&gt; If permissions are not set to 700, this is a finding.

Fix: F-31157r1_fix

Open a terminal session and enter the following command. sudo chmod 700 <user’s home directory>

b
Security auditing must be enabled.
Medium - V-25268 - SV-38520r1_rule
RMF Control
Severity
M
CCI
Version
OSX00140 M6
Vuln IDs
  • V-25268
Rule IDs
  • SV-38520r1_rule
Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and the methods used for successful and failed access attempts.System AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-37733r1_chk

Open a terminal session and run the following command. sudo launchctl list Verify "com.apple.auditd" appears. If the file does not appear, this is a finding.

Fix: F-32977r1_fix

Open a terminal session and run the following command. sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

b
Security auditing must be configured.
Medium - V-25269 - SV-38521r1_rule
RMF Control
Severity
M
CCI
Version
OSX00145 M6
Vuln IDs
  • V-25269
Rule IDs
  • SV-38521r1_rule
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, has begun, or is about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Without an audit trail providing information as to what occurred and if it was successful or unsuccessful, it is difficult to analyze a series of events to determine the steps used by an attacker to compromise a system or network, or what exactly happened that led to a Denial of Service. Collecting data such as the successful and unsuccessful events is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.System AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-37734r1_chk

Open a terminal session and enter the following command view the audit flags. more /etc/security/audit_control file. Review the entries and ensure the line includes the following: flags: lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. If the file does not contain the appropriate flags, this is a finding.

Fix: F-32978r1_fix

Open a terminal session and edit the /etc/security/audit_control file. Find the line beginning with "flags". Replace that line with the following: flags:lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. Save the file.

b
Local logging must be enabled.
Medium - V-25270 - SV-38522r1_rule
RMF Control
Severity
M
CCI
Version
OSX00150 M6
Vuln IDs
  • V-25270
Rule IDs
  • SV-38522r1_rule
Logging is essential for tracking system events, in the event of unauthorized access, logs may contain information about how and when the access occurred. Ensure logging is enabled and log files are properly rotated. The default configuration in /etc/newsyslog.conf is used to configure local logging in the /var/log folder. The computer is set to rotate log files using the periodic launchd job according to time intervals specified in the /etc/newsyslog.conf file.System AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-37735r1_chk

Open a terminal session and enter the following command. more /etc/newsyslog.conf If the count values are not set to "14", this is a finding.

Fix: F-32979r1_fix

Open a terminal session and edit the following file and set the count value(s) to "14". /etc/newsyslog.conf

b
Remote logging must be enabled.
Medium - V-25271 - SV-38523r1_rule
RMF Control
Severity
M
CCI
Version
OSX00155 M6
Vuln IDs
  • V-25271
Rule IDs
  • SV-38523r1_rule
In addition to local logging, remote logging must also be enabled. Local logs can be altered if the computer is compromised. Remote logging mitigates the risk of having the logs altered. System AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-37736r1_chk

Open a terminal session and enter the following command. more /etc/syslog.conf Ensure the name or IP address of the site's log server is listed as "your.log.server". If the name or IP address of the log server is not listed, this is a finding.

Fix: F-32980r1_fix

Open a terminal session and enter the following command. sudo pico /etc/syslog.conf Add the following line to the top of the file, replacing "your.log.server" with the name or IP address of the log server, and keeping all other lines intact. *.* @your.log.server Exit, saving changes. Reboot the system.

c
An antivirus tool must be installed.
High - V-25272 - SV-38524r1_rule
RMF Control
Severity
H
CCI
Version
OSX00160 M6
Vuln IDs
  • V-25272
Rule IDs
  • SV-38524r1_rule
Installing antivirus tools helps prevent virus infection on a computer, and helps prevent a computer from becoming a host used to spread viruses to other computers. These tools quickly identify suspicious content and compare them to known malicious content. See the https://www.cybercom.mil web site for approved antivirus tools.System AdministratorECVP-1
Checks: C-37737r1_chk

Verify an approved antivirus tool is installed on the system.

Fix: F-32981r1_fix

Install an approved antivirus tool on the system.

b
Prevent root login must be securely configured in /etc/sshd_config.
Medium - V-25273 - SV-38525r1_rule
RMF Control
Severity
M
CCI
Version
OSX00165 M6
Vuln IDs
  • V-25273
Rule IDs
  • SV-38525r1_rule
Prevents logging in as root through SSH. This should be set for all SSH methods of authenticating. System AdministratorCOBR-1, ECPA-1
Checks: C-37738r1_chk

Open a terminal session and enter the following command. more /etc/sshd_config Ensure the value "PermitRootLogin" is set to "No". If the value "PermitRootLogin" is not set to "No", this is a finding. NOTE: If the line starts with a # sign this is a comment and the command to disable root login would be invalid regardless of the value, this is a finding.

Fix: F-32982r1_fix

Open a terminal session and enter the following command. sudo pico /etc/sshd_config Edit the value "PermitRootLogin" and set it to "No". Save the file.

a
Login Grace Time must be securely configured in /etc/sshd_config.
Low - V-25274 - SV-38526r1_rule
RMF Control
Severity
L
CCI
Version
OSX00170 M6
Vuln IDs
  • V-25274
Rule IDs
  • SV-38526r1_rule
This setting controls the time allowed to authenticate over an ssh connection. It is recommended the value be set to 30 seconds or less. By allowing a connection to stay open for longer periods of time could allow an attacker to take advantage of the port.System AdministratorECSC-1
Checks: C-37739r1_chk

Open a terminal session and enter the following command. more /etc/sshd_config Ensure the value "LoginGraceTime" is set to 30 or less. If the value "LoginGraceTime" is not set to 30 or less, this is a finding. NOTE: If the value is set to "0", this is a finding.

Fix: F-32983r1_fix

Open a terminal session and enter the following command. sudo pico /etc/sshd_config Edit the value "LoginGraceTime" and set it to "30". Save the file.

b
/etc/sshd_config - Protocol version must be securely configured.
Medium - V-25275 - SV-37209r1_rule
RMF Control
Severity
M
CCI
Version
OSX00175 M6
Vuln IDs
  • V-25275
Rule IDs
  • SV-37209r1_rule
Restricts OpenSSH so it uses only SSH Protocol 2. This should be set for all SSH methods of authenticating. System AdministratorECSC-1
Checks: C-35900r1_chk

1. Open a terminal session and enter the following command. more /etc/sshd_config 2. Ensure the value Protocol is set to "2". If the value Protocol is not set to "2", this is a finding.

Fix: F-31158r1_fix

1. Open a terminal session and enter the following command. sudo pico /etc/sshd_config 2. Edit the value "Protocol" and set it to "2". 3. Save the file.

c
OSX00180-SSH must not allow empty passwords.
High - V-25276 - SV-40699r1_rule
RMF Control
Severity
H
CCI
Version
OSX00180 M6
Vuln IDs
  • V-25276
Rule IDs
  • SV-40699r1_rule
Denies access to accounts without passwords. This should be set for all SSH methods of authenticating.System AdministratorECSC-1
Checks: C-39426r1_chk

Open a terminal session and enter the command. more /etc/sshd_config If the value of PermitEmptyPasswords is set to Yes, this is a finding. If the PermitEmptyPasswords option is not set, this is not a finding.

Fix: F-34555r1_fix

Open a terminal session and edit the following file. /etc/sshd_config Set the value of PermitEmptyPasswords to No.

b
The MobileMe preference pane must be removed from System Preferences.
Medium - V-25278 - SV-38527r1_rule
RMF Control
Severity
M
CCI
Version
OSX00190 M6
Vuln IDs
  • V-25278
Rule IDs
  • SV-38527r1_rule
Remove the MobileMe preference pane from System Preferences. MobileMe is a suite of Internet tools capable of synchronizing data and other important information while an individual is away from the computer, sensitive environments do not use MobileMe. If critical data must be stored, only store it on a local computer. Data should only be transferred over a secure network connection to a secure internal server. If MobileMe is used, enable it only for user accounts without access to critical data. It is not recommended to enable MobileMe for administrator or root user accounts. System AdministratorECSC-1
Checks: C-37740r1_chk

Open a terminal session and navigate to the /System/Library/PreferencePanes folder. Ensure the following file does NOT exist. MobileMe.prefPane If this file exists, this is a finding.

Fix: F-32984r1_fix

Open a terminal session and enter the following command to remove the file. sudo rm -R /System/Library/PreferencePanes/MobileMe.prefPane

b
The Software Update Server URL must be assigned to an organizational value.
Medium - V-25279 - SV-38528r1_rule
RMF Control
Severity
M
CCI
Version
OSX00195 M6
Vuln IDs
  • V-25279
Rule IDs
  • SV-38528r1_rule
A computer can look for software updates on an internal software update server (SUS). Using an internal software update server reduces the amount of data transferred outside of the network. The organization can control which updates can be installed on a computer.System AdministratorVIVM-1
Checks: C-37741r1_chk

Open a terminal session and enter the following command. defaults read com.apple.SoftwareUpdate CatalogURL The value returned is the current Software Update Server. Verify it is an approved SUS. If no value is returned, the system is using a default Apple Update Server and this is a finding. NOTE: If the system is not using an authorized DoD SUS server, it should point to a null address.

Fix: F-32985r1_fix

Open a terminal session and enter the following command. defaults write com.apple.SoftwareUpdate CatalogURL 'new_SUS_URL' (Where 'new_SUS_URL' is the URL or the address of the appropriate government SUS to be used.)

b
The ability for administrative accounts to unlock screen saver must be disabled.
Medium - V-25280 - SV-37214r1_rule
RMF Control
Severity
M
CCI
Version
OSX00200 M6
Vuln IDs
  • V-25280
Rule IDs
  • SV-37214r1_rule
The default setting creates a possible point of attack, because the more users in the admin group the more dependent on those users to protect their user names and passwords. By changing the rule in “system.login.screensaver” to “authenticatesession-owner”, users of the admin group cannot unlock the screen saver.System AdministratorECPA-1, PESL-1
Checks: C-35905r1_chk

Open a terminal session and enter the following command. more /etc/authorization Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, this is a finding.

Fix: F-31163r1_fix

Open a terminal session and edit the following file. /etc/authorization Change "authenticate-session-owner-or-admin " to "authenticate-session-owner" in the "system.login.screensaver" key. Save the file.

b
Setuid bit must be removed from Apple Remote Desktop.
Medium - V-25283 - SV-38223r1_rule
RMF Control
Severity
M
CCI
Version
OSX00215 M6
Vuln IDs
  • V-25283
Rule IDs
  • SV-38223r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37687r1_chk

Open a terminal session and enter the following command. ls -la /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent Verify the file permissions are set to 755 or more restrictive. If not, this is a finding.

Fix: F-32930r1_fix

Open a terminal session and enter the following command. chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

b
The setuid bit must be removed from the IPC Statistics.
Medium - V-25291 - SV-38233r1_rule
RMF Control
Severity
M
CCI
Version
OSX00255 M6
Vuln IDs
  • V-25291
Rule IDs
  • SV-38233r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37698r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/ipcs Ensure the file permissions are set to 511. If the permission is not the same or more restrictive, this is a finding.

Fix: F-32939r1_fix

Open a terminal session and enter the following command. chmod 511 /usr/bin/ipcs

b
The setuid bit from Remote Access (unsecure) must be removed.
Medium - V-25292 - SV-38235r1_rule
RMF Control
Severity
M
CCI
Version
OSX00260 M6
Vuln IDs
  • V-25292
Rule IDs
  • SV-38235r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37699r1_chk

Open a terminal session and enter the following command. ls -ld /bin/rcp Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32940r1_fix

Open a terminal session and enter the following command. chmod 555 /bin/rcp

b
The setuid bit from rlogin must be removed.
Medium - V-25293 - SV-38237r1_rule
RMF Control
Severity
M
CCI
Version
OSX00265 M6
Vuln IDs
  • V-25293
Rule IDs
  • SV-38237r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37700r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/rlogin Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32941r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/bin/rlogin

b
The setuid bit from Remote Access shell (unsecure) must be removed.
Medium - V-25294 - SV-38238r1_rule
RMF Control
Severity
M
CCI
Version
OSX00270 M6
Vuln IDs
  • V-25294
Rule IDs
  • SV-38238r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37701r1_chk

Open a terminal session and enter the following command. ls -ld /usr/bin/rsh Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32942r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/bin/rsh

b
The setuid bit from System Activity Reporting must be removed.
Medium - V-25295 - SV-38239r1_rule
RMF Control
Severity
M
CCI
Version
OSX00275 M6
Vuln IDs
  • V-25295
Rule IDs
  • SV-38239r1_rule
Because attackers try to influence or co-opt the execution of setuid programs in order to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program. System AdministratorECCD-1, ECCD-2
Checks: C-37702r1_chk

Open a terminal session and enter the following command. ls -ld /usr/lib/sa/sadc Verify the file permissions are set to 555 or more restrictive. If not, this is a finding.

Fix: F-32943r1_fix

Open a terminal session and enter the following command. chmod 555 /usr/lib/sa/sadc

a
The correct date and time must be set.
Low - V-25296 - SV-38529r1_rule
RMF Control
Severity
L
CCI
Version
OSX00280 M6
Vuln IDs
  • V-25296
Rule IDs
  • SV-38529r1_rule
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. System AdministratorECSC-1
Checks: C-37742r1_chk

1. Open System Preferences-&gt;Date&amp;Time Panel. 2. Ensure the correct date and time is set. If the date and time are not correct, this is a finding.

Fix: F-32986r1_fix

1. Open System Preferences->Date&Time Panel. 2. Set the correct date and time.

a
A secure time server must be referenced.
Low - V-25297 - SV-38530r1_rule
RMF Control
Severity
L
CCI
Version
OSX00285 M6
Vuln IDs
  • V-25297
Rule IDs
  • SV-38530r1_rule
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. Date and time preferences can be used to set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server. System AdministratorECSC-1
Checks: C-37743r1_chk

1. Open System Preferences-&gt;Date &amp; Time Panel. 2. Ensure "Set date &amp; time automatically" is selected. 3. In the box for the time server, ensure the URL is entered along with either the address of a valid federal government NTP server or address of a local domain controller.

Fix: F-32987r1_fix

1. Open System Preferences> Date & Time Panel. 2. Select "Set date & time automatically". 3. In the box for the time server, type either the URL or IP address of a valid federal government NTP server or local domain controller.

b
The Auto Update feature must be disabled.
Medium - V-25298 - SV-38531r1_rule
RMF Control
Severity
M
CCI
Version
OSX00290 M6
Vuln IDs
  • V-25298
Rule IDs
  • SV-38531r1_rule
By disabling automatic updates, updates can be downloaded and tested in a non production environment before they are distributed to the production workstations. This reduces the risk of accidental or malicious software updates being applied before they are properly tested.System AdministratorECSC-1
Checks: C-37744r1_chk

Open a terminal session and enter the following command. softwareupdate --schedule Verify "Automatic check" is off. If the option is not off, this is a finding.

Fix: F-32988r1_fix

Open a terminal session and enter the following command to disable the auto update feature. softwareupdate --schedule off

b
The guest account must be disabled.
Medium - V-25299 - SV-37218r1_rule
RMF Control
Severity
M
CCI
Version
OSX00295 M6
Vuln IDs
  • V-25299
Rule IDs
  • SV-37218r1_rule
The guest account is used to give a user temporary access to a computer. The guest account should be disabled by default because it does not require a password to login on the computer. If this account is enabled and is not securely configured malicious users can gain access to a computer without the use of a password. System AdministratorIAAC-1
Checks: C-35907r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow guests to login to this computer" option is unchecked. If the option is checked, this is a finding.

Fix: F-31165r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow guests to login to this computer".

b
Shared folders must be disabled.
Medium - V-25300 - SV-37219r1_rule
RMF Control
Severity
M
CCI
Version
OSX00300 M6
Vuln IDs
  • V-25300
Rule IDs
  • SV-37219r1_rule
Whether or not the guest account itself is enabled, disable guest account access to shared files and folders by deselecting the “Allow guest to connect to shared folders” checkbox. If the guest account is permitted to access shared folders, an attacker can easily attempt to access shared folders without a password.System AdministratorECAN-1, ECSC-1
Checks: C-35908r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Click on Guest Account. 3. Ensure "Allow Guests to connect to shared folders" option is unchecked. If the option is checked, this is a finding.

Fix: F-31166r1_fix

1. Open System Preferences->Accounts Panel. 2. Click on Guest Account. 3. Deselect "Allow Guests to connect to shared folders".

b
Login window must be properly configured.
Medium - V-25302 - SV-37221r1_rule
RMF Control
Severity
M
CCI
Version
OSX00310 M6
Vuln IDs
  • V-25302
Rule IDs
  • SV-37221r1_rule
If not properly configured, the logon screen provides a list of local user names available for logon. A user could use this information to attempt to login as a different user. System AdministratorECSC-1
Checks: C-35910r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Select Login Options. 3. Ensure "Display login window as:" is set to "Name &amp; password". If the option is not set to "Name &amp; Password", this is a finding.

Fix: F-31168r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Set "Display login window as:" to 'Name & password'.

c
Input menu must not be shown in login window.
High - V-25304 - SV-37225r1_rule
RMF Control
Severity
H
CCI
Version
OSX00320 M6
Vuln IDs
  • V-25304
Rule IDs
  • SV-37225r1_rule
Showing input in the login window could compromise the integrity of the information, and could also allow someone shoulder surfing to gain unauthorized access to the system.System AdministratorIAAC-1
Checks: C-35915r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Select Login Options. 3. Ensure the "Show input menu in login window" is not checked. If the option is checked, this is a finding.

Fix: F-31172r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Show input menu in login window" to disable this option.

c
The system must be configured to not show password hints.
High - V-25305 - SV-37226r1_rule
RMF Control
Severity
H
CCI
Version
OSX00325 M6
Vuln IDs
  • V-25305
Rule IDs
  • SV-37226r1_rule
Providing information in the password hint field could compromise the integrity of the password. Showing password hint could allow someone shoulder surfing to gain information leading to unauthorized access to the system. System AdministratorIAAC-1
Checks: C-35916r1_chk

1. Open System Preferences-&gt;Accounts Panel. 2. Select Login Options. 3. Ensure the "Show password hints" is not checked. If the option is checked, this is a finding.

Fix: F-31173r1_fix

1. Open System Preferences->Accounts Panel. 2. Select Login Options. 3. Deselect "Show password hints" to disable this option.

b
Fast User Switching must be disabled.
Medium - V-25306 - SV-37229r1_rule
RMF Control
Severity
M
CCI
Version
OSX00330 M6
Vuln IDs
  • V-25306
Rule IDs
  • SV-37229r1_rule
Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer.System AdministratorIAAC-1
Checks: C-35919r1_chk

Open System Preferences-&gt;Accounts Panel. Select Login Options. Ensure the "Show fast user switching menu as" is not checked. If the option is checked, this is a finding.

Fix: F-31176r1_fix

Open System Preferences->Accounts Panel. Select Login Options. Deselect "Show fast user switching menu as" to disable this option.

c
The password-related hint field must not be used.
High - V-25307 - SV-38532r1_rule
RMF Control
Severity
H
CCI
Version
OSX00335 M6
Vuln IDs
  • V-25307
Rule IDs
  • SV-38532r1_rule
If a hint is provided, the user is presented with the hint after three failed authentication attempts. Password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization’s technical support is convenient and does not compromise password integrity.System AdministratorIAAC-1
Checks: C-37745r1_chk

1. Open System Preferences-&gt;Accounts Panel, for each account. 2. Click 'reset password' (Change Password for current user). 3. Ensure no data exists in the password hints field. 4. Click Cancel. If any accounts have hints data, this is a finding. NOTE: The password hints field may include contact information for the organization's technical support.

Fix: F-32989r1_fix

1. Open System Preferences -> Accounts Panel, for each account. 2. Click 'reset password' (Change Password for current user). 3. Remove any data in the password hints field. NOTE: The password hints field may include contact information for the organization's technical support.

c
Automatic actions must be disabled for blank CDs.
High - V-25308 - SV-37230r1_rule
RMF Control
Severity
H
CCI
Version
OSX00340 M6
Vuln IDs
  • V-25308
Rule IDs
  • SV-37230r1_rule
To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECSC-1
Checks: C-35920r1_chk

Open a terminal session and enter the following command. defaults read /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict If the action is not set to "1", this is a finding.

Fix: F-31177r1_fix

Open a terminal session and enter the following command. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1

c
Automatic actions must be disabled for music CDs.
High - V-25309 - SV-37231r1_rule
RMF Control
Severity
H
CCI
Version
OSX00345
Vuln IDs
  • V-25309
Rule IDs
  • SV-37231r1_rule
To secure CDs and DVDs (music), do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECSC-1
Checks: C-35921r1_chk

Open System Preferences - &gt; CDs and DVDs. Ensure "When you insert a music CD" is set to "Ignore". If the option is not set to "Ignore", this is a finding.

Fix: F-31179r1_fix

Open System Preferences - > CDs and DVDs. Set "When you insert a music CD" to "Ignore".

c
Automatic actions must be disabled for picture CDs.
High - V-25310 - SV-37235r1_rule
RMF Control
Severity
H
CCI
Version
OSX00350 M6
Vuln IDs
  • V-25310
Rule IDs
  • SV-37235r1_rule
To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECSC-1
Checks: C-35924r1_chk

Open System Preferences - &gt; CDs and DVDs. Ensure "When you insert a picture CD" is set to "Ignore". If the option is not set to "Ignore", this is a finding.

Fix: F-31182r1_fix

Open System Preferences - > CDs and DVDs. Set "When you insert a picture CD" to "Ignore".

c
Automatic actions must be disabled for video DVDs.
High - V-25311 - SV-37236r1_rule
RMF Control
Severity
H
CCI
Version
OSX00355 M6
Vuln IDs
  • V-25311
Rule IDs
  • SV-37236r1_rule
To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECSC-1
Checks: C-35925r1_chk

Open System Preferences - &gt; CDs and DVDs. Ensure "When you insert a video DVD" is set to "Ignore". If the option is not set to "Ignore", this is a finding.

Fix: F-31183r1_fix

Open System Preferences - > CDs and DVDs. Set "When you insert a video DVD" to "Ignore".

b
System must have a password-protected screen saver configured to DoD requirements.
Medium - V-25312 - SV-38533r1_rule
RMF Control
Severity
M
CCI
Version
OSX00360 M6
Vuln IDs
  • V-25312
Rule IDs
  • SV-38533r1_rule
User needs to configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers. A short inactivity interval should also be set to decrease the amount of time the unattended computer is unlocked. System AdministratorPESL-1
Checks: C-37746r1_chk

Open System Preferences-&gt;Desktop &amp; Screen Saver. Select the screen saver tab. Ensure the "Start screen saver" slider is set to 15 minutes or less. If not, this is a finding.

Fix: F-32990r1_fix

Open System Preferences->Desktop & Screen Saver. Select the screen saver tab. Set the "Start screen saver" slider to 15 minutes or less.

b
The ability to use corners to disable the screen saver must be disabled.
Medium - V-25317 - SV-37242r1_rule
RMF Control
Severity
M
CCI
Version
OSX00375 M6
Vuln IDs
  • V-25317
Rule IDs
  • SV-37242r1_rule
A computer should require authentication when waking from sleep or screen saver. Exposé & Spaces preferences can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen. Do not configure a corner to disable the screen saver.System AdministratorPESL-1
Checks: C-35934r1_chk

Open System Preferences-&gt;Exposé &amp; Spaces, Exposé pane. Ensure no corners are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account. If any account is set to disable screen savers via corners, this is a finding. NOTE: Do this for each user on the system.

Fix: F-31189r1_fix

Open System Preferences->Exposé & Spaces, Exposé pane. Remove any corners which are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account.

b
Bluetooth devices must not be allowed to wake the computer.
Medium - V-25318 - SV-38535r1_rule
RMF Control
Severity
M
CCI
Version
OSX00380 M6
Vuln IDs
  • V-25318
Rule IDs
  • SV-38535r1_rule
If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer. System AdministratorECSC-1
Checks: C-37748r1_chk

Open System Preferences -&gt; Bluetooth. Click Advanced. Ensure "Allow Bluetooth devices to wake this computer" is not checked. If the option is checked, this is a finding.

Fix: F-32992r1_fix

Open System Preferences -> Bluetooth. Click Advanced. Deselect "Allow Bluetooth devices to wake this computer".

b
Unused hardware devices must be disabled for AirPort.
Medium - V-25320 - SV-37245r1_rule
RMF Control
Severity
M
CCI
Version
OSX00385 M6
Vuln IDs
  • V-25320
Rule IDs
  • SV-37245r1_rule
It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
Checks: C-35935r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select AirPort. Ensure the "Status" is set to "Off". If the service is not set to off or removed, this is a finding.

Fix: F-31191r1_fix

Open System Preferences - > Network. From the list of hardware devices, select AirPort. Set this service to "Off" by clicking the gear sign and selecting "Turn service off". Remove service if required by site requirements by clicking the minus sign.

b
Unused hardware devices must be disabled for Bluetooth.
Medium - V-25321 - SV-38536r1_rule
RMF Control
Severity
M
CCI
Version
OSX00390 M6
Vuln IDs
  • V-25321
Rule IDs
  • SV-38536r1_rule
It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
Checks: C-37749r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select Bluetooth. Ensure the "Status" is set to "Inactive". If the service is not inactive or removed, this is a finding.

Fix: F-32993r1_fix

Open System Preferences - > Network. From the list of hardware devices, select Bluetooth. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose "Manually".)

b
Unused hardware devices must be disabled for Firewire.
Medium - V-25323 - SV-38538r1_rule
RMF Control
Severity
M
CCI
Version
OSX00395 M6
Vuln IDs
  • V-25323
Rule IDs
  • SV-38538r1_rule
It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices (Firewire) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
Checks: C-37750r1_chk

Open System Preferences - &gt; Network. From the list of hardware devices, select Firewire. Ensure the "Status" is set to "Inactive". If the service is not set to inactive or removed, this is a finding.

Fix: F-32994r1_fix

Open System Preferences - > Network. From the list of hardware devices, select Firewire. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. (From the "Configure" pop-up menu, choose "Manually".)

b
System Preferences must be securely configured so IPv6 is turned off if not being used.
Medium - V-25324 - SV-37247r1_rule
RMF Control
Severity
M
CCI
Version
OSX00400 M6
Vuln IDs
  • V-25324
Rule IDs
  • SV-37247r1_rule
It is recommended to disable unused hardware devices listed in Network preferences. Enabled, unused devices are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.System AdministratorECSC-1
Checks: C-35937r1_chk

Open System Preferences - &gt; Network. Click Advanced. Click the TCP/IP tab. Ensure "Configure IPv6" is set to "Off". If the option is not set to "Off", this is a finding. NOTE: This must be checked on all network interfaces.

Fix: F-31194r1_fix

Open System Preferences - > Network. Click Advanced. Click the TCP/IP tab and set "Configure IPv6" to "Off", if not actively being used. NOTE: This must be disabled on each network interface.

b
A password must be required to wake a computer from sleep or screen saver.
Medium - V-25328 - SV-38560r1_rule
RMF Control
Severity
M
CCI
Version
OSX00420 M6
Vuln IDs
  • V-25328
Rule IDs
  • SV-38560r1_rule
Require a password to wake a computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. Although there is a lock button for Security references, users do not need to be authorized as an administrator to make changes. Enable this password requirement for every user account on the computer.System AdministratorPESL-1
Checks: C-37755r1_chk

Open a terminal session and enter the following command. defaults -currentHost read com.apple.screensaver askForPassword -int If the action value is not set to "1", this is a finding.

Fix: F-32998r1_fix

Open a terminal session and enter the following command. defaults -currentHost write com.apple.screensaver askForPassword -int 1

c
Automatic login must be disabled.
High - V-25329 - SV-37251r1_rule
RMF Control
Severity
H
CCI
Version
OSX00425 M6
Vuln IDs
  • V-25329
Rule IDs
  • SV-37251r1_rule
Disabling automatic login is necessary for any level of security. If automatic login is enabled, an intruder can log in without authenticating. Even automatically logging in with a restricted user account, it is still easier to perform malicious actions on the computer.System AdministratorIAAC-1
Checks: C-35942r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Disable automatic login" option is checked. If option is not checked, this is a finding.

Fix: F-31198r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable automatic login".

b
A password must be required to unlock each System Preference Pane.
Medium - V-25330 - SV-37254r1_rule
RMF Control
Severity
M
CCI
Version
OSX00430 M6
Vuln IDs
  • V-25330
Rule IDs
  • SV-37254r1_rule
Some system preferences are unlocked when logged in with an administrator account. By requiring a password, digital token, smart card, or biometric reader to unlock secure system preferences, this requires extra authentication. System AdministratorECSC-1
Checks: C-35945r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Require password to unlock each System Preferences Pane" is checked. If option is not checked, this is a finding.

Fix: F-31201r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Require password to unlock each System Preferences Pane".

a
Automatic logout due to inactivity must be disabled.
Low - V-25331 - SV-37262r1_rule
RMF Control
Severity
L
CCI
Version
OSX00435 M6
Vuln IDs
  • V-25331
Rule IDs
  • SV-37262r1_rule
Although some might want to enable automatic logout based on inactivity, there are reasons why this feature should be disabled. First, it can disrupt workflow. Second, it can close applications or processes without approval (but a password-protected screen saver will not close applications). Third, because automatic logout can be interrupted, it provides a false sense of security. System AdministratorECSC-1
Checks: C-35952r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Log out after x minutes of inactivity" is not checked. If it is checked, this is a finding.

Fix: F-31208r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Deselect "Log out after x minutes of inactivity".

b
Secure virtual memory must be used.
Medium - V-25332 - SV-37263r1_rule
RMF Control
Severity
M
CCI
Version
OSX00440 M6
Vuln IDs
  • V-25332
Rule IDs
  • SV-37263r1_rule
Use secure virtual memory. The system’s virtual memory swap file stores inactive physical memory contents, freeing physical memory. By default on some systems, the swap file is unencrypted. This file can contain confidential data, such as documents and passwords. Using secure virtual memory will secure the swap file at a cost of slightly slower speed (because Mac OS X must encrypt and decrypt the secure swap file).System AdministratorECRC-1
Checks: C-35955r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Use Secure Virtual Memory" is checked. If option is not checked, this is a finding.

Fix: F-31209r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Use Secure Virtual Memory".

b
Remote control infrared receiver must be disabled.
Medium - V-25333 - SV-38561r1_rule
RMF Control
Severity
M
CCI
Version
OSX00445 M6
Vuln IDs
  • V-25333
Rule IDs
  • SV-38561r1_rule
If not using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling a computer through the infrared receiver.System AdministratorECSC-1
Checks: C-37756r1_chk

1. Open System Preferences-&gt;Security. 2. Select General tab. 3. Ensure "Disable remote control infrared receiver" is checked. If the option is not checked, this is a finding.

Fix: F-32999r1_fix

1. Open System Preferences->Security. 2. Select General tab. 3. Select "Disable remote control infrared receiver".

b
Only essential services must be allowed through firewall.
Medium - V-25335 - SV-38563r1_rule
RMF Control
Severity
M
CCI
Version
OSX00455 M6
Vuln IDs
  • V-25335
Rule IDs
  • SV-38563r1_rule
Allowing only essential services through the firewall alleviates the potential for unwanted services to run on the system, and cuts down on system usage. System AdministratorECND-1
Checks: C-37758r1_chk

Open System Preferences-&gt;Security. Select Firewall tab. Select Advanced (firewall should be started). Either "Block all incoming connections" should be checked or only essential services and applications should be allowed. If not, this is a finding.

Fix: F-33002r1_fix

Open System Preferences -> Security. Select Firewall tab. Select the Advanced button. Check "Block all incoming connections" or remove any non-essential services and applications.

b
Stealth Mode must be enabled on the firewall.
Medium - V-25337 - SV-37266r1_rule
RMF Control
Severity
M
CCI
Version
OSX00465 M6
Vuln IDs
  • V-25337
Rule IDs
  • SV-37266r1_rule
Enable Stealth Mode to prevent the computer from sending responses to uninvited traffic. System AdministratorECSC-1
Checks: C-35957r1_chk

Open a terminal session and enter the following command. sudo ipfw print If no line contains "deny icmp from any to me in icmptypes 8" or a more restrictive rule, this is a finding.

Fix: F-31212r1_fix

Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>org.freebsd.ipfw</string> <key>Program</key> <string>/sbin/ipfw</string> <key>ProgramArguments</key> <array> <string>/sbin/ipfw</string> <string>/etc/ipfw.conf</string> </array> <key>RunAtLoad</key> <true /> </dict> </plist> Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number, a line number, may need to be changed if another line already begins with that number). Add 20 deny icmp from any to me in icmptypes 8

b
DVD or CD Sharing must be disabled.
Medium - V-25338 - SV-37268r1_rule
RMF Control
Severity
M
CCI
Version
OSX00470 M6
Vuln IDs
  • V-25338
Rule IDs
  • SV-37268r1_rule
DVD or CD sharing must be disabled because it allows users of other computers to remotely use the DVD or CD drive on a computer. System AdministratorECCD-1
Checks: C-35958r1_chk

Open System Preferences-&gt;Sharing. Ensure "DVD or CD Sharing" service does not have the "On" box checked. If the box is checked, this is a finding.

Fix: F-31214r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "DVD or CD Sharing" service.

b
Screen Sharing must be disabled.
Medium - V-25339 - SV-37273r1_rule
RMF Control
Severity
M
CCI
Version
OSX00475 M6
Vuln IDs
  • V-25339
Rule IDs
  • SV-37273r1_rule
Screen sharing must be disabled because it allows users of other computers to remotely view and control the computer. System AdministratorECCD-1
Checks: C-35961r1_chk

Open System Preferences-&gt;Sharing. Ensure "Screen Sharing" service does not have the "On" box checked. If the box is checked, this is a finding.

Fix: F-31217r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Screen Sharing" service.

b
File Sharing must be disabled.
Medium - V-25340 - SV-37274r1_rule
RMF Control
Severity
M
CCI
Version
OSX00480 M6
Vuln IDs
  • V-25340
Rule IDs
  • SV-37274r1_rule
File sharing must be disabled because it gives users of other computers access to each user’s Public folder.System AdministratorECCD-1
Checks: C-35966r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "File Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31222r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "File Sharing" service.

b
Printer Sharing must be disabled.
Medium - V-25341 - SV-37278r1_rule
RMF Control
Severity
M
CCI
Version
OSX00485 M6
Vuln IDs
  • V-25341
Rule IDs
  • SV-37278r1_rule
Printer sharing must be disabled because it allows other computers to access a printer connected to the computer.System AdministratorECCD-1
Checks: C-35969r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Printer Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31224r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Printer Sharing" service.

b
Web Sharing must be disabled.
Medium - V-25342 - SV-37282r1_rule
RMF Control
Severity
M
CCI
Version
OSX00490 M6
Vuln IDs
  • V-25342
Rule IDs
  • SV-37282r1_rule
Web Sharing must be disabled because it allows a network user to view websites located in /Sites. System AdministratorECCD-1
Checks: C-35973r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On'" box for "Web Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31228r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Web Sharing" service.

b
Remote Login must be disabled.
Medium - V-25343 - SV-37284r1_rule
RMF Control
Severity
M
CCI
Version
OSX00495 M6
Vuln IDs
  • V-25343
Rule IDs
  • SV-37284r1_rule
Remote Login must be disabled because it allows users to access the computer remotely.System AdministratorECCD-1
Checks: C-35976r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Remote Login" service is not checked. If the box is checked, this is a finding.

Fix: F-31230r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Remote Login" service.

b
Apple Remote Desktop must be disabled.
Medium - V-25346 - SV-37288r1_rule
RMF Control
Severity
M
CCI
Version
OSX00500 M6
Vuln IDs
  • V-25346
Rule IDs
  • SV-37288r1_rule
Apple Remote Desktop must be disabled because it allows the computer to be accessed using Apple Remote Desktop.System AdministratorECCD-1
Checks: C-35982r1_chk

Open System Preferences-&gt;Sharing. Ensure the "On" box for "Remote Management" service is not checked. If the box is checked, this is a finding.

Fix: F-31236r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Remote Management" service.

b
Remote Apple Events must be disabled.
Medium - V-25348 - SV-37290r1_rule
RMF Control
Severity
M
CCI
Version
OSX00505 M6
Vuln IDs
  • V-25348
Rule IDs
  • SV-37290r1_rule
Remote Apple Events must be disabled because it allows the computer to receive Apple events from other computers.System AdministratorECCD-1
Checks: C-35984r1_chk

Open System Preferences-&gt;Sharing. Ensure the "On" box for "Remote Apple Events" service is not checked. If the box is checked, this is a finding.

Fix: F-31238r1_fix

Open System Preferences->Sharing. Uncheck the "On" box for "Remote Apple Events" service.

b
Xgrid Sharing must be disabled.
Medium - V-25349 - SV-37293r1_rule
RMF Control
Severity
M
CCI
Version
OSX00510 M6
Vuln IDs
  • V-25349
Rule IDs
  • SV-37293r1_rule
Xgrid Sharing must be disabled because it allows computers on a network to work together in a grid to process a job.System AdministratorECCD-1
Checks: C-35989r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Xgrid Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31241r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Xgrid Sharing" service.

b
Internet Sharing must be disabled.
Medium - V-25350 - SV-37296r1_rule
RMF Control
Severity
M
CCI
Version
OSX00515 M6
Vuln IDs
  • V-25350
Rule IDs
  • SV-37296r1_rule
Internet Sharing must be disabled because it allows other users to connect with computers on your local network, through your internet connection.System AdministratorECCD-1
Checks: C-35990r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Internet Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31244r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Internet Sharing" service.

b
Bluetooth Sharing must be disabled.
Medium - V-25351 - SV-37299r1_rule
RMF Control
Severity
M
CCI
Version
OSX00520 M6
Vuln IDs
  • V-25351
Rule IDs
  • SV-37299r1_rule
Bluetooth Sharing must be disabled because it allows other Bluetooth-enabled computers and devices to share files with your computer.System AdministratorECCD-1, ECWN-1
Checks: C-35994r1_chk

1. Open System Preferences-&gt;Sharing. 2. Ensure the "On" box for "Bluetooth Sharing" service is not checked. If the box is checked, this is a finding.

Fix: F-31247r1_fix

1. Open System Preferences->Sharing. 2. Uncheck the "On" box for "Bluetooth Sharing" service.

b
Mail must be configured using SSL.
Medium - V-25354 - SV-38567r1_rule
RMF Control
Severity
M
CCI
Version
OSX00525 M6
Vuln IDs
  • V-25354
Rule IDs
  • SV-38567r1_rule
When setting up user mail accounts, select "use SSL" in advanced options. This setting is for the Mail app included with OS X. Instructions will be different for other mail applications, but all mail applications should be set up secured using some form of encryption. System AdministratorECCT-1, ECCT-2
Checks: C-37761r1_chk

NOTE: If you are not using the Mac Mail Application, this check does not apply. Choose Mail &gt; Preferences, and then click Accounts. Select an account, and then click Advanced. Ensure "Use SSL" is selected. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). If not, this is a finding. Click Account Information. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. From the server list, select the outgoing mail server, and then click Advanced. Ensure Secure Socket Layer (SSL) is selected. From the Authentication pop-up menu, ensure an authentication method is selected (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). If not, this is a finding.

Fix: F-33005r1_fix

Choose Mail > Preferences, Click Accounts. Select an account, Click Advanced. Select "Use SSL". From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). Click Account Information. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit Server List. From the server list, select your outgoing mail server and then click Advanced. Select "Secure Socket Layer (SSL)". From the Authentication pop-up menu, select authentication method (e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 (GSSAPI), or Authenticated POP (APOP)). Close the preferences window, and then click "Save" in the message that appears.

a
iTunes Store must be disabled.
Low - V-25355 - SV-37301r1_rule
RMF Control
Severity
L
CCI
Version
OSX00530 M6
Vuln IDs
  • V-25355
Rule IDs
  • SV-37301r1_rule
iTunes store allows a user to purchase and download music, videos, and podcasts, which could inadvertently introduce malware on the system. NOTE: The fix must be performed for each user.System AdministratorECSC-1
Checks: C-35996r1_chk

Open iTunes. Choose iTunes -&gt; Preferences. Choose the "Parental" tab. In the "Disable:" section, ensure the following items are checked. "Podcasts" "Radio streaming" "iTunes Store" "Allow Access to iTunesU" "Ping" (if it exists) "Shared Libraries" If not, this is a finding.

Fix: F-28280r2_fix

Open Finder. Select Applications. Double click the iTunes application. On the top menu bar click iTunes and from the drop down menu select Preferences. Click on the Parental icon. Check the following items to disable. "Podcasts" "Radio streaming" "iTunes Store" "Allow Access to iTunesU" "Ping" (if it exists) "Shared Libraries" NOTE: This must be performed for each user.

a
Finder must be set to always empty Trash securely.
Low - V-25356 - SV-37303r1_rule
RMF Control
Severity
L
CCI
Version
OSX00535 M6
Vuln IDs
  • V-25356
Rule IDs
  • SV-37303r1_rule
In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.System AdministratorECRC-1
Checks: C-35998r1_chk

1. Open Finder-&gt; Preferences -&gt; Advanced. 2. Ensure "Empty Trash Securely" is checked. If the option is not checked, this is a finding. This must be done for each user on the system.

Fix: F-31251r1_fix

1. Open Finder-> Preferences -> Advanced. 2. Select "Empty Trash Securely". This must be done for each user on the system.

b
iDisk must be removed from Finder sidebar.
Medium - V-25358 - SV-37308r1_rule
RMF Control
Severity
M
CCI
Version
OSX00540 M6
Vuln IDs
  • V-25358
Rule IDs
  • SV-37308r1_rule
iDisk data is stored on Internet servers and is protected by MobileMe account. However, if MobileMe account is accessed by an unauthorized user, data can be compromised. Do not store sensitive data on iDisk. Keep sensitive data local and encrypted on a computer.System AdministratorECRC-1
Checks: C-36002r1_chk

1. Open Finder &gt; Preferences &gt; Sidebar. 2. Ensure the iDisk icon is not selected. If the option is selected, this is a finding. This must be done for each user on the system.

Fix: F-31254r1_fix

1. Open Finder -> Preferences -> Sidebar. 2. De-select the iDisk icon. This must be done for each user on the system.

c
The root account must be disabled.
High - V-25371 - SV-38568r1_rule
RMF Control
Severity
H
CCI
Version
OSX00655 M6
Vuln IDs
  • V-25371
Rule IDs
  • SV-38568r1_rule
The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended to not enable it. The root account is primarily used for performing UNIX commands. Generally, actions involving critical system files require performing those actions as root.System AdministratorIAAC-1
Checks: C-37762r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Lock and enter the password to unlock the options. Click the Edit menu (Directory Utility bar on top) and verify that "Enable Root User" appears. If the "Disable Root User" option is visible, this is a finding.

Fix: F-33006r1_fix

Open Finder Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Lock and enter the password to unlock the options. Click the Edit menu (Directory Utility bar on top). Click Disable Root User.

b
Physical security of the system must meet DoD requirements.
Medium - V-25372 - SV-38583r1_rule
RMF Control
Severity
M
CCI
Version
OSX00660 M6
Vuln IDs
  • V-25372
Rule IDs
  • SV-38583r1_rule
Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line protection of any system. Physical security of the Automated Information System (AIS) must meet DoD requirements. System AdministratorPECF-2
Checks: C-37772r1_chk

Interview the SA to determine if equipment is located in a controlled access area.

Fix: F-33018r1_fix

Relocate equipment to a controlled access area.

b
Shared User Accounts must be disabled.
Medium - V-25373 - SV-37313r1_rule
RMF Control
Severity
M
CCI
Version
OSX00665 M6
Vuln IDs
  • V-25373
Rule IDs
  • SV-37313r1_rule
Shared accounts do not provide individual accountability for system access and resource usage. Shared user accounts are not permitted on the system. System AdministratorIAGA-1
Checks: C-36006r1_chk

Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account (which provides no individual identification and accountability) is mitigated. NOTE: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if the machine is stand-alone and has no access to the network.

Fix: F-31258r1_fix

Remove any shared accounts not meeting the exception requirements listed.

b
The Operating System must be current and at the latest release level.
Medium - V-25374 - SV-38569r1_rule
RMF Control
Severity
M
CCI
Version
OSX00670 M6
Vuln IDs
  • V-25374
Rule IDs
  • SV-38569r1_rule
Failure to install the most current Operating System (OS) updates leaves a system vulnerable to exploitation. Current OS updates and patches correct known security and system vulnerabilities. If an OS is not at a supported level this will be upgraded to a Category I finding.If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.System AdministratorVIVM-1
Checks: C-37763r1_chk

Open a terminal session and enter one of the following commands. sudo softwareupdate --list OR sudo softwareupdate --list --all Review the results and verify the system is at the current release level. If not, this is a finding.

Fix: F-33007r1_fix

Install the current OS updates and patches.

a
System Recovery Backup procedures must be configured to comply with DoD requirements.
Low - V-25375 - SV-37320r1_rule
RMF Control
Severity
L
CCI
Version
OSX00675 M6
Vuln IDs
  • V-25375
Rule IDs
  • SV-37320r1_rule
Recovery of a damaged or compromised system in a timely basis is difficult without a system information backup. A system backup will usually include sensitive information, such as user accounts that could be used in an attack. As a valuable system resource, the system backup should be protected and stored in a physically secure location.System AdministratorCODB-1
Checks: C-36010r1_chk

Interview the SA to determine if system recovery backup procedures are in place complying with DoD requirements. Any of the following would be a finding: • The site does not maintain emergency system recovery data. • The emergency system recovery data is not protected from destruction and stored in a locked storage container. • The emergency system recovery data has not been updated following the last system modification.

Fix: F-31261r1_fix

Implement data backup procedures complying with DoD requirements.

b
An Emergency Administrator Account must be created.
Medium - V-25376 - SV-37322r1_rule
RMF Control
Severity
M
CCI
Version
OSX00685 M6
Vuln IDs
  • V-25376
Rule IDs
  • SV-37322r1_rule
This check verifies an emergency administrator account has been created to ensure system availability in the event no administrators are able or available to access the system.System AdministratorECPA-1
Checks: C-36014r1_chk

Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location.

Fix: F-28299r2_fix

Create and maintain an emergency administrator account for emergency situations.

b
Default and Emergency Administrator passwords must be changed when necessary.
Medium - V-25377 - SV-37325r1_rule
RMF Control
Severity
M
CCI
Version
OSX00690 M6
Vuln IDs
  • V-25377
Rule IDs
  • SV-37325r1_rule
This check verifies the passwords for the default and emergency administrator accounts are changed at least annually or when any member of the administrative team leaves the organization.System AdministratorECPA-1
Checks: C-36017r1_chk

Interview the SA or IAM to determine if the site has a policy requiring the default and backup administrator passwords to be changed at least annually or when any member of the administrative team leaves the organization.

Fix: F-31266r1_fix

Define a policy for required password changes for the default and backup administrator account.

b
Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization.
Medium - V-25378 - SV-37329r1_rule
RMF Control
Severity
M
CCI
Version
OSX00695 M6
Vuln IDs
  • V-25378
Rule IDs
  • SV-37329r1_rule
Setting application accounts to expire may cause applications to stop functioning. The site will have a policy for application account passwords manually generated and entered by a system administrator to be changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords.System AdministratorECPA-1
Checks: C-36020r1_chk

The site should have a local policy ensuring passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.

Fix: F-31269r1_fix

Create application/service account passwords at least 15 characters in length and meet complexity requirements. Change of application/service account passwords are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.

b
Automatic Screen Saver initiation must be enabled when smart card is removed from machine.
Medium - V-25379 - SV-38572r1_rule
RMF Control
Severity
M
CCI
Version
OSX00700 M6
Vuln IDs
  • V-25379
Rule IDs
  • SV-38572r1_rule
When using a smart card for authentication the system must be configured to automatically lock the system when the smart card is removed.System AdministratorECSC-1
Checks: C-37765r1_chk

Open System Preferences. Click the Security Icon. Click the General Tab. Ensure "Activate screen saver when login token is removed" option is selected. If the option is not selected, this is a finding. NOTE: If you are not using a smart card application, this check does not apply. NOTE: This configuration option is still available if a smart card application is not installed.

Fix: F-33010r1_fix

Open System Preferences. Click the Security Icon. Click the General Tab. Select "Activate screen saver when login token is removed".

b
Access to audit configuration files must be restricted.
Medium - V-25380 - SV-38570r1_rule
RMF Control
Severity
M
CCI
Version
OSX00680 M6
Vuln IDs
  • V-25380
Rule IDs
  • SV-38570r1_rule
Audit configuration files are susceptible to unauthorized, and possibly anonymous, tampering if proper permissions are not applied. System AdministratorECTP-1
Checks: C-37764r1_chk

Open a terminal session and enter the following command to view the permissions on the audit control files. ls -lL /etc/security If any audit control file has a permission less restricted than 555, this is a finding.

Fix: F-33008r1_fix

Open a terminal session and enter the following command to set the file permissions. chmod 555 /etc/security/ <audit control file>

b
Spotlight Panel must be securely configured.
Medium - V-25413 - SV-37331r1_rule
RMF Control
Severity
M
CCI
Version
OSX00705 M6
Vuln IDs
  • V-25413
Rule IDs
  • SV-37331r1_rule
Spotlight can be used to search a computer for files. Spotlight searches the name, the meta-information associated with each file, and the contents of each file. Spotlight finds files regardless of their placement in the file system. This still must be properly set access permissions on folders containing confidential files.System AdministratorECCD-1
Checks: C-36023r1_chk

To securely configure Spotlight preferences: Open System Preferences. Click the Spotlight Icon. In the Search Results pane, verify the categories not wanted as searchable by Spotlight are unchecked. Click the Privacy pane. Verify the correct folders and disks are in the Privacy pane; these are not searchable by Spotlight. If searchable categories or folders are found that should not be searchable, this is a finding.

Fix: F-28370r2_fix

To securely configure Spotlight preferences: Open System Preferences. Click the Spotlight Icon. In the Search Results pane, deselect categories not wanted searchable by Spotlight. Click the Privacy pane. Click the Add button or drag a folder or disk into the Privacy pane. Folders and disks in the Privacy pane are now not searchable by Spotlight.

c
Clear text passwords for all LDAPv3 directories must be disabled.
High - V-25557 - SV-38573r1_rule
RMF Control
Severity
H
CCI
Version
OSX00121 M6
Vuln IDs
  • V-25557
Rule IDs
  • SV-38573r1_rule
Allowing passwords to be transmitted over the network in clear text could allow an attacker to monitor the network and capture the password packets. This clear text function must be disabled when accessing LDAPv3 directories.System AdministratorECCT-1, ECCT-2
Checks: C-37766r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and verify the "Disable clear text passwords" is checked. If the value is not checked, this is a finding.

Fix: F-33011r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Security tab and select "Disable clear text passwords".

b
All LDAPv3 packets must be digitally signed.
Medium - V-25559 - SV-38575r1_rule
RMF Control
Severity
M
CCI
Version
OSX00122 M6
Vuln IDs
  • V-25559
Rule IDs
  • SV-38575r1_rule
To protect the data between the client and LDAPv3 directory the traffic should be digitally signed.System AdministratorECCT-1, ECCT-2
Checks: C-37767r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and verify the "Digitally sign all packets (requires Kerberos) " is checked. If the value is not checked, this is a finding.

Fix: F-33012r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and select "Digitally sign all packets (requires Kerberos)".

b
All LDAPv3 packets must be encrypted.
Medium - V-25561 - SV-38577r1_rule
RMF Control
Severity
M
CCI
Version
OSX00123 M6
Vuln IDs
  • V-25561
Rule IDs
  • SV-38577r1_rule
All traffic between the client and the LDAPv3 should be encrypted to ensure confidentiality of data.System AdministratorECCT-1, ECCT-2
Checks: C-37768r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and verify the "Encrypt all packets (requires SSL or Kerberos) " is checked. If the value is not checked, this is a finding.

Fix: F-33013r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and select "Encrypt all packets (requires SSL or Kerberos)".

b
LDAPv3 must block man-in-the-middle attacks.
Medium - V-25563 - SV-38578r1_rule
RMF Control
Severity
M
CCI
Version
OSX00124 M6
Vuln IDs
  • V-25563
Rule IDs
  • SV-38578r1_rule
To prevent LDAPv3 man-in-the middle attacks the system must be properly configured.System AdministratorECCT-1, ECCT-2
Checks: C-37769r1_chk

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and verify the "Block man-in-the-middle attacks (requires Kerberos)" is checked. If the value is not checked, this is a finding.

Fix: F-33015r1_fix

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Security tab and select "Block man-in-the-middle attacks (requires Kerberos)".

c
Automatic actions must be disabled for blank DVDs.
High - V-25606 - SV-37333r1_rule
RMF Control
Severity
H
CCI
Version
OSX00341 M6
Vuln IDs
  • V-25606
Rule IDs
  • SV-37333r1_rule
To secure CDs and DVDs (blank), do not allow the computer to perform automatic actions when the user inserts a disc. When disabling automatic actions in System Preferences, these actions must be disabled for every user account on the computer.System AdministratorECCD-1
Checks: C-36024r1_chk

Open a terminal session and enter the following command. defaults read /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict If the action value is not set to "1", this is a finding.

Fix: F-31271r1_fix

Open a terminal session and enter the following command. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1

b
Bonjour must be disabled.
Medium - V-25882 - SV-38581r1_rule
RMF Control
Severity
M
CCI
Version
OSX00467 M6
Vuln IDs
  • V-25882
Rule IDs
  • SV-38581r1_rule
Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.System AdministratorECSC-1
Checks: C-37771r1_chk

Open a terminal session and enter the following command. sudo ipfw print. If no line contains "deny udp from any to me dst-port 5353" or a more restrictive rule, this is a finding.

Fix: F-33017r1_fix

Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>org.freebsd.ipfw</string> <key>Program</key> <string>/sbin/ipfw</string> <key>ProgramArguments</key> <array> <string>/sbin/ipfw</string> <string>/etc/ipfw.conf</string> </array> <key>RunAtLoad</key> <true /> </dict> </plist> Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number, a line number, may need to be changed if another line already begins with that number): Add 10 deny udp from any to me dst-port 5353

b
Complex passwords must contain Alphabetic Character.
Medium - V-29437 - SV-38603r1_rule
RMF Control
Severity
M
CCI
Version
OSX00036 M6
Vuln IDs
  • V-29437
Rule IDs
  • SV-38603r1_rule
Configure the local system to verify newly created passwords conform to DoD password complexity policy. Passwords must contain 1 character from the following 4 classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Sites are responsible for installing password complexity software complying with the current DoD requirements.System AdministratorIAIA-1
Checks: C-37774r1_chk

Open a terminal session and run the following command. pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresAlpha If the value of requiresAlpha is not set to 1, this is a finding. NOTE: If the command returns a response of: password server is not configured, the system is not managed. Add the path /Local/Default to the above command, an example would be: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresAlpha

Fix: F-33021r1_fix

Open a terminal session and run the following command. sudo pwpolicy -n -setglobalpolicy "requiresAlpha=1" For non managed systems the path /Local/Default would need to be added to the command, an example would be: sudo pwpolicy -n /Local/Default -setglobalpolicy "requiresAlpha=1"

b
Complex passwords must contain a Symbolic Character.
Medium - V-29439 - SV-38607r1_rule
RMF Control
Severity
M
CCI
Version
OSX00038 M6
Vuln IDs
  • V-29439
Rule IDs
  • SV-38607r1_rule
Configure the local system to verify newly created passwords conform to the DoD password complexity policy. Passwords must contain 1 character from the following 4 classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Sites are responsible for installing password complexity software that complies with current DoD requirements.System AdministratorIAIA-1
Checks: C-37776r1_chk

Open a terminal session and run the following command. pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresSymbol If the value of requireSymbol is not set to 1, this is a finding. NOTE: If the command returns a response of password server is not configured, the system is not managed. Add the path /Local/Default to the above commands, an example would be: pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresSymbol

Fix: F-33023r1_fix

Open a terminal session and run the following command. sudo pwpolicy -n -setglobalpolicy "requiresSymbol=1" For non managed systems the path /Local/Default would need to be added to the command, an example would be: sudo pwpolicy -n /Local/Default -setglobalpolicy "requiresSymbol=1"