Free DISA STIG and SRG Library | Vaulted

Apple OS X 10.8 (Mountain Lion) Workstation STIG

Version 1 Release 2
2015-04-24
U_Apple_OS_X_10-8_Workstation_V1R2_Manual-xccdf.xml
The Apple OS X 10.8 (Mountain Lion) Workstation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (205)

The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.

Finding ID
OSX8-00-00110
Rule ID
SV-65405r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000002
CCI
CCI-000016
Target Key
(None)
Documentable
No
Discussion

When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.

Fix Text

To set an expiration date for a temporary account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"

Check Content

If a temporary user has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.

The login window must be configured to prompt for username and password, rather than show a list of users.

Finding ID
OSX8-00-00930
Rule ID
SV-65441r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The login window must be configured to prompt for username and password, rather than show a list of users.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if the login window is configured to prompt for user name and password, run the following command: system_profiler SPConfigurationProfileDataType | grep SHOWFULLNAME | awk '{ print $3 }' | sed 's/;//' If this setting is not defined, or not set to "1", this is a finding.

The ability for administrative accounts to unlock Screen Saver must be disabled.

Finding ID
OSX8-00-00935
Rule ID
SV-65443r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The ability for administrative accounts to unlock Screen Saver must be disabled.

Fix Text

To disable the ability for an administrator to unlock a screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "set :rights:system.login.screensaver:rule authenticate-session-owner" /etc/authorization

Check Content

To check the setting for authentication to unlock the screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "print :rights:system.login.screensaver:rule" /etc/authorization If the result is not "authenticate-session-owner" this is a finding.

All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed.

Finding ID
OSX8-00-00980
Rule ID
SV-65445r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed.

Fix Text

To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /

Check Content

To check the permissions and ownership of the system files, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.

User home directories must not have extended ACLs.

Finding ID
OSX8-00-00985
Rule ID
SV-65447r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

User home directories must not have extended ACLs.

Fix Text

To remove ACLs from a folder, run the following command: sudo chmod -R -N /Users/[username] Where [username] is the folder that contains ACLs.

Check Content

To check if the Users home directory has any extended ACLs, run the following command: ls -al /Users Any of the folders that contain a "+" character in the permissions is a finding.

Device files and directories must only be writable by users with a system account or as configured by the vendor.

Finding ID
OSX8-00-00990
Rule ID
SV-65449r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Device files and directories must only be writable by users with a system account or as configured by the vendor.

Fix Text

To remove the writable option for other users, run the following command: sudo chmod o-w [path to device file]

Check Content

To view the list of device files that are on the system, run the following command: sudo find / -perm -2 -a \( -type b -o -type c \) Check the permissions on the parent directories of the returned items. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding.

The sudoers file must be configured to authenticate users on a per-tty basis.

Finding ID
OSX8-00-00995
Rule ID
SV-65451r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits authorization to the terminal in which authentication occurred.

Fix Text

Edit the /etc/sudoers file to contain the line "Defaults tty_tickets"

Check Content

To check if the tty_tickets option is set for sudo, run the following command: sudo grep tty_tickets /etc/sudoers If there is no result, this is a finding.

The sudoers file must be configured to require authentication on every use.

Finding ID
OSX8-00-01000
Rule ID
SV-65453r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits the use of the sudo command to a single command per authentication.

Fix Text

Edit the /etc/sudoers file to contain the line "Defaults timestamp_timeout=0"

Check Content

To check the timestamp_timeout value, run the following command: sudo grep timestamp_timeout /etc/sudoers If this setting is not defined, or defined for a value other than "0", this is a finding.
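The two sudoers rules above are checked with a bare grep, which also matches a commented-out "# Defaults tty_tickets" line and so can report a setting that sudo never applies. The following added example (not part of the STIG) reads the global "Defaults" lines the way sudo does, skipping comments, splitting comma-separated options and letting later lines override earlier ones, and applies both checks to a constructed sudoers file before and after the STIG's fix lines are appended. The sample file content is constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): read "Defaults" options from a sudoers
# file the way sudo does (uncommented lines, comma-separated options, later
# lines overriding earlier ones). A bare "grep tty_tickets /etc/sudoers" also
# matches a commented-out line, which would hide a finding.

# Constructed sudoers content: tty_tickets is only present in a comment and
# the timeout is 5 minutes, so both STIG checks should report a finding.
make_sample_sudoers() {
    cat > "$1" <<'EOF'
# sudoers (constructed sample for this example)
# Defaults tty_tickets
Defaults    env_reset, timestamp_timeout=5
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
}

# sudoers_default FILE OPTION : prints the effective value of OPTION on
# global "Defaults" lines: "1" for a bare flag, the value for key=value,
# nothing if unset (a "!option" entry clears it).
sudoers_default() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }                               # comments
        $1 == "Defaults" {
            line = $0; sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, items, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                if (kv[1] == opt)       val = (kv[2] == "" ? "1" : kv[2])
                if (kv[1] == ("!" opt)) val = ""
            }
        }
        END { if (val != "") print val }' "$1"
}

# OSX8-00-00995: tty_tickets must be set.
check_tty_tickets() {
    [ "$(sudoers_default "$1" tty_tickets)" = "1" ]
}

# OSX8-00-01000: timestamp_timeout must be 0.
check_timestamp_timeout() {
    [ "$(sudoers_default "$1" timestamp_timeout)" = "0" ]
}

# report_sudoers FILE : one line per rule.
report_sudoers() {
    check_tty_tickets "$1"       && echo "tty_tickets:       OK" || echo "tty_tickets:       FINDING"
    check_timestamp_timeout "$1" && echo "timestamp_timeout: OK" || echo "timestamp_timeout: FINDING"
}

# Demonstration against the sample, before and after the STIG's fix lines.
sample=$(mktemp)
make_sample_sudoers "$sample"
report_sudoers "$sample"
printf 'Defaults tty_tickets\nDefaults timestamp_timeout=0\n' >> "$sample"
report_sudoers "$sample"
rm -f "$sample"
```

On a workstation, point the check functions at /etc/sudoers (reading it needs sudo), and apply the fix lines with visudo rather than a plain editor so a syntax error cannot leave sudo unusable.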

All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.

Finding ID
OSX8-00-01005
Rule ID
SV-65455r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is not a member.

Fix Text

To change the group-ownership of the home directory and files, run the following command: sudo chgrp -R [group] /Users/username

Check Content

To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the group ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is group-owned by a group of which the user is not a member, this is a finding.

All files and directories contained in interactive user home directories must be owned by the home directory's owner.

Finding ID
OSX8-00-01010
Rule ID
SV-65457r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

All files and directories contained in interactive user home directories must be owned by the home directory's owner.

Fix Text

To change the ownership of the files and directories to the owner of the home directory, run the following command: sudo chown -R username /Users/username

Check Content

To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is not owned by the user, this is a finding.

The default global umask setting must be changed for user applications.

Finding ID
OSX8-00-01015
Rule ID
SV-65459r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The default global umask setting must be changed for user applications.

Fix Text

To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 027' > /etc/launchd-user.conf"

Check Content

To view the umask setting, run the following command: awk '{ print $2 }' /etc/launchd-user.conf If the command produces an error, or the result is not "027", this is a finding.

The default global umask setting must be changed for system processes.

Finding ID
OSX8-00-01020
Rule ID
SV-65461r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The default global umask setting must be configured correctly for system processes.

Fix Text

To set the umask setting for system processes, run the following command: sudo sh -c "echo 'umask 022' > /etc/launchd.conf"

Check Content

To view the umask setting, run the following command: umask If the setting is not "022", this is a finding.

Local logging must be enabled.

Finding ID
OSX8-00-01025
Rule ID
SV-65463r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Local logging must be enabled.

Fix Text

To ensure that the newsyslog daemon is not disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/com.apple.newsyslog Disabled -bool FALSE

Check Content

To check if the newsyslog daemon is disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.newsyslog Disabled If the result shows a "1", this is a finding.

Newsyslog must be correctly configured to rotate log files.

Finding ID
OSX8-00-01030
Rule ID
SV-65465r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Newsyslog needs to be correctly configured to rotate log files.

Fix Text

Edit the /etc/newsyslog.conf file to configure the correct values.

Check Content

To view the settings for the log file rotation, run the following command: sudo grep -v "^#" /etc/newsyslog.conf The third column is the number of files to keep in rotation. If this is not set to the correct value for the organization, this is a finding.

Administrator accounts must be created with difficult-to-guess names.

Finding ID
OSX8-00-01035
Rule ID
SV-65467r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Administrator accounts must be created with difficult-to-guess names.

Fix Text

Rename any accounts on the system that contain easy to guess names.

Check Content

To list all of the administrator accounts on the system, run the following command: sudo dscl . -read /Groups/admin GroupMembership If any of the resulting accounts contain easy-to-guess names, this is a finding. An example of an easy-to-guess name would contain "admin" or "administrator".

The system must not use .forward files.

Finding ID
OSX8-00-01040
Rule ID
SV-65469r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not use .forward files.

Fix Text

To remove any ".forward" files from the system, run the following command: find / -name .forward -exec rm {} \;

Check Content

To check if the system contains any ".forward" files, run the following command: find / -name .forward -print If anything is returned, this is a finding.

Active Directory Access must be securely configured to sign all packets.

Finding ID
OSX8-00-01045
Rule ID
SV-65471r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Active Directory Access must be securely configured to sign all packets.

Fix Text

To set the Active Directory configuration to require signing of packets, run the following command: sudo dsconfigad -packetsign require

Check Content

To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet Signing option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.

Active Directory Access must be securely configured to encrypt all packets.

Finding ID
OSX8-00-01050
Rule ID
SV-65473r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Active Directory Access must be securely configured to encrypt all packets.

Fix Text

To set the Active Directory configuration to require encryption of packets, run the following command: sudo dsconfigad -packetencrypt require

Check Content

To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet encryption option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.

iTunes Store must be disabled.

Finding ID
OSX8-00-01055
Rule ID
SV-65475r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

iTunes Store must be disabled.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check if the iTunes store is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableMusicStore | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

An Emergency Administrator Account must be created.

Finding ID
OSX8-00-01060
Rule ID
SV-65477r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. This emergency account should have a UID less than "500", and be hidden from view.

Fix Text

To hide user accounts below "500", run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

Check Content

To check to see if UIDs below "500" are hidden, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow Hide500Users If the result is not "1", this is a finding.

The root account must be the only account having a UID of 0.

Finding ID
OSX8-00-01065
Rule ID
SV-65479r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The root account must be the only account having a UID of "0".

Fix Text

Investigate as to why any additional accounts were set up with a UID of "0".

Check Content

To list all of the accounts with a UID of "0", run this command: sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l If the result is not "1", this is a finding.
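The UID 0 check above only counts matching lines, and the administrator-name check (OSX8-00-01035) leaves the name review to the reader. The following added example (not part of the STIG) parses constructed output in the shape of the two dscl commands by column, so each check names the accounts that need investigation; the account list, including the made-up second UID 0 account svc_legacy, is constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): parse the output of the two dscl
# commands this STIG uses so the account checks name the offending accounts
# instead of only counting them. The dscl output below is constructed;
# svc_legacy is a made-up second UID 0 account.

# Shape of "sudo dscl . -list /Users UniqueID": record name, then the UID.
SAMPLE_UID_LIST='_www            70
_amavisd        83
daemon          1
nobody          -2
root            0
svc_legacy      0
jdoe            501
admin           502'

# Shape of "sudo dscl . -read /Groups/admin GroupMembership".
SAMPLE_ADMIN_GROUP='GroupMembership: root admin jdoe'

# uid0_accounts (stdin = UID listing): names whose UniqueID is exactly 0,
# using the UID column rather than grep -w so a record name can never match.
uid0_accounts() {
    awk 'NF >= 2 && $NF == "0" { print $1 }'
}

# check_single_uid0 [LISTING] : OSX8-00-01065 passes only if root is the
# sole UID 0 account; prints the names to investigate otherwise.
check_single_uid0() {
    names=$(printf '%s\n' "${1:-$SAMPLE_UID_LIST}" | uid0_accounts)
    if [ "$names" = "root" ]; then
        echo "OK       only root has UID 0"
        return 0
    fi
    echo "FINDING  UID 0 accounts: $(printf '%s' "$names" | tr '\n' ' ')"
    return 1
}

# guessable_admins (stdin = GroupMembership line): admin group members whose
# name contains "admin" in any case, the STIG's example of an easy-to-guess
# name (OSX8-00-01035). "administrator" matches as well.
guessable_admins() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if (tolower($i) ~ /admin/) print $i }'
}

# check_admin_names [LINE] : passes when no admin member has a guessable name.
check_admin_names() {
    bad=$(printf '%s\n' "${1:-$SAMPLE_ADMIN_GROUP}" | guessable_admins)
    if [ -z "$bad" ]; then
        echo "OK       no easy-to-guess administrator names"
        return 0
    fi
    echo "FINDING  easy-to-guess administrator names: $(printf '%s' "$bad" | tr '\n' ' ')"
    return 1
}

# Demonstration against the samples. On a workstation pass the real output:
#   check_single_uid0 "$(sudo dscl . -list /Users UniqueID)"
#   check_admin_names "$(sudo dscl . -read /Groups/admin GroupMembership)"
check_single_uid0
check_admin_names
```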

Finder must be set to always empty Trash securely.

Finding ID
OSX8-00-01075
Rule ID
SV-65481r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.

Fix Text

This should be enforced by a configuration profile.

Check Content

To check that the Finder will only present the option to securely empty the Trash, run the following command as the primary user: system_profiler SPConfigurationProfileDataType | grep EmptyTrashSecurely | awk '{ print $3 }' | sed 's/;//' If the result does not return a setting, or the setting is not "1", this is a finding.

The application firewall must be enabled.

Finding ID
OSX8-00-01080
Rule ID
SV-65483r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The application firewall must be enabled.

Fix Text

To enable the firewall run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Check Content

To check if the OS X firewall has been enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is not enabled, this is a finding.

The system must not be allowed to restart after a power failure.

Finding ID
OSX8-00-01090
Rule ID
SV-65485r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not be allowed to restart after a power failure.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if the system is configured to restart automatically after a power loss, run the following command: system_profiler SPConfigurationProfileDataType | grep "Automatic Restart On Power Loss" | awk '{ print $7 }' | sed 's/;//' If the result is not "0", this is a finding.

Fast User Switching must be disabled.

Finding ID
OSX8-00-01100
Rule ID
SV-65487r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Fast User Switching must be disabled.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if Fast User Switching is enabled, run the following command: system_profiler SPConfigurationProfileDataType | grep MultipleSessionEnabled | awk '{ print $3 }' | sed 's/;//' If the setting is not "0", this is a finding.

Kernel core dumps must be disabled unless needed.

Finding ID
OSX8-00-01105
Rule ID
SV-65489r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Kernel core dumps must be disabled unless needed.

Fix Text

Edit the /etc/sysctl.conf file to include the following line: kern.coredump=0

Check Content

To check if kernel core dumps are enabled, run the following command: sudo sysctl kern.coredump | awk '{ print $NF }' If the value is not "0", this is a finding.

All public directories must be owned by root or an application account.

Finding ID
OSX8-00-01110
Rule ID
SV-65491r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

All public directories must be owned by root or an application account.

Fix Text

To change the ownership of any finding, run the following command: sudo find / -type d -perm -1002 -not -uid 0 -exec chown root {} \;

Check Content

To display all directories that are writable by all, run the following command: sudo find / -type d -perm -1002 -not -uid 0 If anything is returned, this is a finding.

The system must not have the finger service active.

Finding ID
OSX8-00-01115
Rule ID
SV-65493r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not have the finger service active.

Fix Text

To ensure that the finger service is disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.fingerd" -dict Disabled -bool true

Check Content

To check if the finger service has been disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.fingerd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The sticky bit must be set on all public directories.

Finding ID
OSX8-00-01120
Rule ID
SV-65495r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The sticky bit must be set on all public directories.

Fix Text

Run the following command to set the sticky bit on all world-writable directories: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;

Check Content

Run the following command to view all world-writable directories that do not have the sticky bit set: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.
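The public-directory rules above (OSX8-00-01110 and OSX8-00-01120) give find predicates to run against the whole filesystem. The following added example (not part of the STIG) exercises the same predicates and the chmod +t fix against a constructed scratch tree containing one compliant world-writable directory, one without the sticky bit and one private directory, so the effect of each predicate can be seen before it is run against /. Directory names and modes are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): exercise the STIG's find predicate for
# world-writable directories without the sticky bit against a constructed
# directory tree, then apply the STIG's fix and re-check.

# make_sample_tree ROOT : three directories covering the cases the rule sees.
make_sample_tree() {
    mkdir -p "$1/tmp_like" "$1/shared_bad" "$1/private"
    chmod 1777 "$1/tmp_like"     # world-writable, sticky bit set: compliant
    chmod 0777 "$1/shared_bad"   # world-writable, no sticky bit: finding
    chmod 0755 "$1/private"      # not world-writable: out of scope
}

# list_unsticky_public ROOT : the STIG's check, scoped to ROOT instead of /.
# -perm -0002 selects directories writable by others; ! -perm -1000 drops
# those that already carry the sticky bit.
list_unsticky_public() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
}

# count_unsticky_public ROOT : number of findings under ROOT.
count_unsticky_public() {
    list_unsticky_public "$1" | wc -l | tr -d ' '
}

# fix_unsticky_public ROOT : the STIG's fix (chmod +t), scoped to ROOT.
fix_unsticky_public() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
}

# Demonstration in a scratch directory; on a workstation run the list and
# fix functions with "/" as ROOT under sudo.
scratch=$(mktemp -d)
make_sample_tree "$scratch"
echo "before fix: $(count_unsticky_public "$scratch") finding(s)"
list_unsticky_public "$scratch"
fix_unsticky_public "$scratch"
echo "after fix:  $(count_unsticky_public "$scratch") finding(s)"
rm -rf "$scratch"
```

The sticky bit only prevents users from deleting or renaming each other's files in a shared directory; the ownership rule (OSX8-00-01110) still applies separately, which is why the STIG lists the two checks as distinct findings.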

The prompt for Apple ID and iCloud must be disabled.

Finding ID
OSX8-00-01125
Rule ID
SV-65497r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The prompt for Apple ID and iCloud must be disabled.

Fix Text

To ensure that the prompt for Apple ID and iCloud is disabled, run the following commands: sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE; sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.8"

Check Content

To check if the prompt for Apple ID and iCloud are disabled for new users, run the following command: sudo defaults read /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant If there is no result, or the results do not include "DidSeeCloudSetup = 1 AND LastSeenCloudProductVersion = 10.8", this is a finding.

Users must not have Apple IDs signed into iCloud.

Finding ID
OSX8-00-01130
Rule ID
SV-65499r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Users should not have Apple IDs signed into iCloud.

Fix Text

This must be manually resolved. With the affected user logged in, open System Preferences->iCloud. Choose "Sign Out".

Check Content

To see if any user account has configured an Apple ID for iCloud usage, run the following command: sudo find /Users/ -name "MobileMeAccounts.plist" -exec defaults read '{}' \; If the results show any accounts listed, this is a finding.

Spotlight Panel must be securely configured.

Finding ID
OSX8-00-01135
Rule ID
SV-65501r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Spotlight Panel must be securely configured.

Fix Text

To add exclusions to the spotlight search, open up System Preferences->Spotlight, and add the folders to the Privacy tab to prevent Spotlight from searching those locations.

Check Content

To view the folders that are excluded by Spotlight, run the following command: sudo defaults read /.Spotlight-V100/VolumeConfiguration.plist Exclusions If there are no results, or the results don't meet the organization's requirements, this is a finding.

iTunes Music Sharing must be disabled.

Finding ID
OSX8-00-01140
Rule ID
SV-65503r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

iTunes Music Sharing must be disabled.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check if the iTunes music sharing is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableSharedMusic | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

All setuid executables on the system must be vendor-supplied.

Finding ID
OSX8-00-01145
Rule ID
SV-65505r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs allowing reading and writing of files, or shell escapes. Only default vendor-supplied executables should have the setuid bit set.

Fix Text

Document all of the files with the setuid bit set.

Check Content

To list all of the files with the setuid bit set, run the following command: sudo find / -perm -4000 -exec ls -ldb {} \; If any of the files listed are not documented as needing to have the setuid bit set by the vendor, this is a finding.

iTunes Radio must be disabled.

Finding ID
OSX8-00-01150
Rule ID
SV-65507r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

iTunes Radio must be disabled.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check if the iTunes radio is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableRadio | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.

iTunes Podcasts must be disabled.

Finding ID
OSX8-00-01155
Rule ID
SV-65509r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

iTunes Podcasts must be disabled.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check if the iTunes podcasts are disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disablePodcasts | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
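Several rules in this STIG (SHOWFULLNAME, EmptyTrashSecurely, "Automatic Restart On Power Loss", MultipleSessionEnabled, disableMusicStore, disableSharedMusic, disableRadio, disablePodcasts) are checked with the same system_profiler pipeline, differing only in the awk column that holds the value, which is $7 rather than $3 when the key contains spaces. The following added example (not part of the STIG) replaces the per-key column with one parser for the "KEY = VALUE;" lines, treats an undefined key as a finding as the STIG text does, and runs the checks against a constructed profile listing. The listing and its profile identifier are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): a small parser for the "KEY = VALUE;"
# lines that system_profiler SPConfigurationProfileDataType prints for each
# installed configuration profile, so one function serves every profile-based
# check in this STIG instead of a different awk column ($3 or $7) per key.

# Constructed sample of the profile listing; only lines of the form the
# STIG's pipelines parse are included. Values are chosen so that
# disablePodcasts is a finding and disableSharedMusic is absent.
SAMPLE_PROFILE_OUTPUT='Configuration Profiles:
    _computerlevel:
      Workstation Settings (constructed sample):
          Profile Identifier: com.example.stig.workstation
          Payload Data: {
            SHOWFULLNAME = 1;
            MultipleSessionEnabled = 0;
            "Automatic Restart On Power Loss" = 0;
            disableMusicStore = 1;
            disableRadio = 1;
            disablePodcasts = 0;
          }'

# profile_value KEY  (reads the listing on stdin): prints KEY's value, or
# nothing if no profile sets it. Splits on " = " so quoted keys containing
# spaces work, then strips quotes, whitespace and the trailing ";".
profile_value() {
    awk -v key="$1" -F' = ' '
        /=/ {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^"|"$/, "", k)
            gsub(/;[ \t]*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# check_profile_setting KEY EXPECTED [LISTING] : prints OK or FINDING and
# returns 0 or 1. As in the STIG text, a key that no profile defines is a
# finding, not a pass. LISTING defaults to the constructed sample.
check_profile_setting() {
    key="$1"; expected="$2"; listing="${3:-$SAMPLE_PROFILE_OUTPUT}"
    actual=$(printf '%s\n' "$listing" | profile_value "$key")
    if [ -z "$actual" ]; then
        printf 'FINDING  %-32s not defined by any profile\n' "$key"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        printf 'FINDING  %-32s = %s (expected %s)\n' "$key" "$actual" "$expected"
        return 1
    fi
    printf 'OK       %-32s = %s\n' "$key" "$actual"
    return 0
}

# The checks this STIG performs with the system_profiler pipeline. On a
# workstation pass "$(system_profiler SPConfigurationProfileDataType)" as
# the third argument of each call.
check_profile_setting SHOWFULLNAME 1
check_profile_setting EmptyTrashSecurely 1
check_profile_setting "Automatic Restart On Power Loss" 0
check_profile_setting MultipleSessionEnabled 0
check_profile_setting disableMusicStore 1
check_profile_setting disableSharedMusic 1
check_profile_setting disableRadio 1
check_profile_setting disablePodcasts 1
```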

Unnecessary packages must not be installed.

Finding ID
OSX8-00-01165
Rule ID
SV-65511r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Unnecessary packages must not be installed.

Fix Text

If there are any unnecessary packages installed on the system, verify any dependencies and remove those not required.

Check Content

To view a list of packages and applications installed on the system, run the following command: sudo pkgutil / --pkgs If any of the packages listed are not required for proper operation of the system, this is a finding.

The centralized process core dump data directory must be owned by root.

Finding ID
OSX8-00-01175
Rule ID
SV-65513r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The centralized process core dump data directory must be owned by root.

Fix Text

To change the ownership to "root", run the following command: sudo chown root /Library/Logs/DiagnosticReports/

Check Content

To check the ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the owner is not "root", this is a finding.

The centralized process core dump data directory must have mode 0750 or less permissive.

Finding ID
OSX8-00-01180
Rule ID
SV-65515r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The centralized process core dump data directory must have mode "0750" or less permissive.

Fix Text

To change the permissions of the directory, run the following command: sudo chmod 0750 /Library/Logs/DiagnosticReports/

Check Content

To check the permissions of the process core dump directory, run the following command: sudo stat -f %A /Library/Logs/DiagnosticReports/ If the permissions are not "0750", this is a finding.

The centralized process core dump data directory must be group-owned by admin.

Finding ID
OSX8-00-01185
Rule ID
SV-65517r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The centralized process core dump data directory must be group-owned by admin.

Fix Text

To change the group ownership to "admin", run the following command: sudo chgrp admin /Library/Logs/DiagnosticReports/

Check Content

To check the group ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the group is not "admin", this is a finding.

The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.

Finding ID
OSX8-00-01190
Rule ID
SV-65519r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.

Fix Text

To disable ICMP responses to broadcast traffic, add the following line to /etc/sysctl.conf: net.inet.icmp.bmcastecho=1

Check Content

To check if the system is configured to respond to ICMP echoes, run the following command: sudo sysctl net.inet.icmp.bmcastecho | awk '{ print $NF }' If the value is not set to "1", this is a finding.

The system must not accept source-routed IPv4 packets.

Finding ID
OSX8-00-01195
Rule ID
SV-65521r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not accept source-routed IPv4 packets.

Fix Text

To configure the system to not accept source-routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.accept_sourceroute=0

Check Content

To check if the system is configured to accept source-routed packets, run the following command: sysctl net.inet.ip.accept_sourceroute | awk '{ print $NF }' If the value is not "0", this is a finding.

The system must ignore IPv4 ICMP redirect messages.

Finding ID
OSX8-00-01200
Rule ID
SV-65523r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must ignore IPv4 ICMP redirect messages.

Fix Text

To configure the system to ignore ICMP redirect messages, add the following line to /etc/sysctl.conf: net.inet.icmp.drop_redirect=1

Check Content

To check if the system is configured to ignore ICMP redirect messages, run the following command: sysctl -a net.inet.icmp.drop_redirect | awk '{ print $NF }' If the value is not "1", this is a finding.

IP forwarding for IPv4 must not be enabled, unless the system is a router.

Finding ID
OSX8-00-01205
Rule ID
SV-65525r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

IP forwarding for IPv4 must not be enabled, unless the system is a router.

Fix Text

To configure the system to disable IPv4 forwarding, add the following line to /etc/sysctl.conf: net.inet.ip.forwarding=0

Check Content

To check if IP forwarding is enabled, run the following command: sysctl net.inet.ip.forwarding | awk '{ print $NF }' If the value is not "0", this is a finding.

The system must not send IPv4 ICMP redirects by default.

Finding ID
OSX8-00-01210
Rule ID
SV-65527r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not send IPv4 ICMP redirects by default.

Fix Text

To disable ICMP redirects, add the following line to /etc/sysctl.conf: net.inet.ip.redirect=0

Check Content

To check if the system is configured to send ICMP redirects, run the following command:
sysctl net.inet.ip.redirect | awk '{ print $NF }'
If the value is not set to "0", this is a finding.

The system must prevent local applications from generating source-routed packets.

Finding ID
OSX8-00-01215
Rule ID
SV-65529r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must prevent local applications from generating source-routed packets.

Fix Text

To disable source-routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.sourceroute=1

Check Content

To check if the system is configured to generate source-routed packets, run the following command:
sysctl net.inet.ip.sourceroute | awk '{ print $NF }'
If the value is not set to "1", this is a finding.

The system must not process Internet Control Message Protocol [ICMP] timestamp requests.

Finding ID
OSX8-00-01220
Rule ID
SV-65531r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The system must not process Internet Control Message Protocol [ICMP] timestamp requests.

Fix Text

To disable ICMP timestamp responses, add the following line to /etc/sysctl.conf: net.inet.icmp.timestamp=1

Check Content

To check if the system is configured to process ICMP timestamp requests, run the following command:
sysctl net.inet.icmp.timestamp | awk '{ print $NF }'
If the value is not set to "1", this is a finding.

Audio recording support software must be disabled.

Finding ID
OSX8-00-01225
Rule ID
SV-65533r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Audio recording support software must be disabled.

Fix Text

To disable all audio input/output on the device, run the following commands:
sudo rm -rf /System/Library/Extensions/AppleUSBAudio.kext
sudo rm -rf /System/Library/Extensions/IOAudioFamily.kext
sudo rm -rf /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext
On a machine that requires audio output functionality, fix a non-"0" input volume by running the following command on a repeating interval, or manually change the input volume to "0":
osascript -e 'set volume input volume 0'

Check Content

Disabling the microphone completely will also remove all audio output from the computer. If audio is not a mission requirement, check for the presence of the following files; the presence of any of these files is a finding.
ls -l /System/Library/Extensions/AppleUSBAudio.kext /System/Library/Extensions/IOAudioFamily.kext /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext
If audio output is required for the mission, the only way to disable the microphone while maintaining the kext file signatures is to run the command given in the Fix Text to ensure the input volume is 0. The volume can be checked by running the following script:
osascript -e 'get volume settings'
Any value other than "0" for "input volume" is a finding. Microphone hardware can also be physically removed from the device prior to deployment to meet this requirement.

Unused network devices must be disabled.

Finding ID
OSX8-00-01235
Rule ID
SV-65535r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Unused network devices must be disabled.

Fix Text

To disable a network service, run the following command: sudo networksetup -setnetworkserviceenabled <networkservice> off

Check Content

To list the network devices that are enabled on the system, run the following command:
sudo networksetup -listallnetworkservices
If any service is listed that is not being used, it must be disabled.

Stealth Mode must be enabled on the firewall.

Finding ID
OSX8-00-01245
Rule ID
SV-65537r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Stealth Mode must be enabled on the firewall.

Fix Text

To enable the firewall stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Check Content

To check if the OSX firewall (not pf.conf) is running in stealth mode, run the following command:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{ print $NF }'
If the result is "Disabled", this is a finding.

Secure virtual memory must be used.

Finding ID
OSX8-00-01260
Rule ID
SV-65539r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Secure virtual memory must be used.

Fix Text

To enable secure virtual memory, run the following command:
sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE

Check Content

To check if the system is using secure virtual memory, run the following command:
sudo sysctl vm.swapusage | awk '{ print $NF }'
If the result does not show "(encrypted)", this is a finding.

The Operating System must be current and at the latest release level.

Finding ID
OSX8-00-01265
Rule ID
SV-65541r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.

Fix Text

To install software updates, run the following command: sudo softwareupdate --install [name of update]

Check Content

To check which software updates are available for the system, run the following command:
sudo softwareupdate --list --all
Review the results and determine if any updates need to be applied. If there are any required updates that have not been applied, this is a finding.

The CRLStyle option must be set correctly.

Finding ID
OSX8-00-00618
Rule ID
SV-65543r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000066
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.

Fix Text

This is enforced using a configuration profile.

Check Content

To check whether CRL checking is set with a configuration profile, run the following command:
system_profiler SPConfigurationProfileDataType | grep CRLStyle | awk '{ print $3 }' | sed 's/;//'
The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.

A host-based firewall must be installed.

Finding ID
OSX8-00-00795
Rule ID
SV-65549r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000146
CCI
CCI-001100
Target Key
(None)
Documentable
No
Discussion

Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation on the public internet.

Fix Text

Install an approved HBSS or firewall solution onto the system.

Check Content

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.

System Preferences must be securely configured so IPv6 is turned off if not being used.

Finding ID
OSX8-00-01240
Rule ID
SV-65551r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000146
CCI
CCI-001100
Target Key
(None)
Documentable
No
Discussion

System Preferences must be securely configured so IPv6 is turned off if not being used.

Fix Text

To turn IPv6 addressing off for the Ethernet interface, run:
networksetup -setv6off Ethernet
Repeat the command for each active interface; interface names are case sensitive.

Check Content

Run the following command to list all network interfaces and the services active on them:
networksetup -listallnetworkservices
If any enabled network interface has IPv6 enabled but does not require the use of IPv6, this is a finding.

DoD proxies must be configured on all active network interfaces.

Finding ID
OSX8-00-00810
Rule ID
SV-65553r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000149
CCI
CCI-001112
Target Key
(None)
Documentable
No
Discussion

A proxy server is designed to hide the identity of the client when making a connection to a server outside its network. This prevents any hackers on the outside from learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to; the proxy server is in the middle handling both sides of the session.

Fix Text

Ensure that DoD proxies are configured on all active network interfaces listed by the command:
networksetup -listallnetworkservices

Check Content

To show the proxy configuration for the Ethernet interface, run the following command:
networksetup -getautoproxyurl Ethernet
Replace "Ethernet" with the plain-English name of the network interface you need to verify. If there is no proxy defined, or "Enabled" is set to "No", this is a finding. The following command lists the plain-English names of all configured network interfaces on the computer:
networksetup -listallnetworkservices

The SSH daemon ClientAliveInterval option must be set correctly.

Finding ID
OSX8-00-00715
Rule ID
SV-65557r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000163
CCI
CCI-001133
Target Key
(None)
Documentable
No
Discussion

This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

Fix Text

To make sure the ClientAliveInterval is set correctly, run the following command:
sudo sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/sshd_config

Check Content

To check the idle timeout setting for SSH sessions, run the following:
grep ClientAliveInterval /etc/sshd_config
If the setting is not "600", or is commented out, this is a finding.

The SSH daemon ClientAliveCountMax option must be set correctly.

Finding ID
OSX8-00-00720
Rule ID
SV-65561r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000163
CCI
CCI-001133
Target Key
(None)
Documentable
No
Discussion

This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

Fix Text

To make sure the SSH idle timeout occurs precisely as configured, set "ClientAliveCountMax" by running the following command:
sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config

Check Content

To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command:
grep ClientAliveCountMax /etc/sshd_config
If the setting is commented out, or is not "ClientAliveCountMax 0", this is a finding.

The SSH daemon LoginGraceTime must be set correctly.

Finding ID
OSX8-00-00945
Rule ID
SV-65563r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000163
CCI
CCI-001133
Target Key
(None)
Documentable
No
Discussion

LoginGraceTime must be securely configured in /etc/sshd_config.

Fix Text

To make sure LoginGraceTime is configured correctly, run the following command:
sudo sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/sshd_config

Check Content

To check the amount of time a user has to log in through SSH, run the following command:
grep LoginGraceTime /etc/sshd_config
If the value is not set to "30" or less, this is a finding.
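The three sshd_config checks above (ClientAliveInterval, ClientAliveCountMax, LoginGraceTime) are easy to script once a few details are handled: sshd ignores commented lines, treats keywords case-insensitively, honours only the first occurrence, and accepts time arguments with a unit suffix such as "2m" that the plain grep leaves for the reviewer to convert. The following is an added example, not part of the STIG; it audits and remediates file contents offline, and its constructed sample config is hypothetical.

```python
"""Audit and remediate the sshd_config session-timeout directives this STIG
checks (ClientAliveInterval, ClientAliveCountMax, LoginGraceTime).  Added
example, not part of the STIG; it works on file contents so it runs offline."""
import re
from typing import Dict, List, Optional

# STIG-required values: directive -> (expected, comparison, is_time_value)
# "eq": must equal expected; "le": must be at most expected.
REQUIRED = {
    "ClientAliveInterval": (600, "eq", True),   # OSX8-00-00715
    "ClientAliveCountMax": (0, "eq", False),    # OSX8-00-00720
    "LoginGraceTime": (30, "le", True),         # OSX8-00-00945
}

# sshd_config time arguments may carry a unit suffix (s, m, h, d, w);
# a bare number means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_value(raw: str, is_time: bool) -> Optional[int]:
    """Return the integer value of a directive argument, or None if malformed."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", raw.strip(), re.IGNORECASE)
    if not m:
        return None
    number, unit = int(m.group(1)), m.group(2).lower()
    if unit and not is_time:
        return None            # a count such as ClientAliveCountMax takes no unit
    return number * _UNITS[unit]


def effective_directives(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> argument for the first active occurrence.
    sshd ignores blank/commented lines, treats keywords case-insensitively and
    honours only the first occurrence of a keyword."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    active = effective_directives(text)
    findings = []
    for directive, (expected, cmp, is_time) in REQUIRED.items():
        raw = active.get(directive.lower())
        if raw is None:
            findings.append(f"{directive}: missing or commented out")
            continue
        value = parse_value(raw, is_time)
        if value is None:
            findings.append(f"{directive}: unparseable value {raw!r}")
            continue
        compliant = value == expected if cmp == "eq" else value <= expected
        if not compliant:
            op = "==" if cmp == "eq" else "<="
            findings.append(f"{directive}: {raw} (required {op} {expected})")
    return findings


def remediate_sshd_config(text: str) -> str:
    """Return file contents with all three directives set to the STIG values.
    Like the STIG's sed fix, every line mentioning a directive (including a
    commented-out default) is replaced; unlike sed, a directive that is absent
    altogether is appended, so the result is compliant either way."""
    lines = text.splitlines()
    for directive, (expected, _, _) in REQUIRED.items():
        pattern = re.compile(r"^\s*#?\s*" + directive + r"\b", re.IGNORECASE)
        replacement = f"{directive} {expected}"
        hit = False
        for i, line in enumerate(lines):
            if pattern.match(line):
                lines[i] = replacement
                hit = True
        if not hit:
            lines.append(replacement)
    return "\n".join(lines) + "\n"


# Constructed sample resembling a stock sshd_config: one default still
# commented out, a grace time given with a unit suffix, and one directive absent.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not a real file)
#ClientAliveInterval 0
LoginGraceTime 2m
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    fixed = remediate_sshd_config(SAMPLE_SSHD_CONFIG)
    print("after remediation:", audit_sshd_config(fixed) or "no findings")
```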

The FIPS administrative and cryptographic modules must be installed correctly.

Finding ID
OSX8-00-00725
Rule ID
SV-65565r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000169
CCI
CCI-001144
Target Key
(None)
Documentable
No
Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Fix Text

Download and install the Apple FIPS Cryptographic Module v3.0 from http://support.apple.com/kb/DL1555

Check Content

Run the following command to ensure the correct FIPS administrative and cryptographic modules are installed:
sudo codesign -dvvv /usr/libexec/cc_fips_test 2>&1 | grep CDHash | sed 's/CDHash=//'
The result should be "bdef561bd742ae2e28589ca3ed44f188530d6910". If it differs, this is a finding.

Video recording support software must be disabled.

Finding ID
OSX8-00-01251
Rule ID
SV-65569r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000175
CCI
CCI-001150
Target Key
(None)
Documentable
No
Discussion

Video recording support software must be disabled.

Fix Text

To remove video recording support, run the following commands:
sudo rm -rf /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer
sudo rm -rf /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
sudo rm -rf /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
These commands cannot be undone.

Check Content

To check if the video recording plugins are installed, run the following commands:
sudo ls -l /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer
sudo ls -l /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
sudo ls -l /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC
If any of the files exist, this is a finding.

The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.

Finding ID
OSX8-00-00750
Rule ID
SV-65575r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000179
CCI
CCI-001159
Target Key
(None)
Documentable
No
Discussion

For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.

Fix Text

Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from /Applications/Utilities to add certificates to the System keychain.

Check Content

To view a list of installed certificates, run the following command:
sudo security -dump-keychain | grep labl | awk -F\" '{ print $4 }'
If this list does not contain approved certificates, this is a finding.

The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.

Finding ID
OSX8-00-00755
Rule ID
SV-65577r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000180
CCI
CCI-001166
Target Key
(None)
Documentable
No
Discussion

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Xprotect Update needs to be running.

Fix Text

The Xprotect mechanism is installed and running by default. Make sure the launch daemon is correctly configured in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist. If this file doesn't exist, you may need to obtain it from the original install media.

Check Content

To make sure the Xprotect Update service is running, run the following command:
sudo launchctl list | grep com.apple.xprotectupdater
If there is no result, this is a finding.

The operating system must protect the confidentiality and integrity of information at rest.

Finding ID
OSX8-00-00780
Rule ID
SV-65581r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000185
CCI
CCI-001199
Target Key
(None)
Documentable
No
Discussion

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive). The operating system must ensure the data being written to these devices is protected. In most cases, this is done via encryption.

Fix Text

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

Check Content

To check if FileVault 2 is enabled, run the following command:
sudo fdesetup status
If FileVault is "OFF", this is a finding.

The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.

Finding ID
OSX8-00-00835
Rule ID
SV-65583r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000191
CCI
CCI-001233
Target Key
(None)
Documentable
No
Discussion

Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This role is usually assigned to patch management software deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions and the related flaws that require patching. From an operating system requirement perspective, the operating system must perform this or there must be an application installed performing this function.

Fix Text

This should be configured with a configuration profile.

Check Content

The system must be defined to use an internal software update server. To check the value of the software update server, run the following command:
system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//'
If it is not defined, or is not set to the organization-defined value, this is a finding.

The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.

Finding ID
OSX8-00-00840
Rule ID
SV-65587r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000192
CCI
CCI-001237
Target Key
(None)
Documentable
No
Discussion

The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed.

Fix Text

This should be configured with a configuration profile.

Check Content

The system must be defined to use an internal software update server. To check the value of the software update server, run the following command:
system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//'
If it is not defined, or is not set to the organization-defined value, this is a finding.

System log files must be owned by root:wheel.

Finding ID
OSX8-00-00815
Rule ID
SV-65591r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000206
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.

Fix Text

For any log file that returns an incorrect permission value, run the following command: chown root:wheel [log file] where [log file] is the full path to the log file in question.

Check Content

This command checks for the log files that exist on the system and prints each log with its corresponding ownership:
stat -f "%Su:%Sg:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null
If there are any log files that are not owned by root and group-owned by wheel or admin, this is a finding.

System log files must have the correct permissions.

Finding ID
OSX8-00-00820
Rule ID
SV-65595r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000206
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

System log files should have the correct permissions.

Fix Text

For any log file that returns an incorrect permission value, run the following command: chmod 640 [log file] where [log file] is the full path to the log file in question.

Check Content

This command checks for the log files that exist on the system and prints each log with its corresponding permissions:
stat -f "%A:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null
The correct permissions should be "640" or less permissive. Any file with more permissive settings is a finding.

System log files must not contain ACLs.

Finding ID
OSX8-00-00825
Rule ID
SV-65597r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000206
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

System log files should not contain ACLs.

Fix Text

For any log file that returns an ACL, run the following command: chmod -N [log file] where [log file] is the full path to the log file in question.

Check Content

This command checks for the log files that exist on the system and prints the list of ACLs, if there are any:
ls -le `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null
ACLs will be listed under any file that contains them, e.g. "0: group:admin allow list,readattr,readextattr,readsecurity". If any file contains this information, this is a finding.
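The three log-file checks above (root:wheel ownership, mode 640 or stricter, no ACLs) share the same input list: the first field of every uncommented newsyslog.conf entry. The following is an added example, not part of the STIG, that evaluates all three checks over that list; the stat and ls output the STIG collects on the workstation is replaced by a constructed table (hypothetical paths and results) so the logic can be run offline, and "less permissive than 640" is tested with a bit mask rather than a string comparison.

```python
"""Evaluate the three system-log checks in this STIG (root:wheel ownership,
mode 640 or stricter, no ACLs) against the files listed in newsyslog.conf.
Added example, not part of the STIG.  The stat/ls calls the STIG runs are
replaced here by a constructed table so the logic can be exercised offline."""
from dataclasses import dataclass, field
from typing import Dict, List

REQUIRED_OWNER = "root"
ALLOWED_GROUPS = {"wheel", "admin"}   # the STIG accepts either group
MAX_MODE = 0o640                      # "640 or less permissive"


def log_paths_from_newsyslog(conf: str) -> List[str]:
    """Return the log paths from newsyslog.conf: first field of each entry,
    skipping blank lines, comments and the <include> directive (whose argument
    is another config file, not a log)."""
    paths = []
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        first = stripped.split()[0]
        if first == "<include>":
            continue
        paths.append(first)
    return paths


@dataclass
class FileState:
    """What stat -f "%Su:%Sg:%A" and ls -le would report for one file."""
    owner: str
    group: str
    mode: int                                      # permission bits, e.g. 0o640
    acl: List[str] = field(default_factory=list)   # ACL entries, if any


def evaluate_log(path: str, st: FileState) -> List[str]:
    """Return the findings for one log file (empty list = compliant)."""
    findings = []
    if st.owner != REQUIRED_OWNER:                       # OSX8-00-00815
        findings.append(f"{path}: owned by {st.owner}, must be root")
    if st.group not in ALLOWED_GROUPS:
        findings.append(f"{path}: group {st.group}, must be wheel or admin")
    if st.mode & ~MAX_MODE:                              # OSX8-00-00820
        findings.append(f"{path}: mode {st.mode:o} more permissive than 640")
    if st.acl:                                           # OSX8-00-00825
        findings.append(f"{path}: has ACL entries {st.acl}")
    return findings


def audit_logs(conf: str, states: Dict[str, FileState]) -> List[str]:
    """Run all three checks over every log named in the newsyslog.conf text.
    A listed log that does not exist is skipped, mirroring the STIG's
    2> /dev/null, which silently drops stat errors for missing files."""
    findings = []
    for path in log_paths_from_newsyslog(conf):
        st = states.get(path)
        if st is None:
            continue
        findings.extend(evaluate_log(path, st))
    return findings


# Constructed newsyslog.conf excerpt (format: path [owner:group] mode count size when flags)
SAMPLE_NEWSYSLOG_CONF = """\
# constructed sample; not a real /etc/newsyslog.conf
# logfilename          [owner:group]  mode count size when   flags
/var/log/system.log                   640  7    *    @T00   J
/var/log/install.log   root:admin     640  *    1024 *      J
/var/log/wtmp                         644  3    *    @01T05 B
<include> /etc/newsyslog.d/*
"""

# Constructed stat/ls results; /var/log/wtmp does not exist in this sample,
# and install.log has drifted from the mode newsyslog.conf asks for.
SAMPLE_STATES = {
    "/var/log/system.log": FileState("root", "wheel", 0o640),
    "/var/log/install.log": FileState(
        "root", "admin", 0o644,
        ["group:admin allow list,readattr,readextattr,readsecurity"]),
}

if __name__ == "__main__":
    for line in audit_logs(SAMPLE_NEWSYSLOG_CONF, SAMPLE_STATES) or ["no findings"]:
        print(line)
```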

The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.

Finding ID
OSX8-00-00875
Rule ID
SV-65599r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000214
CCI
CCI-001274
Target Key
(None)
Documentable
No
Discussion

Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Automated alarming mechanisms provide the appropriate personnel with the capability to immediately respond and react to events categorized as unusual or having security implications that could be detrimental to system and/or organizational security.

Fix Text

If the system does not have the HBSS package installed, contact the HBSS administrator to obtain the installer package for the software.

Check Content

Ask the SA or IAO if a host-based security system is loaded on the system. The recommended system is the McAfee HBSS. If there is no HBSS installed on the system, this is a finding.

The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.

Finding ID
OSX8-00-00395
Rule ID
SV-65603r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000215
CCI
CCI-001348
Target Key
(None)
Documentable
No
Discussion

Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.

Fix Text

Edit the /etc/security/audit_control file to define the directory for audit logs.

Check Content

To check the location of the audit log files, run the following command:
sudo ls -ld `sudo grep "^dir" /etc/security/audit_control | sed 's/dir://'`
The default location is /var/audit. If this is not defined or is defined incorrectly, this is a finding.

The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.

Finding ID
OSX8-00-00195
Rule ID
SV-65605r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000228
CCI
CCI-001388
Target Key
(None)
Documentable
No
Discussion

Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

Fix Text

Create an RTF-formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security.

Check Content

The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder:
ls -l /Library/Security | grep PolicyBanner
If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document should read:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

The operating system must employ automated mechanisms to centrally manage configuration settings.

Finding ID
OSX8-00-00445
Rule ID
SV-65607r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000229
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Rather than visiting each system when making configuration changes, organizations must employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.

Fix Text

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

Check Content

To check if the computer has a configuration profile applied to the workstation, run the following command:
sudo profiles -H
If there are no profiles installed, this is a finding.

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.

Finding ID
OSX8-00-00785
Rule ID
SV-65609r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000230
CCI
CCI-001200
Target Key
(None)
Documentable
No
Discussion

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system.

Fix Text

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

Check Content

To check if FileVault 2 is enabled, run the following command:
sudo fdesetup status
If FileVault is "OFF", this is a finding.

The operating system must enforce requirements for remote connections to the information system.

Finding ID
OSX8-00-00055
Rule ID
SV-65611r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000231
CCI
CCI-000066
Target Key
(None)
Documentable
No
Discussion

The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.

Fix Text

Install an approved HBSS or firewall solution onto the system.

Check Content

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.

The operating system must enforce requirements for remote connections to the information system.

Finding ID
OSX8-00-01170
Rule ID
SV-65613r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000231
CCI
CCI-000066
Target Key
(None)
Documentable
No
Discussion

Screen Sharing must be disabled.

Fix Text

To disable screen sharing, run the following command:
sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.screensharing" -dict Disabled -bool true

Check Content

To check if screen sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.screensharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The operating system must automatically audit account modification.

Finding ID
OSX8-00-00125
Rule ID
SV-65615r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000239
CCI
CCI-001403
Target Key
(None)
Documentable
No
Discussion

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of user accounts and, as required, notifies appropriate individuals.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

The operating system must automatically audit account disabling actions.

Finding ID
OSX8-00-00130
Rule ID
SV-65617r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000240
CCI
CCI-001404
Target Key
(None)
Documentable
No
Discussion

When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events affecting user accessibility and operating system processing, the operating system must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

The operating system must automatically audit account termination.

Finding ID
OSX8-00-00135
Rule ID
SV-65619r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000241
CCI
CCI-001405
Target Key
(None)
Documentable
No
Discussion

Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a denial of service could result. The operating system must audit and notify, as required, to mitigate the denial of service risk.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

The system firewall must be configured with a default-deny policy.

Finding ID
OSX8-00-00155
Rule ID
SV-65621r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000242
CCI
CCI-001414
Target Key
(None)
Documentable
No
Discussion

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path.

Fix Text

Install an approved HBSS or firewall solution onto the system.

Check Content

Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system and configured with a default-deny policy, this is a finding.

Internet Sharing must be disabled.

Finding ID
OSX8-00-01270
Rule ID
SV-65623r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000242
CCI
CCI-001414
Target Key
(None)
Documentable
No
Discussion

Internet Sharing must be disabled.

Fix Text

To disable Internet Sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.InternetSharing" -dict Disabled -bool true

Check Content

To check if Internet sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.InternetSharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Web Sharing must be disabled.

Finding ID
OSX8-00-01275
Rule ID
SV-65625r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000242
CCI
CCI-001414
Target Key
(None)
Documentable
No
Discussion

Web Sharing must be disabled.

Fix Text

To disable Web Sharing, run the following command: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled -bool TRUE

Check Content

To check if Web Sharing is enabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled If the result is not "1", this is a finding.

The rsh service must be disabled.

Finding ID
OSX8-00-00050
Rule ID
SV-65627r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000248
CCI
CCI-001436
Target Key
(None)
Documentable
No
Discussion

Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities. Based on that assessment some may be deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

Fix Text

To set the "rshd" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/shell Disabled 1

Check Content

The "rshd" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/shell Disabled If the result is not "1", this is a finding.

The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.

Finding ID
OSX8-00-01325
Rule ID
SV-65629r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000249
CCI
CCI-001452
Target Key
(None)
Documentable
No
Discussion

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Fix Text

To set the password policy, run the following command: sudo pwpolicy -setglobalpolicy "minutesUntilFailedLoginReset=15"

Check Content

To check if the password policy is configured to disable an account within 15 minutes of failed attempts, run the following command: sudo pwpolicy -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the result is not "minutesUntilFailedLoginReset=15", this is a finding. This is NA for machines bound to a directory server.

The operating system must use cryptography to protect the integrity of remote access sessions.

Finding ID
OSX8-00-00040
Rule ID
SV-65631r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000250
CCI
CCI-001453
Target Key
(None)
Documentable
No
Discussion

Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is not used to protect these sessions, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.

Fix Text

To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

Check Content

The service "telnet" should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.

Finding ID
OSX8-00-00045
Rule ID
SV-65635r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000251
CCI
CCI-001454
Target Key
(None)
Documentable
No
Discussion

Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any operating system providing remote access must support organizational requirements to audit access to organization-defined security functions and security-relevant information.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,nt/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep nt Network events are logged by way of the "nt" flag. If "nt" is not listed in the result of the check, this is a finding.

The operating system must protect audit tools from unauthorized access.

Finding ID
OSX8-00-00380
Rule ID
SV-65637r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000256
CCI
CCI-001493
Target Key
(None)
Documentable
No
Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is imperative that access to audit tools be controlled and protected from unauthorized access.

Fix Text

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

Check Content

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

The operating system must protect audit tools from unauthorized modification.

Finding ID
OSX8-00-00385
Rule ID
SV-65639r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000257
CCI
CCI-001494
Target Key
(None)
Documentable
No
Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative that audit tools be controlled and protected from unauthorized modification.

Fix Text

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

Check Content

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

The operating system must protect audit tools from unauthorized deletion.

Finding ID
OSX8-00-00390
Rule ID
SV-65641r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000258
CCI
CCI-001495
Target Key
(None)
Documentable
No
Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are deleted, it would affect the administrator's ability to access and review log data.

Fix Text

To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]

Check Content

The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.

The operating system must limit privileges to change software resident within software libraries (including privileged programs).

Finding ID
OSX8-00-00435
Rule ID
SV-65643r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000259
CCI
CCI-001499
Target Key
(None)
Documentable
No
Discussion

When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Fix Text

To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /

Check Content

To check the permissions and ownership of the system files and make sure they haven't changed from the original installation, run the following command: sudo diskutil verifyPermissions / Any result indicating that User/Group/Permissions differ is a finding.

The operating system must take corrective actions, when unauthorized mobile code is identified.

Finding ID
OSX8-00-00760
Rule ID
SV-65645r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000268
CCI
CCI-001662
Target Key
(None)
Documentable
No
Discussion

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check to make sure the user cannot override Gatekeeper settings, type the following code: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.

The operating system must support the requirement to automatically audit on account creation.

Finding ID
OSX8-00-00120
Rule ID
SV-65647r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000004
CCI
CCI-000018
Target Key
(None)
Documentable
No
Discussion

Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and if required notifies administrators. Such a process greatly reduces the risk of accounts being created outside the normal approval process and provides logging that can be used for forensic purposes. Additionally, the audit records of account creation can be compared to the known approved account creation list.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.

The Bluetooth protocol driver must be removed.

Finding ID
OSX8-00-00065
Rule ID
SV-65649r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can be accessed. The organization will define the requirements for connection of mobile devices. In order to ensure that the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.

Fix Text

Removing the kernel extensions for Bluetooth will remove the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions

Check Content

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Wi-Fi support software must be disabled.

Finding ID
OSX8-00-00070
Rule ID
SV-65651r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Wi-Fi support software must be disabled.

Fix Text

To remove the software component for Wi-Fi support, run the following command: sudo rm -rf /System/Library/Extensions/IO80211Family.kext

Check Content

To check if the Wi-Fi software components are present on the system, run the following command: sudo ls -d /System/Library/Extensions/IO80211Family.kext If there is a result showing the file is present, this is a finding.

The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.

Finding ID
OSX8-00-00170
Rule ID
SV-65653r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000020
CCI
CCI-000040
Target Key
(None)
Documentable
No
Discussion

The auditing system must be configured to audit authentication and authorization events.

Fix Text

To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control

Check Content

In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep aa The authentication events are logged via the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.
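The "ad", "nt" and "aa" checks above all read the flags: line of /etc/security/audit_control, and the matching fixes append the flag with sed whether or not it is already there. The following script is an added example, not part of the STIG: it generalizes the check to any list of flags (matching whole comma-separated entries, so a negated "-ad" does not pass as "ad") and adds a flag only when it is missing, handling an empty or absent flags: line. It works on a constructed copy of the file by default; point AUDIT_CONTROL at the real path to run it against a system.

```shell
#!/bin/sh
# Added example, not part of the STIG: an idempotent version of the audit_control
# flag check and fix. Paths and the sample file contents are constructed here.

# Location of the audit configuration; the STIG checks /etc/security/audit_control.
# Default to a temporary copy so the example runs without root and without
# touching the real file.
AUDIT_CONTROL="${AUDIT_CONTROL:-$(mktemp)}"

# Write a constructed audit_control (same layout as the OS X file) with only
# the "lo" and "aa" classes enabled.
write_sample() {
  cat > "$1" <<'EOF'
#
# constructed sample of /etc/security/audit_control
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
EOF
}

# Print the value of the flags: line (empty if the line is absent or empty).
current_flags() {
  sed -n 's/^flags://p' "$1" | head -n 1
}

# check_flags FILE FLAG... : return 0 when every FLAG is present as a whole,
# comma-separated entry of the flags: line; otherwise print the missing ones
# and return 1. Whole-entry matching means a negated entry such as "-ad" does
# not count as "ad", which the STIG's plain "grep ad" would accept.
check_flags() {
  file="$1"; shift
  current=$(current_flags "$file")
  missing=""
  for want in "$@"; do
    found=0
    oldifs=$IFS; IFS=,
    for have in $current; do
      [ "$have" = "$want" ] && found=1
    done
    IFS=$oldifs
    [ "$found" -eq 1 ] || missing="$missing $want"
  done
  [ -z "$missing" ] && return 0
  echo "missing:$missing"
  return 1
}

# add_flag FILE FLAG : enable FLAG only if it is not already present.
# Unlike the STIG's "s/$/,ad/", this does not duplicate a flag on a second
# run, does not produce "flags:,ad" when the line is empty, and creates the
# line if it is missing entirely.
add_flag() {
  file="$1"; flag="$2"
  check_flags "$file" "$flag" >/dev/null && return 0
  if ! grep -q '^flags:' "$file"; then
    printf 'flags:%s\n' "$flag" >> "$file"
  elif [ -z "$(current_flags "$file")" ]; then
    sed -i.bak "s/^flags:.*/flags:$flag/" "$file"
  else
    sed -i.bak "s/^flags:.*/&,$flag/" "$file"
  fi
}

# Demonstration: the sample fails the "ad" and "nt" checks, is fixed, and then
# passes; running the fix again changes nothing.
write_sample "$AUDIT_CONTROL"
if check_flags "$AUDIT_CONTROL" ad nt aa; then
  echo "audit flags compliant"
else
  echo "finding: audit flags incomplete"
fi
for f in ad nt aa; do add_flag "$AUDIT_CONTROL" "$f"; done
echo "flags now: $(current_flags "$AUDIT_CONTROL")"   # flags now: lo,aa,ad,nt
```

After changing the real file, auditd must reread its configuration (the STIG fixes leave that step to the administrator as well).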

Bluetooth devices must not be allowed to wake the computer.

Finding ID
OSX8-00-00955
Rule ID
SV-65655r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable the option that allows Bluetooth devices to wake the computer.

Fix Text

This control must be changed manually on the computer: open System Preferences->Bluetooth, click Advanced, and make sure "Allow Bluetooth devices to wake this computer" is not checked.

Check Content

To check if this setting is disabled run the following command as the primary user: defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled If the return value is "1", this is a finding.

Bluetooth Sharing must be disabled.

Finding ID
OSX8-00-00965
Rule ID
SV-65657r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Bluetooth Sharing must be disabled.

Fix Text

To disable Bluetooth Sharing, open System Preferences->Sharing and uncheck the box next to Bluetooth Sharing.

Check Content

To check if Bluetooth Sharing is enabled, open System Preferences->Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding.

The operating system must display the DoD-approved system use notification message or banner before granting access to the system.

Finding ID
OSX8-00-00185
Rule ID
SV-65659r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000023
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far as auditing and monitoring are concerned.

Fix Text

Create an RTF-formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security/

Check Content

The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder: ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document MUST read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not exactly worded this way, this is a finding.

The auditing tool, praudit, must be the one provided by Apple, Inc.

Finding ID
OSX8-00-00400
Rule ID
SV-65661r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000278
CCI
CCI-001496
Target Key
(None)
Documentable
No
Discussion

Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Cryptographic mechanisms must be used to protect the integrity of the audit tools used for audit reduction and reporting. The auditing tool, praudit, should be the one provided by Apple, Inc.

Fix Text

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

Check Content

Run the following command to ensure the audit tool, praudit, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/praudit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "7972f0ead62fd6610d4453f842f9e22b5dc14732". If it differs, this is a finding.

The input menu must not be shown in the login window.

Finding ID
OSX8-00-00940
Rule ID
SV-65663r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000023
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

The input menu must not be shown in the login window.

Fix Text

To disable the input menu at the login window, run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool FALSE

Check Content

To check if the input menu is available at the login window, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow showInputMenu If the setting is not "0", this is a finding.

The auditing tool, auditreduce, must be the one provided by Apple, Inc.

Finding ID
OSX8-00-00405
Rule ID
SV-65665r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000278
CCI
CCI-001496
Target Key
(None)
Documentable
No
Discussion

The auditing tool, auditreduce, should be the one provided by Apple, Inc.

Fix Text

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

Check Content

Run the following command to ensure the audit tool, auditreduce, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditreduce 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "3b7644bca759043242925af1e6c1c4f4f7dadbae". If it differs, this is a finding.

The auditing tool, audit, must be the one provided by Apple, Inc.

Finding ID
OSX8-00-00410
Rule ID
SV-65667r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000278
CCI
CCI-001496
Target Key
(None)
Documentable
No
Discussion

The auditing tool, audit, should be the one provided by Apple, Inc.

Fix Text

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

Check Content

Run the following command to ensure the audit tool, audit, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/audit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "e23e7f63cdef9c1844390a3c8f32122b671b68d3". If it differs, this is a finding.

The operating system, upon successful logon, must display to the user the date and time of the last logon (access).

Finding ID
OSX8-00-00200
Rule ID
SV-65669r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000025
CCI
CCI-000052
Target Key
(None)
Documentable
No
Discussion

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Fix Text

To set the SSH server to print the last login information, run the following command: sudo sed -i.bak 's/.*PrintLastLog.*/PrintLastLog yes/' /etc/sshd_config

Check Content

To see if SSH is configured to display the last login information, run the following command: grep ^PrintLastLog /etc/sshd_config | awk '{ print $2 }' If there is no result returned, or the result is "no", this is a finding.

The auditing tool, auditd, must be the one provided by Apple, Inc.

Finding ID
OSX8-00-00415
Rule ID
SV-65671r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000278
CCI
CCI-001496
Target Key
(None)
Documentable
No
Discussion

The auditing tool, auditd, should be the one provided by Apple, Inc.

Fix Text

If the check fails, you will need to obtain the correct files from the original 10.8 installation media.

Check Content

Run the following command to ensure the audit tool, auditd, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditd 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "abad487143d9bb99e06d945f69f8fab6e49460f1". If it differs, this is a finding.

Shared User Accounts must be disabled.

Finding ID
OSX8-00-00915
Rule ID
SV-65673r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Shared User Accounts must be disabled.

Fix Text

Remove, disable, or document with the IAO all shared accounts.

Check Content

Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account [which provides no individual identification and accountability] is mitigated.

The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.

Finding ID
OSX8-00-00020
Rule ID
SV-65675r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000028
CCI
CCI-000056
Target Key
(None)
Documentable
No
Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Once invoked, the session lock shall remain in place until the user reauthenticates. No other system activity aside from reauthentication can unlock the system.

Fix Text

To enforce this setting, it must be configured using a configuration profile.

Check Content

To check if the system has the correct setting in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "askForPassword" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

A password must be required to unlock each System Preference Pane.

Finding ID
OSX8-00-00920
Rule ID
SV-65677r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

A password must be required to access locked System Preferences.

Fix Text

To set the system to require a password to unlock every System Preference Pane, open System Preferences->Security & Privacy->Advanced, and make sure the box is checked to "Require an administrator password to access locked preferences".

Check Content

To check the status of the System Preference Pane authorization requirements, run the following command: sudo security authorizationdb read system.preferences | grep -A1 shared If the results display "true", this is a finding.

Automatic logout due to inactivity must be disabled.

Finding ID
OSX8-00-01085
Rule ID
SV-65679r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000028
CCI
CCI-000056
Target Key
(None)
Documentable
No
Discussion

Automatic logout due to inactivity must be disabled.

Fix Text

This setting should be configured with a configuration profile.

Check Content

To check if the system is configured to automatically log out after a period of time, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.autologout.AutoLogOutDelay" | awk '{ print $3 }' | sed 's/;//' If the result is not defined (nothing returned) or not "0", this is a finding.

Automatic login must be disabled.

Finding ID
OSX8-00-00925
Rule ID
SV-65681r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Automatic login must be disabled.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if the system is configured to automatically log in, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableAutoLoginClient | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.

The operating system must initiate a session lock after the organization-defined time period of inactivity.

Finding ID
OSX8-00-00010
Rule ID
SV-65683r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000029
CCI
CCI-000057
Target Key
(None)
Documentable
No
Discussion

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The organization defines the period of inactivity to pass before a session lock is initiated, so this must be configurable.

Fix Text

This setting is enforced using a configuration profile.

Check Content

To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: system_profiler SPConfigurationProfileDataType | grep idleTime | awk '{ print $3 }' | sed 's/;//' The check should return a value of "900" or less. If not, this is a finding.

The ability to use corners to disable the screen saver must be disabled.

Finding ID
OSX8-00-01095
Rule ID
SV-65685r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000029
CCI
CCI-000057
Target Key
(None)
Documentable
No
Discussion

The ability to use corners to disable the screen saver must be disabled.

Fix Text

Open System Preferences->Desktop & Screen Saver, and open Hot Corners. Make sure none of the corners is set to "Disable Screen Saver". This can be enforced using a configuration profile or managed preferences.

Check Content

To check if any of the hot corners are configured to disable the screen saver, run the following command for the logged in user: system_profiler SPConfigurationProfileDataType | grep wvous There should be 4 results (wvous-bl-corner, wvous-br-corner, wvous-tl-corner, wvous-tr-corner). If any of them are not defined to be "1", this is a finding.

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

Finding ID
OSX8-00-00005
Rule ID
SV-65687r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000031
CCI
CCI-000060
Target Key
(None)
Documentable
No
Discussion

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.

Fix Text

This is enforced using a configuration profile.

Check Content

To view the currently selected screen saver for the logged in user, run the following command: system_profiler SPConfigurationProfileDataType | grep moduleName If there is no result or defined moduleName, this is a finding.

The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.

Finding ID
OSX8-00-00030
Rule ID
SV-65689r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000032
CCI
CCI-000067
Target Key
(None)
Documentable
No
Discussion

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.

Fix Text

To edit the configuration of the audit daemon flags, open the /etc/security/audit_control file and make sure "lo" is listed in the "flags:" parameter. To programmatically do this, run the following command: sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s

Check Content

To check to make sure the audit daemon is configured to log all login events, both local and remote, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep lo The flag "lo" should be included in the list of flags set. If it is not, this is a finding.

The rexec service must be disabled.

Finding ID
OSX8-00-00035
Rule ID
SV-65691r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000033
CCI
CCI-000068
Target Key
(None)
Documentable
No
Discussion

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections.

Fix Text

To set the "rexec" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/exec Disabled 1

Check Content

The service "rexec" should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/exec Disabled If the result is not "1", this is a finding.

The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.

Finding ID
OSX8-00-00060
Rule ID
SV-65693r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000034
CCI
CCI-000085
Target Key
(None)
Documentable
No
Discussion

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.

Fix Text

Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDDriver.kext; sudo reboot

Check Content

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Automatic actions must be disabled for blank CDs.

Finding ID
OSX8-00-00085
Rule ID
SV-65695r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000035
CCI
CCI-000087
Target Key
(None)
Documentable
No
Discussion

Automatic actions must be disabled for blank CDs.

Fix Text

This setting must be configured using a configuration profile.

Check Content

To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.cd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

Automatic actions must be disabled for blank DVDs.

Finding ID
OSX8-00-00090
Rule ID
SV-65697r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000035
CCI
CCI-000087
Target Key
(None)
Documentable
No
Discussion

Automatic actions must be disabled for blank DVDs.

Fix Text

This setting must be configured using a configuration profile.

Check Content

To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.dvd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.

Automatic actions must be disabled for music CDs.

Finding ID
OSX8-00-00095
Rule ID
SV-65699r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000035
CCI
CCI-000087
Target Key
(None)
Documentable
No
Discussion

Automatic actions must be disabled for music CDs.

Fix Text

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a music CD" to "Ignore".

Check Content

To check if the system has the correct setting for music CDs, open up System Preferences, CDs & DVDs. The setting for "When you insert a music CD" should be set to "Ignore". If it is not, this is a finding.

Automatic actions must be disabled for video DVDs.

Finding ID
OSX8-00-00105
Rule ID
SV-65701r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000035
CCI
CCI-000087
Target Key
(None)
Documentable
No
Discussion

Automatic actions must be disabled for video DVDs.

Fix Text

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a video DVD" to "Ignore".

Check Content

To check if the system has the correct setting for video DVDs, open up System Preferences, CDs & DVDs. The setting for "When you insert a video DVD" should be set to "Ignore". If it is not, this is a finding.

The operating system must allocate audit record storage capacity.

Finding ID
OSX8-00-00295
Rule ID
SV-65703r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000044
CCI
CCI-000137
Target Key
(None)
Documentable
No
Discussion

Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. It is imperative that the operating system be configured to allocate storage capacity to contain audit records.

Fix Text

Edit the /etc/security/audit_control file, and change the value for "minfree" to the percentage of free space you require to keep available for the system. You can use the following command to set the "minfree" value to "10%": sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control

Check Content

The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.

The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.

Finding ID
OSX8-00-00300
Rule ID
SV-65705r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000045
CCI
CCI-000138
Target Key
(None)
Documentable
No
Discussion

Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Care must be taken to evaluate that the audit records being produced do not exceed the storage capacity.

Fix Text

To set the auditing daemon to expire logs after "10 GB" of space in the audit_control configuration file, run the following command: sudo sed -i.bak 's/.*expire-after.*/expire-after:10G/' /etc/security/audit_control; sudo audit -s

Check Content

The check displays the "expire-after" setting, which tells the audit system when to expire old logs (by size, by age, or both) so that audit records do not exhaust the volume. To view the current setting, run the following command: sudo grep expire-after /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.

The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Finding ID
OSX8-00-01355
Rule ID
SV-65707r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000047
CCI
CCI-000140
Target Key
(None)
Documentable
No
Discussion

It is critical that, when a system is at risk of failing to process audit logs as required, it detect the condition and take action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. In order for the audit control system to shut down when an audit processing failure occurs, the setting "ahlt" must be configured. The default setting is "cnt", which allows the system to continue running in the event of an audit processing failure.

Fix Text

Edit the /etc/security/audit_control file, and change the value for policy to include the setting "ahlt".

Check Content

The check will display the settings for the audit control system. To view the setting, run the following command: sudo grep policy /etc/security/audit_control | grep ahlt If there is no result, this is a finding.

The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.

Finding ID
OSX8-00-00305
Rule ID
SV-65709r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000048
CCI
CCI-000143
Target Key
(None)
Documentable
No
Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity were to be exceeded, then events that subsequently occur would not be recorded.

Fix Text

To set the value for "minfree" in the "audit_control" configuration file, run the following command: sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control; sudo audit -s

Check Content

The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
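As an added example that is not part of the STIG, the following POSIX shell script parses an audit_control file offline and applies the checks from the findings above: "lo" in the flags list (OSX8-00-00030), minfree (OSX8-00-00295 and OSX8-00-00305), expire-after (OSX8-00-00300) and "ahlt" in the policy list (OSX8-00-01355). It takes the file path as an argument so it can be run against a copy, and the sample file it builds is constructed here; the function and finding names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG: offline checker for the audit_control
# settings inspected by OSX8-00-00030, -00295, -00300, -01355 and -00305.
# Pass the path to an audit_control file (on a live OS X 10.8 host that is
# /etc/security/audit_control; the stand-alone run below uses a constructed sample).

# Print the value of the first "key:value" line for KEY, whitespace removed.
audit_control_get() {
  # $1 = file, $2 = key
  grep "^$2:" "$1" | head -n 1 | sed "s/^$2://" | tr -d ' \t'
}

# OSX8-00-00030: the "lo" (login/logout) class must be in the flags list.
# Matching whole list items avoids a false pass on a class name that merely
# contains the letters "lo".
check_flags_lo() {
  audit_control_get "$1" flags | tr ',' '\n' | grep -qx 'lo'
}

# OSX8-00-00295 / OSX8-00-00305: minfree must be set and at least the
# organization's minimum percentage ($2, default 10 as in the fix text).
check_minfree() {
  v=$(audit_control_get "$1" minfree)
  min=${2:-10}
  [ -n "$v" ] && [ "$v" -ge "$min" ] 2>/dev/null
}

# OSX8-00-00300: an expire-after limit (e.g. 10G) must be set.
check_expire_after() {
  v=$(audit_control_get "$1" expire-after)
  [ -n "$v" ]
}

# OSX8-00-01355: the policy list must contain "ahlt" (halt on audit failure).
check_policy_ahlt() {
  audit_control_get "$1" policy | tr ',' '\n' | grep -qx 'ahlt'
}

# Run every check, print PASS/FAIL per finding, return non-zero on any finding.
audit_control_report() {
  f=$1
  rc=0
  if check_flags_lo "$f"; then echo "PASS OSX8-00-00030 flags include lo"
  else echo "FAIL OSX8-00-00030 flags missing lo"; rc=1; fi
  if check_minfree "$f" "${2:-10}"; then echo "PASS OSX8-00-00295/00305 minfree set"
  else echo "FAIL OSX8-00-00295/00305 minfree unset or too low"; rc=1; fi
  if check_expire_after "$f"; then echo "PASS OSX8-00-00300 expire-after set"
  else echo "FAIL OSX8-00-00300 expire-after unset"; rc=1; fi
  if check_policy_ahlt "$f"; then echo "PASS OSX8-00-01355 policy includes ahlt"
  else echo "FAIL OSX8-00-01355 policy missing ahlt"; rc=1; fi
  return $rc
}

# Constructed sample audit_control (illustrative values, not from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:10
naflags:lo,aa
policy:cnt,argv,ahlt
filesz:2M
expire-after:10G
EOF
audit_control_report "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against a copy of the live file with `sudo cp /etc/security/audit_control /tmp/ac && sh checker.sh`, replacing the sample section with `audit_control_report /tmp/ac 10`; the exit status is non-zero when any finding is open.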

The operating system must provide a real-time alert when organization-defined audit failure events occur.

Finding ID
OSX8-00-00310
Rule ID
SV-65711r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000049
CCI
CCI-000144
Target Key
(None)
Documentable
No
Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.

Fix Text

Edit the /etc/security/audit_warn file to include the line: logger -p security.warning "audit warning: $@"

Check Content

To verify that the system log is receiving audit failures or warnings, run the following command: sudo grep logger /etc/security/audit_warn If this does not return: logger -p security.warning "audit warning: $@" this is a finding.

The operating system must employ cryptographic mechanisms to protect information in storage.

Finding ID
OSX8-00-00700
Rule ID
SV-65717r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000131
CCI
CCI-001019
Target Key
(None)
Documentable
No
Discussion

When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.

Fix Text

Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.

Check Content

To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.

The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

Finding ID
OSX8-00-00690
Rule ID
SV-65719r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000129
CCI
CCI-000888
Target Key
(None)
Documentable
No
Discussion

Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted.

Fix Text

To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

Check Content

The service "telnet" should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.

Finding ID
OSX8-00-00695
Rule ID
SV-65721r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000125
CCI
CCI-000877
Target Key
(None)
Documentable
No
Discussion

Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems includes the ability to access system configuration details, diagnostic information, user information, as well as installation of software.

Fix Text

To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

Check Content

The service "telnet" should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.

Finding ID
OSX8-00-00115
Rule ID
SV-65725r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000123
CCI
CCI-001682
Target Key
(None)
Documentable
No
Discussion

When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.

Fix Text

To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"

Check Content

If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.

The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.

Finding ID
OSX8-00-00575
Rule ID
SV-65729r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000113
CCI
CCI-000776
Target Key
(None)
Documentable
No
Discussion

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.

Fix Text

In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config

Check Content

To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2", this is a finding.

The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.

Finding ID
OSX8-00-00570
Rule ID
SV-65733r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000112
CCI
CCI-000774
Target Key
(None)
Documentable
No
Discussion

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.

Fix Text

In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config

Check Content

To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2", this is a finding.

The root account must be disabled for interactive use.

Finding ID
OSX8-00-01230
Rule ID
SV-65737r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000109
CCI
CCI-000770
Target Key
(None)
Documentable
No
Discussion

The root account must be disabled for interactive use.

Fix Text

To disable the root user account, run the following command: sudo dsenableroot -d

Check Content

To check if the root user has been enabled, run the following command: sudo dscl . -read /Users/root AuthenticationAuthority If the result does not return "No such key: AuthenticationAuthority", this is a finding.

The SSH PermitRootLogin option must be set correctly.

Finding ID
OSX8-00-00565
Rule ID
SV-65739r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000109
CCI
CCI-000770
Target Key
(None)
Documentable
No
Discussion

To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Fix Text

In order to make sure that PermitRootLogin is disabled in sshd, run the following command: sudo sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/sshd_config

Check Content

To check if SSH has root logins enabled, run the following command: sudo grep ^PermitRootLogin /etc/sshd_config | awk '{ print $2 }' If there is no result, or the result is set to "yes", this is a finding.

End users must not be able to override Gatekeeper settings.

Finding ID
OSX8-00-00711
Rule ID
SV-65741r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000103
CCI
CCI-000663
Target Key
(None)
Documentable
No
Discussion

Gatekeeper settings must be configured correctly.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check to make sure the user cannot override Gatekeeper settings, type the following code: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.

The system must allow only applications downloaded from the App Store to run.

Finding ID
OSX8-00-00710
Rule ID
SV-65745r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000103
CCI
CCI-000663
Target Key
(None)
Documentable
No
Discussion

Gatekeeper settings must be configured correctly.

Fix Text

This can be enforced using a configuration profile.

Check Content

To check to make sure only applications downloaded from the App Store are allowed to run, type the following code: system_profiler SPConfigurationProfileDataType | grep AllowIdentifiedDevelopers | awk '{ print $3 }' | sed 's/;//' If the returned value is not "0", this is a finding.

A configuration profile must exist to restrict launching of applications.

Finding ID
OSX8-00-00705
Rule ID
SV-65747r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000103
CCI
CCI-000663
Target Key
(None)
Documentable
No
Discussion

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.

Fix Text

A configuration profile should exist to restrict launching of applications.

Check Content

To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.

The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives.

Finding ID
OSX8-00-00560
Rule ID
SV-65749r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000100
CCI
CCI-000537
Target Key
(None)
Documentable
No
Discussion

Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.

Fix Text

To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1

Check Content

To check if automatic backups for the built-in "Time Machine" function of OS X are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is "0", then automatic backups are disabled. Although OS X does include Time Machine as a backup facility, please check with the organization's System Administrators for defined policies and procedures for workstation backups.

The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives.

Finding ID
OSX8-00-00555
Rule ID
SV-65751r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000099
CCI
CCI-000535
Target Key
(None)
Documentable
No
Discussion

Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Fix Text

To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1

Check Content

To check whether automatic backups for the built-in Time Machine function of OS X are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is "0", or the key does not exist, automatic backups are disabled. Note that AutoBackup only turns on the automatic schedule; a backup destination must also be configured before any backup is taken. Although OS X includes Time Machine as a backup facility, check with the organization's System Administrators for the defined policies and procedures for workstation backups.

AirDrop must be disabled.

Finding ID
OSX8-00-02050
Rule ID
SV-65753r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

AirDrop is an ad hoc, peer-to-peer file transfer service over Wi-Fi that lets nearby systems exchange files without going through the organization's network controls. It is an unnecessary network service on a workstation (SRG-OS-000096, CCI-000382) and must be disabled.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if AirDrop has been disabled, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableAirDrop | awk '{ print $3 }' | sed 's/;//' (awk is case-sensitive; the statement must be "print", not "Print", or nothing is output.) If the result is not "1", this is a finding.

The system must not have the UUCP service active.

Finding ID
OSX8-00-00550
Rule ID
SV-65757r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

UUCP (Unix-to-Unix Copy) is a legacy file transfer and mail relay service designed for dial-up links. It has no role on a modern workstation and, like any unnecessary service, must not be active (SRG-OS-000096, CCI-000382).

Fix Text

To disable UUCP, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.uucp" -dict Disabled -bool true

Check Content

To check if UUCP is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.uucp:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Bonjour multicast advertising must be disabled on the system.

Finding ID
OSX8-00-00545
Rule ID
SV-65759r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

Bonjour (mDNSResponder) multicast advertising announces the host name and the services the system offers to every device on the local network segment, which gives an adversary on that segment an inventory of targets. Advertising must be disabled (SRG-OS-000096, CCI-000382); the -NoMulticastAdvertisements option stops the advertisements while leaving name resolution functional.

Fix Text

To configure Bonjour to disable multicast advertising, run the following command: sudo /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist The change takes effect when mDNSResponder is reloaded or the system is rebooted. OS X updates may replace this system plist, so re-verify the setting after updates.

Check Content

To check if multicast advertisements have been disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | grep NoMulticastAdvertisements If nothing is returned, this is a finding.

Location Services must be disabled.

Finding ID
OSX8-00-00535
Rule ID
SV-65761r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

Location Services determines the system's physical location (from Wi-Fi and network data) and makes it available to applications and to Apple. This discloses where the workstation and its user are and is an unnecessary capability (SRG-OS-000096, CCI-000382); it must be disabled.

Fix Text

The setting is found in System Preferences->Security & Privacy->Privacy->Location Services. Uncheck the box that says "Enable Location Services". This setting can be enforced using a configuration profile.

Check Content

The setting is found in System Preferences->Security & Privacy->Privacy->Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableLocationServices | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.

Find My Mac messenger must be disabled.

Finding ID
OSX8-00-00532
Rule ID
SV-65763r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

The Find My Mac messenger daemon (com.apple.findmymacmessenger) is the companion to Find My Mac that handles the messages and sounds pushed to the system through Apple's iCloud service. It ties the workstation to an Apple ID and to a service outside organizational control, and must be disabled together with Find My Mac (OSX8-00-00531).

Fix Text

To disable Find My Mac messenger, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacmessenger" -dict Disabled -bool true

Check Content

To check if Find My Mac messenger is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacmessenger:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Find My Mac must be disabled.

Finding ID
OSX8-00-00531
Rule ID
SV-65765r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

Find My Mac (com.apple.findmymacd) reports the system's location to Apple's iCloud service and accepts remote lock and wipe commands from it. This ties the workstation to a personal Apple ID and an external service outside organizational control (SRG-OS-000096, CCI-000382); it must be disabled.

Fix Text

To disable Find My Mac, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacd" -dict Disabled -bool true

Check Content

To check if Find My Mac is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Sending diagnostic and usage data to Apple must be disabled.

Finding ID
OSX8-00-00530
Rule ID
SV-65767r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000096
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

Sending diagnostic and usage data to Apple transmits crash reports and system usage information to an external party. Those reports can disclose details of the system's configuration, installed software and activity, so the capability must be disabled (SRG-OS-000096, CCI-000382).

Fix Text

The setting is found in System Preferences->Security & Privacy->Privacy->Diagnostics & Usage. Uncheck the box that says "Send diagnostic & usage data to Apple". This setting can be enforced using a configuration profile.

Check Content

The setting is found in System Preferences->Security & Privacy->Privacy->Diagnostics & Usage. If the box that says "Send diagnostic & usage data to Apple" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep AutoSubmit | awk '{ print $3 }' | sed 's/;//' The pipeline strips the key name and the trailing semicolon, so the output is the bare value. If the result is not "0", this is a finding.

Remote Apple Events must be disabled.

Finding ID
OSX8-00-00975
Rule ID
SV-65769r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

Remote Apple Events (com.apple.AEServer) lets applications on other systems send Apple events to, and thereby control, applications on this system over the network. This remote-control service is not required on a workstation and must be disabled (SRG-OS-000095, CCI-000381).

Fix Text

To disable Remote Apple Events, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AEServer" -dict Disabled -bool true

Check Content

To check if Remote Apple Events is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AEServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The system preference panel iCloud must be removed.

Finding ID
OSX8-00-00520
Rule ID
SV-65771r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The iCloud preference pane lets a user enroll the system in Apple's iCloud service and synchronize documents, contacts, calendars and other data to storage outside organizational control. Removing the pane prevents users from configuring iCloud on the workstation (SRG-OS-000095, CCI-000381).

Fix Text

To remove the iCloud preference pane, run the following command: sudo rm -Rf /System/Library/PreferencePanes/iCloudPref.prefPane Note that OS X updates can reinstall removed system components, so this and the other removal requirements below should be re-checked after each update.

Check Content

To check for the existence of the iCloud preference panel, run the following command: ls -ald /System/Library/PreferencePanes/iCloudPref.prefPane If anything is returned, this is a finding.

The application Mail must be removed.

Finding ID
OSX8-00-00515
Rule ID
SV-65775r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Mail must be removed.

Fix Text

To remove Mail run the following command: sudo rm -Rf /Applications/Mail.app

Check Content

To check for the existence of Mail, run the following command: ls -ald /Applications/Mail.app If anything is returned, this is a finding.

The application Contacts must be removed.

Finding ID
OSX8-00-00510
Rule ID
SV-65777r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Contacts must be removed.

Fix Text

To remove Contacts run the following command: sudo rm -Rf /Applications/Contacts.app

Check Content

To check for the existence of Contacts, run the following command: ls -ald /Applications/Contacts.app If anything is returned, this is a finding.

The application Calendar must be removed.

Finding ID
OSX8-00-00505
Rule ID
SV-65779r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Calendar must be removed.

Fix Text

To remove Calendar, run the following command: sudo rm -Rf /Applications/Calendar.app

Check Content

To check for the existence of the Calendar application run the following command: ls -ald /Applications/Calendar.app If anything is returned, this is a finding.

The application App Store must be removed.

Finding ID
OSX8-00-00500
Rule ID
SV-65781r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application App Store must be removed.

Fix Text

To remove App Store, run the following command: sudo rm -Rf /Applications/App\ Store.app

Check Content

To check for the existence of App Store, run the following command: ls -ald /Applications/App\ Store.app If anything is returned, this is a finding.

The application Image Capture must be removed.

Finding ID
OSX8-00-00495
Rule ID
SV-65785r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Image Capture must be removed.

Fix Text

To remove Image Capture, run the following command: sudo rm -Rf /Applications/Image\ Capture.app

Check Content

To check for the existence of Image Capture, run the following command: ls -ald /Applications/Image\ Capture.app If anything is returned, this is a finding.

The application Messages must be removed.

Finding ID
OSX8-00-00490
Rule ID
SV-65789r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Messages must be removed.

Fix Text

To remove Messages, run the following command: sudo rm -Rf /Applications/Messages.app

Check Content

To check for the existence of Messages, run the following command: ls -ald /Applications/Messages.app If anything is returned, this is a finding.

The application iTunes must be removed.

Finding ID
OSX8-00-00485
Rule ID
SV-65791r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application iTunes must be removed.

Fix Text

To remove iTunes, run the following command: sudo rm -Rf /Applications/iTunes.app

Check Content

To check for the existence of iTunes run the following command: ls -ald /Applications/iTunes.app If anything is returned, this is a finding.

The application Game Center must be disabled.

Finding ID
OSX8-00-00481
Rule ID
SV-65793r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Game Center must be disabled.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if a configuration profile is configured to disable Game Center, run the following command: system_profiler SPConfigurationProfileDataType | grep GKFeatureGameCenterAllowed | awk '{ print $3 }' | sed 's/;//' If the result is not "0", this is a finding. This requirement is N/A if requirement OSX8-00-00480 is met.
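
The four profile-enforced checks above (DisableAirDrop, DisableLocationServices, AutoSubmit and GKFeatureGameCenterAllowed) all grep one key out of system_profiler SPConfigurationProfileDataType and strip it down to the value. The following is an added example, not part of the STIG, that does the same parsing in Python 3 over a constructed sample of that output. The sample text, the profile names and identifiers are made up; the key names and the "Key = value;" line form come from the checks above. It shows the case the one-line pipeline hides: when two installed profiles set the same key to different values, grep prints two lines, and the rule has to be read as "every profile that sets the key must set the required value".

```python
import re

# Constructed sample of `system_profiler SPConfigurationProfileDataType` output
# for a host with two profiles installed; real output uses the same indented
# "Key = value;" lines under each profile's payload.
SAMPLE_PROFILES = """Configuration Profiles:

    Workstation Restrictions:

      Profile Description: Constructed baseline profile
      Profile Identifier: com.example.restrictions
      Payload Data:
          DisableAirDrop = 1;
          DisableLocationServices = 1;
          GKFeatureGameCenterAllowed = 0;

    Diagnostics Settings:

      Profile Identifier: com.example.diagnostics
      Payload Data:
          AutoSubmit = 0;
          DisableAirDrop = 0;
"""

# One "Key = value;" payload line as printed by system_profiler.
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?);\s*$")


def payload_values(text, key):
    """All values the installed profiles set for `key`, in output order. This is
    the STIG pipeline (grep KEY | awk '{print $3}' | sed 's/;//') as a list, so a
    key set by two profiles yields two entries instead of two printed lines."""
    values = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group(1) == key:
            values.append(m.group(2).strip().strip('"'))
    return values


def profile_enforces(text, key, required):
    """STIG verdict for a profile-enforced setting: compliant only when at least
    one profile sets `key` and every profile that sets it uses `required`. A key
    no profile sets, or two profiles that disagree, is a finding."""
    values = payload_values(text, key)
    return bool(values) and all(v == required for v in values)


def findings(text, requirements):
    """Run several rules at once; returns the keys that are findings."""
    return [key for key, required in requirements
            if not profile_enforces(text, key, required)]


# Key and required value for the four profile-enforced rules above.
STIG_PROFILE_RULES = (
    ("DisableAirDrop", "1"),              # OSX8-00-02050
    ("DisableLocationServices", "1"),     # OSX8-00-00535
    ("AutoSubmit", "0"),                  # OSX8-00-00530
    ("GKFeatureGameCenterAllowed", "0"),  # OSX8-00-00481
)
```

On a host the text would come from running the system_profiler command with sudo and feeding its output to findings(); in the constructed sample only DisableAirDrop is a finding, because the second profile overrides the first with "0".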

The application Game Center must be removed.

Finding ID
OSX8-00-00480
Rule ID
SV-65803r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Game Center must be removed.

Fix Text

To remove Game Center, run the following command: sudo rm -Rf /Applications/Game\ Center.app

Check Content

To check for the existence of Game Center, run the following command: ls -ald /Applications/Game\ Center.app If anything is returned, this is a finding.

The application FaceTime must be removed.

Finding ID
OSX8-00-00475
Rule ID
SV-65805r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application FaceTime must be removed.

Fix Text

To remove FaceTime, run the following command: sudo rm -Rf /Applications/FaceTime.app

Check Content

To check for the existence of FaceTime, run the following command: ls -ald /Applications/FaceTime.app If anything is returned, this is a finding.

The application Chess must be removed.

Finding ID
OSX8-00-00470
Rule ID
SV-65807r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Chess must be removed.

Fix Text

To remove Chess, run the following command: sudo rm -Rf /Applications/Chess.app

Check Content

To check for the existence of Chess, run the following command: ls -ald /Applications/Chess.app If anything is returned, this is a finding.

The application Photo Booth must be removed.

Finding ID
OSX8-00-00465
Rule ID
SV-65811r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The application Photo Booth must be removed.

Fix Text

To remove Photo Booth, run the following command: sudo rm -Rf /Applications/Photo\ Booth.app

Check Content

To check for the existence of Photo Booth, run the following command: ls -ald /Applications/Photo\ Booth.app If anything is returned, this is a finding.

Application Restrictions must be enabled.

Finding ID
OSX8-00-00460
Rule ID
SV-65813r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions); disabling them reduces the attack surface of the operating system. End users should be restricted to running only approved applications.

Fix Text

A configuration profile should exist to restrict launching of applications.

Check Content

To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.

The racoon daemon must be disabled.

Finding ID
OSX8-00-00144
Rule ID
SV-65815r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The operating system must provide only essential capabilities and disable functions and services that are not required (SRG-OS-000095, CCI-000381). racoon is the IKE key-management daemon that negotiates IPsec security associations. It is not needed on a workstation that does not use IPsec, so it should be disabled. Note that the built-in L2TP/IPsec and Cisco IPSec VPN clients depend on racoon; a workstation that must use those VPN types will need a documented exception.

Fix Text

To disable racoon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.racoon" -dict Disabled -bool true

Check Content

To check if racoon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.racoon:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The NFS stat daemon must be disabled.

Finding ID
OSX8-00-00143
Rule ID
SV-65819r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The operating system must provide only essential capabilities and disable functions and services that are not required (SRG-OS-000095, CCI-000381). The NFS stat daemon (rpc.statd, launchd label com.apple.statd.notify) tracks client and server state for NFS file locking. NFS is not required on a workstation and should be disabled.

Fix Text

To disable the NFS stat daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.statd.notify" -dict Disabled -bool true

Check Content

To check if the NFS stat daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.statd.notify:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The NFS lock daemon must be disabled.

Finding ID
OSX8-00-00142
Rule ID
SV-65829r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The operating system must provide only essential capabilities and disable functions and services that are not required (SRG-OS-000095, CCI-000381). The NFS lock daemon (rpc.lockd, launchd label com.apple.lockd) implements file locking for NFS clients and servers. NFS is not required on a workstation and should be disabled.

Fix Text

To disable the NFS lock daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.lockd" -dict Disabled -bool true

Check Content

To check if the NFS lock daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.lockd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

The system must be configured to set the time automatically from a network time server.

Finding ID
OSX8-00-00325
Rule ID
SV-65831r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-OS-000056
CCI
CCI-000160
Target Key
(None)
Documentable
No
Discussion

The system must be configured to set the time automatically from a network time server. Accurate, synchronized time is required so that audit records and logs from this system can be correlated with those of other systems during an investigation (SRG-OS-000056, CCI-000160).

Fix Text

To enable the system to use a network time server, run the following: sudo systemsetup -setusingnetworktime on

Check Content

To check the setting for using a network time server, run the following command: sudo systemsetup -getusingnetworktime If the output is "Network Time: Off", this is a finding. (systemsetup requires administrator privileges, so it must be run with sudo.)

The network time server must be an authorized DoD time source.

Finding ID
OSX8-00-00330
Rule ID
SV-65833r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000056
CCI
CCI-000160
Target Key
(None)
Documentable
No
Discussion

The system must be configured to set the time automatically from a network time server. The network time server must be an authorized DoD time source.

Fix Text

To define the server to use for time synchronization, run the following command: sudo systemsetup -setnetworktimeserver <IP or FQDN> where <IP or FQDN> is the IP address or fully qualified domain name of the time server to use.

Check Content

To display the server used to synchronize time with, run the following command: sudo systemsetup -getnetworktimeserver If the server listed is not an authorized, organizationally defined DoD time source (for example, if it is still the default "time.apple.com"), this is a finding.

Audit Log files must have the correct permissions.

Finding ID
OSX8-00-00335
Rule ID
SV-65835r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000057
CCI
CCI-000162
Target Key
(None)
Documentable
No
Discussion

If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. Audit Log files should have the correct permissions. To ensure the veracity of audit data the operating system must protect audit information from unauthorized access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Some commonly employed methods include ensuring log files have the proper file system permissions utilizing file system protections and limiting log data location. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.

Fix Text

For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive, meaning no permission bit beyond owner read and group read may be set (so "400" passes, while "640" or "444" does not). If not, this is a finding.

Audit log files must be owned by root:wheel.

Finding ID
OSX8-00-00340
Rule ID
SV-65837r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000057
CCI
CCI-000162
Target Key
(None)
Documentable
No
Discussion

Audit log files should be owned by root:wheel. Ownership by any other user or group would let that account read or alter the audit trail, undermining the protection of audit information from unauthorized access (SRG-OS-000057, CCI-000162).

Fix Text

For any log file that returns incorrect ownership, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' Each line should begin with "0:0" followed by the file name. The first 0 is the UID, the second is the GID, with UID 0 being root and GID 0 being wheel. (The awk expression must place ":" between $3 and $4; without it the two numbers run together and "0:0" never appears.) If any line shows other values, this is a finding.

The NFS daemon must be disabled.

Finding ID
OSX8-00-00141
Rule ID
SV-65839r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The operating system must provide only essential capabilities and disable functions and services that are not required (SRG-OS-000095, CCI-000381). The NFS daemon (nfsd) serves the file systems listed in /etc/exports to other hosts over the network. A workstation has no need to export file systems, so NFS should be disabled.

Fix Text

To disable the NFS daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.nfsd" -dict Disabled -bool true

Check Content

To check if the NFS daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.nfsd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

Audit log files must not contain ACLs.

Finding ID
OSX8-00-00345
Rule ID
SV-65841r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000057
CCI
CCI-000162
Target Key
(None)
Documentable
No
Discussion

Audit log files should not contain ACLs. An access control list can grant read or write access to users or groups beyond what the POSIX permission bits show, so a file that appears to be mode 440 root:wheel could still be readable or writable by another account (SRG-OS-000057, CCI-000162).

Fix Text

For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

To check for ACLs on the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACL entries are printed on indented lines beneath the file that carries them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file has such entries, this is a finding.

Apple File Sharing must be disabled.

Finding ID
OSX8-00-00140
Rule ID
SV-65843r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000095
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

The operating system must provide only essential capabilities and disable functions and services that are not required (SRG-OS-000095, CCI-000381). Apple File Sharing (the AFP server, launchd label com.apple.AppleFileServer) serves the workstation's files to other systems over the network. A workstation is not a file server, so this service must be disabled.

Fix Text

To disable Apple File Sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AppleFileServer" -dict Disabled -bool true Use the typed -bool form shown here rather than an old-style '{ "Disabled" = 1; }' argument: the latter stores an untyped value that PlistBuddy does not report as "true", so the check below would still fail.

Check Content

To check if Apple File Sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AppleFileServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
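
Nine rules in this section (UUCP, Find My Mac messenger, Find My Mac, Remote Apple Events, racoon, the NFS stat, lock and nfsd daemons, and Apple File Sharing) share one mechanism: the service's launchd label gets a Disabled key in launchd's overrides.plist, and the check passes only when PlistBuddy prints "true" for it. The following is an added example, not part of the STIG, that applies that check to all nine labels at once using Python 3's plistlib over a constructed overrides.plist in XML form. The sample contents are made up; on a host the real file is /var/db/launchd.db/com.apple.launchd/overrides.plist, which plistlib.loads can read in its binary form as well. It also shows why the type matters: a value stored as the string "1" is not the boolean true and is a finding, which is the trap in the old-style '{ "Disabled" = 1; }' fix text.

```python
import plistlib

# Constructed sample of launchd's overrides.plist in XML form. On the host the
# file is /var/db/launchd.db/com.apple.launchd/overrides.plist (binary) and is
# read with PlistBuddy; plistlib.loads handles both the binary and XML forms.
SAMPLE_OVERRIDES = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.uucp</key>
    <dict><key>Disabled</key><true/></dict>
    <key>com.apple.nfsd</key>
    <dict><key>Disabled</key><false/></dict>
    <key>com.apple.AppleFileServer</key>
    <dict><key>Disabled</key><string>1</string></dict>
</dict>
</plist>
"""

# The launchd labels this STIG disables through overrides.plist.
STIG_LABELS = (
    "com.apple.uucp", "com.apple.findmymacmessenger", "com.apple.findmymacd",
    "com.apple.AEServer", "com.apple.racoon", "com.apple.statd.notify",
    "com.apple.lockd", "com.apple.nfsd", "com.apple.AppleFileServer",
)


def disabled_value(overrides, label):
    """What `PlistBuddy -c "print <label>:Disabled"` would show: the stored
    value, or None when the label or the key is absent (PlistBuddy errors out)."""
    entry = overrides.get(label)
    if not isinstance(entry, dict):
        return None
    return entry.get("Disabled")


def check_overrides(plist_bytes, labels=STIG_LABELS):
    """Apply the STIG check to every label: a finding unless Disabled is the
    boolean true. The integer 1 or the string "1" is a finding too, because
    PlistBuddy prints "true" only for a real boolean. Returns {label: reason}."""
    overrides = plistlib.loads(plist_bytes)
    findings = {}
    for label in labels:
        value = disabled_value(overrides, label)
        if value is None:
            findings[label] = "no override: service is still enabled"
        elif value is not True:          # `is True` rejects 1, "1" and "true"
            findings[label] = "Disabled is %r, not boolean true" % (value,)
    return findings
```

In the constructed sample only com.apple.uucp passes; com.apple.nfsd is explicitly enabled, com.apple.AppleFileServer carries the string "1", and the other six labels have no override at all, so check_overrides() reports eight findings. Each finding maps to the corresponding fix text above (defaults write ... "<label>" -dict Disabled -bool true).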

Audit Log files must have the correct permissions.

Finding ID
OSX8-00-00350
Rule ID
SV-65845r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000058
CCI
CCI-000163
Target Key
(None)
Documentable
No
Discussion

If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.

Fix Text

For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions to be "440" or less permissive. If not, this is a finding.

The operating system must employ automated mechanisms to centrally verify configuration settings.

Finding ID
OSX8-00-00455
Rule ID
SV-65849r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000093
CCI
CCI-000372
Target Key
(None)
Documentable
No
Discussion

Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when verifying configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.

Fix Text

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

Check Content

To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.

Audit log files must be owned by root:wheel.

Finding ID
OSX8-00-00355
Rule ID
SV-65851r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000058
CCI
CCI-000163
Target Key
(None)
Documentable
No
Discussion

Audit log files should be owned by root:wheel. Ownership by any other user or group would let that account modify the audit trail, undermining the protection of audit information from unauthorized modification (SRG-OS-000058, CCI-000163).

Fix Text

For any log file that returns an incorrect permission value, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

Prevent unauthorized users from reading or altering the audit logs. To check the ownership of the audit log files, run the following command: sudo -s ls -l `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should be owned by root:wheel. If not, this is a finding.

The audit log folder must be owned by root:wheel.

Finding ID
OSX8-00-00365
Rule ID
SV-65853r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000059
CCI
CCI-000164
Target Key
(None)
Documentable
No
Discussion

If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.

Fix Text

If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit (substitute the directory named by the "dir:" entry in /etc/security/audit_control if it is not the default /var/audit).

Check Content

To check the ownership of the audit log folder, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` | awk '{ print $3 ":" $4 }' The result should be "0:0". This command shows the UID and GID of the audit log directory, with the first "0" being root and the second "0" being wheel. If there is any other result, this is a finding.

Configuration profiles must be applied to the system.

Finding ID
OSX8-00-00450
Rule ID
SV-65855r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000092
CCI
CCI-000371
Target Key
(None)
Documentable
No
Discussion

Configuration settings are the configurable security-related parameters of the operating system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when making configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.

Fix Text

Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.

Check Content

To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.

The audit log folder must have the correct permissions.

Finding ID
OSX8-00-00370
Rule ID
SV-65857r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000059
CCI
CCI-000164
Target Key
(None)
Documentable
No
Discussion

The audit log folder should have correct permissions. If users other than root can list, enter or write to the directory, they can discover, read, replace or delete audit trails regardless of the permissions on the individual files (SRG-OS-000059, CCI-000164).

Fix Text

If the permissions on the audit log folder are incorrect, run the following command: sudo chmod 700 /var/audit (substitute the directory named by the "dir:" entry in /etc/security/audit_control if it is not the default /var/audit).

Check Content

To check the permissions of the audit log folder, run the following command: stat -f "%A:%N" `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive, meaning no group or other permission bits may be set. If not, this is a finding.

The audit log folder must not have ACLs.

Finding ID
OSX8-00-00375
Rule ID
SV-65861r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000059
CCI
CCI-000164
Target Key
(None)
Documentable
No
Discussion

The audit log folder should not have ACLs. An access control list on the directory can grant list, add or delete rights to users or groups beyond what the POSIX permission bits show, so a folder that appears to be mode 700 root:wheel could still be accessible to another account (SRG-OS-000059, CCI-000164).

Fix Text

If the log folder has an ACL, run the following command: sudo chmod -N [audit log folder] where [audit log folder] is the full path to the log folder in question.

Check Content

To check for ACLs on the audit log folder, run the following command: ls -le `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/"}'` | grep -v current The audit log folder listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If the folder contains this information, this is a finding.

The audit log folder must have correct permissions.

Finding ID
OSX8-00-00205
Rule ID
SV-65863r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000061
CCI
CCI-000166
Target Key
(None)
Documentable
No
Discussion

Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.

Fix Text

For every log file that returns incorrect permissions, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path of the log file that needs to be modified.

Check Content

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.

The Security assessment policy subsystem must be enabled.

Finding ID
OSX8-00-00430
Rule ID
SV-65865r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000090
CCI
CCI-000352
Target Key
(None)
Documentable
No
Discussion

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical software must be signed with a certificate that is recognized and approved by the organization.

Fix Text

To enable the Security assessment policy subsystem, run the following command: sudo spctl --master-enable

Check Content

To check the status of the Security assessment policy subsystem, run the following command: sudo spctl --status | grep enabled If nothing is returned, this is a finding.

The audit log folder must be owned by root:wheel.

Finding ID
OSX8-00-00210
Rule ID
SV-65867r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000061
CCI
CCI-000166
Target Key
(None)
Documentable
No
Discussion

Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.

Fix Text

For every log file that is not owned by root, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path of the log file that needs to be modified.

Check Content

To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' The results should read "0:0" in the first column: the first "0" is the UID (root) and the second "0" is the GID (wheel). If not, this is a finding.

The audit log folder must be owned by root:wheel.

Finding ID
OSX8-00-00215
Rule ID
SV-65869r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000061
CCI
CCI-000166
Target Key
(None)
Documentable
No
Discussion

Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.

Fix Text

If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit

Check Content

To check the ownership of the audit log folder, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` | awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit log directory, with the first "0" being root and the second "0" being wheel. If there is any other result, this is a finding.

The password-related hint field must not be used.

Finding ID
OSX8-00-00630
Rule ID
SV-65873r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The password-related hint field must not be used.

Fix Text

This is enforced using a configuration profile.

Check Content

To check if password hints are turned on, run the following command: system_profiler SPConfigurationProfileDataType | grep RetriesUntilHint | awk '{ print $3 }' | sed 's/;//' If the result is not "0" or is not defined, this is a finding.

The audit log folder must have correct permissions.

Finding ID
OSX8-00-00220
Rule ID
SV-65875r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000061
CCI
CCI-000166
Target Key
(None)
Documentable
No
Discussion

Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.

Fix Text

If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`

Check Content

To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.

The audit log files must not contain ACLs.

Finding ID
OSX8-00-00225
Rule ID
SV-65877r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000061
CCI
CCI-000166
Target Key
(None)
Documentable
No
Discussion

The audit log files should not contain ACLs.

Fix Text

For any log file that returns an ACL, run the following command: chmod -N [audit log file] where [audit log file] is the full path to the log file in question.

Check Content

To check for ACLs on the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file contains this information, this is a finding.

The operating system must provide audit record generation capability for the auditable events defined at the organizational level for the organization-defined information system components.

Finding ID
OSX8-00-00240
Rule ID
SV-65881r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000062
CCI
CCI-000169
Target Key
(None)
Documentable
No
Discussion

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events), for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.

Fix Text

To set the audit flags to the recommended setting, run the following command: sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.

Check Content

The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.

The flags option must be set in /etc/security/audit_control.

Finding ID
OSX8-00-00245
Rule ID
SV-65883r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000064
CCI
CCI-000172
Target Key
(None)
Documentable
No
Discussion

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).

Fix Text

To set the audit flags to the recommended setting, run the following command: sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.

Check Content

The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.
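The audit_control rules above (folder and file permissions and ownership under the "dir" setting, and the "flags" option) are checked with shell one-liners. The following is an added example, not part of the STIG, that parses a constructed audit_control file, compares its flags with the recommended set, and evaluates "700 or less permissive" as a permission-bit test rather than a numeric comparison; the sample file contents and all function names are assumptions.

```python
"""Offline checker for the audit_control rules (added example, not DISA's code).

Parses the flags and dir lines of /etc/security/audit_control and tests file
modes against a ceiling such as 700 or 440 the way the STIG phrases it, "X or
less permissive". A numeric comparison gets that wrong (077 < 700 as numbers,
yet 077 grants everything to group and others), so the test is done bit by bit.
"""
import os
import stat

# Recommended flags from the Fix Text of OSX8-00-00240 / OSX8-00-00245.
RECOMMENDED_FLAGS = "lo,ad,fr,fw,fc,fd,fm,pc,nt,aa"

# Constructed sample of /etc/security/audit_control, not a real system's file.
SAMPLE_AUDIT_CONTROL = """\
#
# audit_control: audit daemon configuration (constructed sample)
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""


def parse_audit_control(text):
    """Return {key: value} for 'key:value' lines, skipping comments and blanks.

    Does in one pass what the page's grep "^dir" and grep ^flags pipelines do.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def missing_flags(configured, required=RECOMMENDED_FLAGS):
    """Audit classes in `required` that are absent from the configured flags."""
    have = {f.strip() for f in configured.split(",") if f.strip()}
    want = [f.strip() for f in required.split(",") if f.strip()]
    return [f for f in want if f not in have]


def mode_within(actual, ceiling):
    """True if octal mode `actual` sets no permission bit that `ceiling` lacks.

    Both arguments are permission strings as printed by stat -f %A ("700").
    """
    actual_bits = int(actual, 8) & 0o7777
    ceiling_bits = int(ceiling, 8) & 0o7777
    return actual_bits & ~ceiling_bits == 0


def check_path(path, ceiling, owner_uid=0, owner_gid=0):
    """Findings for one real path (mode ceiling plus root:wheel ownership).

    Uses os.stat, so it runs anywhere; per the rules above the ceiling is "700"
    for the directory named by 'dir' and "440" for the log files inside it.
    """
    findings = []
    st = os.stat(path)
    mode = "%o" % stat.S_IMODE(st.st_mode)
    if not mode_within(mode, ceiling):
        findings.append("%s: mode %s is more permissive than %s" % (path, mode, ceiling))
    if (st.st_uid, st.st_gid) != (owner_uid, owner_gid):
        findings.append("%s: owner %d:%d is not %d:%d"
                        % (path, st.st_uid, st.st_gid, owner_uid, owner_gid))
    return findings


def audit_findings(audit_control_text):
    """Findings derived from the audit_control contents alone (no filesystem)."""
    findings = []
    settings = parse_audit_control(audit_control_text)
    if "dir" not in settings:
        findings.append("no 'dir' setting: audit log folder unknown")
    if not settings.get("flags"):
        findings.append("flags option is not set")
    else:
        gaps = missing_flags(settings["flags"])
        if gaps:
            findings.append("flags missing recommended classes: " + ",".join(gaps))
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT_CONTROL):
        print("FINDING:", finding)
    # Live check of the folder named by the real audit_control, when readable.
    try:
        with open("/etc/security/audit_control") as fh:
            live = parse_audit_control(fh.read())
        for finding in check_path(live["dir"], "700"):
            print("FINDING:", finding)
    except (OSError, KeyError):
        pass
```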

The operating system must enforce minimum password length.

Finding ID
OSX8-00-00590
Rule ID
SV-65885r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000078
CCI
CCI-000205
Target Key
(None)
Documentable
No
Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Fix Text

To set the policy to force the length of a password, a configuration profile must be created and applied to the workstation.

Check Content

To check the currently applied policies for password and accounts, use the following command: sudo system_profiler SPConfigurationProfileDataType | grep minLength The parameter minLength should be "15". If it is less than "15", this is a finding.

The OS X firewall must have logging enabled.

Finding ID
OSX8-00-00950
Rule ID
SV-65887r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000064
CCI
CCI-000172
Target Key
(None)
Documentable
No
Discussion

Firewall logging must be enabled. This requirement is NA if HBSS is used.

Fix Text

To enable the firewall logging, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

Check Content

To check if the OS X firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | grep on If the result is not enabled, this is a finding.

The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.

Finding ID
OSX8-00-00230
Rule ID
SV-65889r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000065
CCI
CCI-000174
Target Key
(None)
Documentable
No
Discussion

Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). The events that occur must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. The operating system must be able to have audit events correlated to the level of tolerance determined by the organization.

Fix Text

Configuration of startup processes is done via configuration files for each process or daemon. Make sure the file /System/Library/LaunchDaemons/com.apple.auditd.plist exists. If not, you may need to obtain a copy from the original installation media.

Check Content

To see if the audit daemon is loaded, run the following command: sudo launchctl list | grep -i com.apple.auditd The result returned should be " - 0 com.apple.auditd". If this is not running, this is a finding.

The OCSPStyle option must be set correctly.

Finding ID
OSX8-00-00615
Rule ID
SV-65891r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000066
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.

Fix Text

This is enforced using a configuration profile.

Check Content

To check whether OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.

The OCSPSufficientPerCert option must be set correctly.

Finding ID
OSX8-00-00616
Rule ID
SV-65893r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000066
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.

Fix Text

This is enforced using a configuration profile.

Check Content

To check whether OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.

The RevocationFirst option must be set correctly.

Finding ID
OSX8-00-00617
Rule ID
SV-65895r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000066
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.

Fix Text

This is enforced using a configuration profile.

Check Content

To check whether OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep RevocationFirst | awk '{ print $3 }' | sed 's/;//' The result should be "OCSP". If nothing is returned or the result is incorrect, this is a finding.

The telnet service must be disabled.

Finding ID
OSX8-00-00605
Rule ID
SV-65897r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-OS-000074
CCI
CCI-000197
Target Key
(None)
Documentable
No
Discussion

Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.

Fix Text

To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true

Check Content

The service "telnet" should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.

There must be no .netrc files on the system.

Finding ID
OSX8-00-00600
Rule ID
SV-65899r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000073
CCI
CCI-000196
Target Key
(None)
Documentable
No
Discussion

Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. There must be no ".netrc" files on the system.

Fix Text

To remove any ".netrc" files, run the following command: find / -name .netrc -exec rm {} \;

Check Content

To see if there are any ".netrc" files on the system, run the following command: sudo find / -name .netrc If there is anything found, this is a finding.

The CRLSufficientPerCert option must be set correctly.

Finding ID
OSX8-00-00619
Rule ID
SV-65901r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000066
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.

Fix Text

This is enforced using a configuration profile.

Check Content

To check whether CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.

The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.

Finding ID
OSX8-00-01465
Rule ID
SV-65995r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000232
CCI
CCI-001069
Target Key
(None)
Documentable
No
Discussion

Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.

Fix Text

Install an approved anti-virus solution onto the system.

Check Content

Ask the SA or IAO if an approved anti-virus solution is loaded on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no local anti-virus solution installed on the system, this is a finding.

Automatic actions must be disabled for picture CDs.

Finding ID
OSX8-00-00100
Rule ID
SV-66059r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000035
CCI
CCI-000087
Target Key
(None)
Documentable
No
Discussion

Automatic actions must be disabled for picture CDs.

Fix Text

Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a picture CD" to "Ignore".

Check Content

To check if the system has the correct setting for picture CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a picture CD" should be set to "Ignore". If it is not, this is a finding.

Bluetooth support software must be disabled.

Finding ID
OSX8-00-00080
Rule ID
SV-66061r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Bluetooth support software must be disabled.

Fix Text

Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions

Check Content

To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.

Infrared [IR] support must be removed.

Finding ID
OSX8-00-00075
Rule ID
SV-66145r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-000273
CCI
CCI-000086
Target Key
(None)
Documentable
No
Discussion

Infrared [IR] support must be removed.

Fix Text

To remove support for IR, run the following command: sudo rm -rf /System/Library/Extensions/AppleIRController.kext

Check Content

To check if the software support for IR is installed, run the following command: sudo ls -d /System/Library/Extensions/AppleIRController.kext If the result shows the file is present, this is a finding.

The FireWire protocol driver must be removed or disabled.

Finding ID
OSX8-00-00845
Rule ID
SV-68075r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.

Fix Text

To remove the driver for FireWire, run the following command: sudo rm -Rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext This should be enforced by a configuration profile.

Check Content

The following command checks for the presence of the FireWire protocol kext (driver). This is the primary driver for FireWire communication and, if removed, disables the ability to communicate with FireWire devices. If the command returns any value other than "No such file or directory", this is a finding: ls -ld /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.

The USB mass storage driver must be removed or disabled.

Finding ID
OSX8-00-00850
Rule ID
SV-68077r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.

Fix Text

To remove the USB mass storage kext, run the following command: sudo rm -Rf /System/Library/Extensions/IOUSBMassStorageClass.kext This should be enforced using a configuration profile.

Check Content

The following command checks for the presence of the USB mass storage kext (driver). If the command returns any value other than "No such file or directory", this is a finding: ls -ld /System/Library/Extensions/IOUSBMassStorageClass.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.

The Apple Storage Drivers must be removed or disabled.

Finding ID
OSX8-00-00855
Rule ID
SV-68079r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.

Fix Text

To remove the Apple Storage Drivers, run the following command: sudo rm -Rf /System/Library/Extensions/AppleStorageDrivers.kext This should be enforced by a configuration profile.

Check Content

The following command checks for the presence of the Apple Storage Drivers kext file. If the command returns any value other than "No such file or directory", this is a finding: ls -ld /System/Library/Extensions/AppleStorageDrivers.kext To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
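The configuration-profile checks on this page (password hints, minLength, the OCSP and CRL options, and the harddisk-external setting) each grep one key out of the system_profiler output. As an added example, not part of the STIG, the script below parses a constructed excerpt shaped like the lines those one-liners expect ("Key = Value;" scalars and "key" = ( a, b ); arrays) and evaluates all of those keys in one pass; the sample dump, the profile name and identifier in it, and the function names are assumptions.

```python
"""Parser for the system_profiler SPConfigurationProfileDataType checks.

Added example, not DISA's code. The page's grep/awk one-liners each pull one
key out of the profile dump; this reads the Payload Data entries once and
evaluates every profile-enforced setting cited on this page.
"""
import re

# Constructed excerpt of a profile dump; not captured from a real workstation.
# The profile name and identifier are placeholders.
SAMPLE_PROFILE_DUMP = """\
Configuration Profiles:

    Example Security Baseline (hypothetical):

      Profile Identifier: com.example.security.baseline
      Payload Data: {
          OCSPStyle = BestAttempt;
          OCSPSufficientPerCert = 1;
          RevocationFirst = OCSP;
          CRLSufficientPerCert = 1;
          RetriesUntilHint = 0;
          minLength = 12;
          "harddisk-external" =             (
              eject,
              alert
          );
          "harddisk-internal" =             (
              authenticate
          );
      }
"""

# `Key = Value;` (value optionally quoted) and the opening line of `Key = (`.
SCALAR_RE = re.compile(r'^"?([\w.\-]+)"?\s*=\s*"?([^";]*?)"?;$')
ARRAY_OPEN_RE = re.compile(r'^"?([\w.\-]+)"?\s*=\s*\($')


def parse_payload_keys(dump):
    """Flatten every `key = value;` and `key = ( ... );` entry into one dict.

    Nesting is not tracked: the STIG checks only ask whether a key is present
    with a given value, so a flat map of the last occurrence is enough.
    """
    keys = {}
    lines = [line.strip() for line in dump.splitlines()]
    i = 0
    while i < len(lines):
        m = ARRAY_OPEN_RE.match(lines[i])
        if m:
            items = []
            i += 1
            while i < len(lines) and not lines[i].startswith(")"):
                items.append(lines[i].rstrip(",").strip('"'))
                i += 1
            keys[m.group(1)] = items
        else:
            m = SCALAR_RE.match(lines[i])
            if m:
                keys[m.group(1)] = m.group(2)
        i += 1
    return keys


def profile_findings(dump):
    """Return a list of findings for the profile-enforced rules on this page."""
    keys = parse_payload_keys(dump)
    findings = []

    def expect(key, wanted, rule):
        got = keys.get(key)
        if got != wanted:
            findings.append("%s: %s is %r, expected %r" % (rule, key, got, wanted))

    # OSX8-00-00630: the password hint must be disabled.
    expect("RetriesUntilHint", "0", "OSX8-00-00630")
    # OSX8-00-00615 to OSX8-00-00619: certificate revocation settings.
    expect("OCSPStyle", "BestAttempt", "OSX8-00-00615")
    expect("OCSPSufficientPerCert", "1", "OSX8-00-00616")
    expect("RevocationFirst", "OCSP", "OSX8-00-00617")
    expect("CRLSufficientPerCert", "1", "OSX8-00-00619")
    # OSX8-00-00845/-00850/-00855: external disks must be ejected with an alert.
    expect("harddisk-external", ["eject", "alert"], "OSX8-00-00845")
    # OSX8-00-00590: minimum password length of 15.
    min_len = keys.get("minLength")
    if min_len is None or not min_len.isdigit() or int(min_len) < 15:
        findings.append("OSX8-00-00590: minLength is %r, expected at least 15" % min_len)
    return findings


if __name__ == "__main__":
    for finding in profile_findings(SAMPLE_PROFILE_DUMP):
        print("FINDING:", finding)
```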

The iPod Driver must be removed.

Finding ID
OSX8-00-00860
Rule ID
SV-68081r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.

Fix Text

To remove the iPod Driver kext, run the following command: sudo rm -Rf /System/Library/Extensions/iPodDriver.kext

Check Content

The following command checks for the presence of the iPod Driver kext (driver). If the command returns any value other than "No such file or directory", this is a finding: ls -ld /System/Library/Extensions/iPodDriver.kext

All users must use PKI authentication for login and privileged access.

Finding ID
OSX8-00-02055
Rule ID
SV-68083r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emergency access to a system for maintenance is acceptable, however.)

Fix Text

Implement PKI authentication using approved third-party PKI tools that integrate with an existing directory services infrastructure or, where no directory services infrastructure exists, with the local password database.

Check Content

Ask the SA or IAO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If a non-emergency account can log into the system or gain privileged access without a smart card, this is a finding.

The system must be integrated into a directory services infrastructure.

Finding ID
OSX8-00-02060
Rule ID
SV-68085r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active Directory, allow centralized management of users and passwords.

Fix Text

Integrate the system into an existing directory services infrastructure, such as Active Directory.

Check Content

Ask the SA or IAO if the system is integrated into a directory services infrastructure, such as Active Directory. If the system is not integrated into a directory service infrastructure, this is a finding. Mitigation: If there is no directory services infrastructure available, reduce severity to CAT III.

The usbmuxd daemon must be disabled.

Finding ID
OSX8-00-00862
Rule ID
SV-68087r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-OS-999999
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices.

Fix Text

To disable the usbmuxd daemon, run the following command: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist

Check Content

To check the status of the usbmuxd daemon, run the following command: sudo launchctl list | grep usbmuxd If there is any output, this is a finding.