UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Apple OS X 10.11 Security Technical Implementation Guide


Overview

Date Finding Count (119)
2018-01-04 CAT I (High): 7 CAT II (Med): 98 CAT III (Low): 14
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-67491 High The rshd service must be disabled.
V-67559 High The Security assessment policy subsystem must be enabled.
V-67709 High The sudoers file must be configured to authenticate users on a per-tty basis.
V-67609 High The operating system must implement cryptography to protect the integrity and confidentiality of data during transmission of remote access sessions, non-local maintenance sessions, and diagnostic communications.
V-67751 High The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-79059 High The OS X system must not use unencrypted FTP.
V-67487 High The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-67621 Medium The SSH daemon ClientAliveInterval option must be set correctly.
V-67497 Medium Wi-Fi support software must be disabled.
V-67493 Medium The operating system must enforce requirements for remote connections to the information system.
V-67499 Medium Infrared [IR] support must be disabled.
V-67721 Medium Users must not have Apple IDs signed into iCloud.
V-67725 Medium All setuid executables on the system must be vendor-supplied.
V-67727 Medium The system must not accept source-routed IPv4 packets.
V-67729 Medium The system must ignore IPv4 ICMP redirect messages.
V-67555 Medium Any connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-67553 Medium The operating system must generate audit records for DoD defined events such as: successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
V-67649 Medium The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
V-67661 Medium The operating system must prohibit password reuse for a minimum of five generations.
V-67719 Medium The prompt for Apple ID and iCloud must be disabled.
V-67715 Medium The finger service must be disabled.
V-67717 Medium The sticky bit must be set on all public directories.
V-67711 Medium The application firewall must be enabled.
V-67713 Medium All public directories must be owned by root or an application account.
V-67469 Medium The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-67541 Medium The system firewall must be configured with a default-deny policy.
V-67463 Medium The operating system must initiate a session lock after a 15-minute period of inactivity.
V-67655 Medium System log files must be owned by root and group-owned by wheel or admin.
V-67657 Medium The operating system must generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
V-67467 Medium The operating system must monitor remote access methods.
V-67651 Medium ACLs for system log files must be set correctly.
V-67465 Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-67653 Medium System log files must be mode 640 or less permissive.
V-67703 Medium Bluetooth devices must not be allowed to wake the computer.
V-67701 Medium The OS X firewall must have logging enabled.
V-67707 Medium Remote Apple Events must be disabled.
V-67705 Medium Bluetooth Sharing must be disabled.
V-67479 Medium Audit log files must be mode 440 or less permissive.
V-67471 Medium Audit log files must be owned by root.
V-67663 Medium Operating systems must enforce a 60-day maximum password lifetime restriction.
V-67473 Medium Audit log folders must be owned by root.
V-67475 Medium Audit log files must be group-owned by wheel.
V-67477 Medium Audit log folders must be group-owned by wheel.
V-67689 Medium The operating system must restrict the ability of individuals to use USB storage devices.
V-67681 Medium The operating system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
V-67687 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-67677 Medium The SSH daemon LoginGraceTime must be set correctly.
V-67673 Medium All users must use PKI authentication for login and privileged access.
V-67671 Medium The system must be integrated into a directory services infrastructure.
V-67679 Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-67565 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-67563 Medium A configuration profile must be installed.
V-67561 Medium The operating system must limit privileges to change software resident within software libraries.
V-67699 Medium The login window must be configured to prompt for username and password, rather than show a list of users.
V-67691 Medium The usbmuxd daemon must be disabled.
V-67693 Medium The operating system must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-67695 Medium The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
V-67697 Medium The operating system must not allow an unattended or automatic logon to the system.
V-67593 Medium Bonjour multicast advertising must be disabled on the system.
V-67591 Medium Location Services must be disabled.
V-67597 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-67595 Medium The UUCP service must be disabled.
V-67599 Medium The operating system must implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
V-67603 Medium Operating systems must enforce password complexity by requiring that at least one numeric character be used.
V-67483 Medium Log files must not contain ACLs.
V-67607 Medium The operating system must enforce a minimum 15-character password length.
V-67605 Medium The operating system must enforce password complexity by requiring that at least one special character be used.
V-67513 Medium The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-67511 Medium The operating system must automatically remove or disable temporary user accounts after 72 hours.
V-67517 Medium The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-67515 Medium The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-67551 Medium The operating system must initiate session audits at system startup.
V-67583 Medium The system preference panels iCloud and Internet Accounts must be disabled.
V-67585 Medium Sending diagnostic and usage data to Apple must be disabled.
V-67587 Medium Find My Mac must be disabled.
V-67589 Medium Find My Mac messenger must be disabled.
V-67617 Medium The system must allow only applications downloaded from the App Store to run.
V-67619 Medium End users must not be able to override Gatekeeper settings.
V-67509 Medium Automatic actions must be disabled for video DVDs.
V-67501 Medium Automatic actions must be disabled for blank CDs.
V-67753 Medium The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-67503 Medium Automatic actions must be disabled for blank DVDs.
V-67755 Medium Unused network devices must be disabled.
V-67505 Medium Automatic actions must be disabled for music CDs.
V-67507 Medium Automatic actions must be disabled for picture CDs.
V-67535 Medium The NFS daemon must be disabled unless required.
V-67747 Medium The system must not send IPv6 ICMP redirects by default.
V-67537 Medium The NFS lock daemon must be disabled unless required.
V-67745 Medium The system must not send IPv4 ICMP redirects by default.
V-67531 Medium SMB File Sharing must be disabled unless required.
V-67533 Medium Apple File (AFP) Sharing must be disabled.
V-67741 Medium Internet Sharing must be disabled.
V-67539 Medium The NFS stat daemon must be disabled unless required.
V-67623 Medium The SSH daemon ClientAliveCountMax option must be set correctly.
V-67749 Medium The system must prevent local applications from generating source-routed packets.
V-68155 Medium The operating system must generate audit records when successful/unsuccessful attempts to access/modify/delete objects, access/modify categories of information (e.g., classification levels), and delete privileges occur.
V-67733 Medium IP forwarding for IPv6 must not be enabled.
V-67523 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events, for privileged activities or other system-level access, all kernel module load, unload, and restart actions, all program initiations, and organizationally defined events for all non-local maintenance and diagnostic sessions.
V-67731 Medium IP forwarding for IPv4 must not be enabled.
V-67521 Medium The operating system must be configured such that emergency administrator accounts are never automatically disabled.
V-67737 Medium The operating system must enforce an account lockout time period of 15 minutes in which three consecutive invalid logon attempts by a user are made.
V-67735 Medium The operating system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
V-67481 Medium Audit log folders must have mode 700 or less permissive.
V-67739 Medium Web Sharing must be disabled.
V-67485 Medium Log folders must not contain ACLs.
V-67495 Low The Bluetooth software driver must be disabled.
V-67723 Low iTunes Music Sharing must be disabled.
V-67557 Low The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-67547 Low The SSH banner must contain the Standard Mandatory DoD Notice and Consent Banner.
V-67461 Low The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-67571 Low The application Messages must be disabled.
V-67573 Low The application Calendar must be disabled.
V-67575 Low The application Reminders must be disabled.
V-67577 Low The application Contacts must be disabled.
V-67579 Low The application Mail must be disabled.
V-67675 Low AirDrop must be disabled.
V-67569 Low The application Game Center must be disabled.
V-67567 Low The application FaceTime must be disabled.
V-67581 Low The application Notes must be disabled.