
Apple OS X 10.10 (Yosemite) Workstation Security Technical Implementation Guide


Overview

Date         Finding Count (140)
2017-04-06   CAT I (High): 10   CAT II (Med): 115   CAT III (Low): 15
STIG Description
The Apple OS X 10.10 Workstation Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-59621 High The Security assessment policy subsystem must be enabled.
V-59529 High The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-59677 High The operating system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-59675 High Operating systems used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
V-59673 High Operating systems used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
V-59671 High The operating system must transmit only cryptographically-protected passwords.
V-59785 High The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-59715 High The sudoers file must be configured to authenticate users on a per-tty basis.
V-59531 High The operating system must implement cryptography to protect the integrity of remote access sessions.
V-59533 High The rshd service must be disabled.
V-59623 Medium The operating system must limit privileges to change software resident within software libraries.
V-59625 Medium A configuration profile must be installed.
V-59627 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-59551 Medium Automatic actions must be disabled for picture CDs.
V-59749 Medium The system must not send IPv4 ICMP redirects by default.
V-59747 Medium IP forwarding for IPv6 must not be enabled.
V-59745 Medium IP forwarding for IPv4 must not be enabled.
V-59743 Medium The system must ignore IPv4 ICMP redirect messages.
V-59741 Medium The system must not accept source-routed IPv4 packets.
V-59557 Medium The operating system must be configured such that emergency administrator accounts are never automatically disabled.
V-59699 Medium The operating system must restrict the ability of individuals to use USB storage devices.
V-59555 Medium The operating system must automatically remove or disable temporary user accounts after 72 hours.
V-59619 Medium Log folders must not contain ACLs.
V-59615 Medium Audit log folders must have mode 700 or less permissive.
V-59617 Medium Log files must not contain ACLs.
V-59611 Medium Audit log folders must be group-owned by wheel.
V-59613 Medium Audit log files must be mode 440 or less permissive.
V-59695 Medium The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on organization-defined information system components.
V-59697 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-59691 Medium The operating system must protect the confidentiality and integrity of all information at rest.
V-59693 Medium The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on organization-defined information system components.
V-59563 Medium The operating system must automatically audit account disabling actions.
V-59755 Medium The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-59561 Medium The operating system must automatically audit account modification.
V-59757 Medium Unused network devices must be disabled.
V-59567 Medium SMB File Sharing must be disabled unless required.
V-59751 Medium The system must not send IPv6 ICMP redirects by default.
V-59565 Medium The operating system must automatically audit account removal actions.
V-59753 Medium The system must prevent local applications from generating source-routed packets.
V-59597 Medium The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-59595 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events.
V-59593 Medium The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components.
V-59591 Medium The operating system must initiate session audits at system startup.
V-59805 Medium The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-59599 Medium The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-59545 Medium Automatic actions must be disabled for blank CDs.
V-59609 Medium Audit log files must be group-owned by wheel.
V-59603 Medium The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-59601 Medium The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-59607 Medium Audit log files must be owned by root.
V-59769 Medium The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
V-59683 Medium The SSH daemon ClientAliveInterval option must be set correctly.
V-59681 Medium End users must not be able to override Gatekeeper settings.
V-59687 Medium The SSH daemon LoginGraceTime must be set correctly.
V-59685 Medium The SSH daemon ClientAliveCountMax option must be set correctly.
V-59761 Medium Secure virtual memory must be used.
V-59571 Medium The NFS daemon must be disabled unless required.
V-59763 Medium Internet Sharing must be disabled.
V-59573 Medium The NFS lock daemon must be disabled unless required.
V-59765 Medium The operating system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
V-59575 Medium The NFS stat daemon must be disabled unless required.
V-59767 Medium The operating system must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-59577 Medium The system firewall must be configured with a default-deny policy.
V-59811 Medium System log files must be mode 640 or less permissive.
V-59817 Medium Operating systems sessions must audit non-local maintenance and diagnostic sessions organization-defined audit events.
V-59547 Medium Automatic actions must be disabled for blank DVDs.
V-59541 Medium Wi-Fi support software must be disabled.
V-59543 Medium Infrared [IR] support must be disabled.
V-59549 Medium Automatic actions must be disabled for music CDs.
V-59819 Medium The operating system must audit the execution of privileged functions.
V-59679 Medium The system must allow only applications downloaded from the App Store to run.
V-59815 Medium The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
V-59703 Medium The operating system must not allow an unattended or automatic logon to the system.
V-59553 Medium Automatic actions must be disabled for video DVDs.
V-59701 Medium The usbmuxd daemon must be disabled.
V-59807 Medium The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-59707 Medium The OS X firewall must have logging enabled.
V-59801 Medium Operating systems must enforce a 60-day maximum password lifetime restriction.
V-59705 Medium The login window must be configured to prompt for username and password, rather than show a list of users.
V-59803 Medium The operating system must prohibit password reuse for a minimum of five generations.
V-59709 Medium Bluetooth devices must not be allowed to wake the computer.
V-59559 Medium The operating system must automatically audit account creation.
V-59809 Medium System log files must be owned by root and group-owned by wheel or admin.
V-59669 Medium The operating system must enforce a minimum 15-character password length.
V-59665 Medium The operating system must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-59667 Medium Operating systems must enforce password complexity by requiring that at least one numeric character be used.
V-59663 Medium The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-59789 Medium All users must use PKI authentication for login and privileged access.
V-59813 Medium ACLs for system log files must be set correctly.
V-59711 Medium Bluetooth Sharing must be disabled.
V-59713 Medium Remote Apple Events must be disabled.
V-59527 Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-59651 Medium Find My Mac messenger must be disabled.
V-59653 Medium Location Services must be disabled.
V-59649 Medium Find My Mac must be disabled.
V-59655 Medium Bonjour multicast advertising must be disabled on the system.
V-59405 Medium The operating system must initiate a session lock after a 15-minute period of inactivity.
V-59657 Medium The UUCP service must be disabled.
V-59799 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-59579 Medium The operating system must generate audit records for privileged activities or other system-level access.
V-59791 Medium The system must be integrated into a directory services infrastructure.
V-59793 Medium The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-59795 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-59797 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify security levels occur.
V-59647 Medium Sending diagnostic and usage data to Apple must be disabled.
V-59645 Medium The system preference panel iCloud must be removed.
V-59729 Medium The finger service must be disabled.
V-59643 Medium Audit log folders must be owned by root.
V-59725 Medium The application firewall must be enabled.
V-59727 Medium All public directories must be owned by root or an application account.
V-59825 Medium Web Sharing must be disabled.
V-59721 Medium The root account must be the only account having a UID of 0.
V-59823 Medium The operating system must enforce an account lockout time period of 15 minutes in which three consecutive invalid logon attempts by a user are made.
V-59821 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-59535 Medium The operating system must monitor remote access methods.
V-59537 Medium The operating system must enforce requirements for remote connections to the information system.
V-59689 Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-59589 Medium The operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-59739 Medium All setuid executables on the system must be vendor-supplied.
V-59733 Medium The prompt for Apple ID and iCloud must be disabled.
V-59731 Medium The sticky bit must be set on all public directories.
V-59587 Medium Any publicly accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-59735 Medium Users must not have Apple IDs signed into iCloud.
V-59659 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-59569 Medium Apple File (AFP) Sharing must be disabled.
V-59629 Low The application FaceTime must be removed.
V-59633 Low The application Messages must be removed.
V-60389 Low The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-59639 Low The application Contacts must be removed.
V-59787 Low AirDrop must be disabled.
V-59641 Low The application Mail must be removed.
V-59723 Low Finder must be set to always empty Trash securely.
V-59539 Low The Bluetooth software driver must be removed.
V-59631 Low The application Game Center must be removed.
V-59637 Low The application Reminders must be removed.
V-59635 Low The application Calendar must be removed.
V-59581 Low The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the GUI.
V-59583 Low The SSH banner must contain the Standard Mandatory DoD Notice and Consent Banner.
V-59585 Low The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-59737 Low iTunes Music Sharing must be disabled.