Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257222 | APPL-13-002068 | SV-257222r905299_rule | Medium |
Description |
---|
Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures. Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00230 |
STIG | Date |
---|---|
Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2024-02-06 |
Check Text ( C-60907r905297_chk ) |
---|
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands: /bin/ls -le /Users This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which must be: 0: group:everyone deny delete For every authorized user account, also run the following command: /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user. This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be: drwx------+ 0: group:everyone deny delete The exception is the "Public" directory, whose permissions must match the following: drwxr-xr-x+ 0: group:everyone deny delete If the permissions returned by either of these checks differ from what is shown, this is a finding. |
Fix Text (F-60848r905298_fix) |
---|
Configure the macOS system to set the appropriate permissions for each user on the system with the following command: /usr/sbin/diskutil resetUserPermissions / DeviceNode UID, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired. |