
Apple OS X 10.12 Security Technical Implementation Guide


Overview

Date: 2018-04-09
Finding Count: 121 (CAT I (High): 7, CAT II (Med): 103, CAT III (Low): 11)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.




Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-76035 High The OS X system must have the security assessment policy subsystem enabled.
V-75959 High The OS X system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission.
V-75961 High The OS X system must be configured to disable rshd service.
V-76117 High The OS X system must have the sudoers file configured to authenticate users on a per-tty basis.
V-76083 High The OS X system must not use unencrypted FTP.
V-76081 High The OS X system must not use telnet.
V-76163 High The OS X system must use a DoD anti-virus program.
V-76159 Medium The OS X system must automatically lock the account when three unsuccessful logon attempts in 15 minutes are exceeded.
V-76155 Medium The OS X system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
V-76157 Medium The OS X system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-76151 Medium The OS X system must be configured to disable Internet Sharing.
V-76153 Medium The OS X system must be configured to disable Web Sharing.
V-76019 Medium The OS X system must be configured with audit log files owned by root.
V-76015 Medium The OS X system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-76017 Medium The OS X system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
V-76011 Medium The OS X system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
V-76013 Medium The OS X system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-76149 Medium The OS X system must have unused network devices disabled.
V-76143 Medium The OS X system must not send IPv6 ICMP redirects by default.
V-76141 Medium The OS X system must not send IPv4 ICMP redirects by default.
V-76147 Medium The OS X system must not process Internet Control Message Protocol (ICMP) timestamp requests.
V-76145 Medium The OS X system must prevent local applications from generating source-routed packets.
V-76029 Medium The OS X system must be configured with audit log folders set to mode 700 or less permissive.
V-76021 Medium The OS X system must be configured with audit log folders owned by root.
V-76023 Medium The OS X system must be configured with audit log files group-owned by wheel.
V-76025 Medium The OS X system must be configured with audit log folders group-owned by wheel.
V-76027 Medium The OS X system must be configured with audit log files set to mode 440 or less permissive.
V-75947 Medium The OS X system must be configured to disable hot corners.
V-75949 Medium The OS X system must be configured to prevent Apple Watch from terminating a session lock.
V-76033 Medium The OS X system must be configured so that log folders do not contain access control lists (ACLs).
V-76031 Medium The OS X system must be configured so that log files do not contain access control lists (ACLs).
V-76139 Medium The OS X system must not have IP forwarding for IPv6 enabled.
V-76137 Medium The OS X system must not have IP forwarding for IPv4 enabled.
V-76135 Medium The OS X system must ignore IPv4 ICMP redirect messages.
V-76133 Medium All setuid executables on the OS X system must be documented.
V-75951 Medium The OS X system must initiate a session lock after a 15-minute period of inactivity.
V-75953 Medium The OS X system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-75955 Medium The OS X system must initiate the session lock no more than five seconds after a screen saver is started.
V-75957 Medium The OS X system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
V-76129 Medium The OS X system must be configured so that users do not have Apple IDs signed into iCloud.
V-76125 Medium The OS X system must be configured with the sticky bit set on all public directories.
V-76127 Medium The OS X system must be configured with the prompt for Apple ID and iCloud disabled.
V-76121 Medium The OS X system must be configured with all public directories owned by root or an application account.
V-76123 Medium The OS X system must be configured with the finger service disabled.
V-76183 Medium The OS X system must prohibit user installation of software without explicit privileged status.
V-76181 Medium The OS X system must be configured to lock the user session when a smart token is removed.
V-75969 Medium The OS X system must be configured with Infrared (IR) support disabled.
V-75967 Medium The OS X system must be configured with Wi-Fi support software disabled.
V-75963 Medium The OS X system must enforce requirements for remote connections to the information system.
V-76051 Medium The OS X system must be configured to disable the camera.
V-76053 Medium The OS X system must be configured to disable the system preference pane for iCloud.
V-76055 Medium The OS X system must be configured to disable the system preference pane for Internet Accounts.
V-76057 Medium The OS X system must be configured to disable the system preference pane for Siri.
V-76059 Medium The OS X system must be configured to disable Siri and dictation.
V-76119 Medium The OS X Application Firewall must be enabled.
V-76111 Medium The OS X system must be configured so that Bluetooth devices are not allowed to wake the computer.
V-76113 Medium The OS X system must be configured with Bluetooth Sharing disabled.
V-76115 Medium The OS X system must be configured to disable Remote Apple Events.
V-75979 Medium The OS X system must be configured with automatic actions disabled for video DVDs.
V-75973 Medium The OS X system must be configured with automatic actions disabled for blank DVDs.
V-75971 Medium The OS X system must be configured with automatic actions disabled for blank CDs.
V-75977 Medium The OS X system must be configured with automatic actions disabled for picture CDs.
V-75975 Medium The OS X system must be configured with automatic actions disabled for music CDs.
V-76107 Medium The OS X system logon window must be configured to prompt for username and password, rather than show a list of users.
V-76105 Medium The OS X system must not allow an unattended or automatic logon to the system.
V-76069 Medium The OS X system must be configured to disable the UUCP service.
V-76103 Medium The OS X system must be configured with the usbmuxd daemon disabled.
V-76101 Medium The OS X system must restrict the ability of individuals to use USB storage devices.
V-76065 Medium The OS X system must be configured to disable Location Services.
V-76067 Medium The OS X system must be configured to disable Bonjour multicast advertising.
V-76061 Medium The OS X system must be configured to disable sending diagnostic and usage data to Apple.
V-76063 Medium The OS X system must be configured to disable the Find My Mac iCloud service.
V-76109 Medium The OS X firewall must have logging enabled.
V-76269 Medium The OS X system must not accept source-routed IPv4 packets.
V-76087 Medium The OS X system must be configured so that end users cannot override Gatekeeper settings.
V-76085 Medium The OS X system must allow only applications downloaded from the App Store to run.
V-76089 Medium The OS X system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
V-76173 Medium The OS X system must be configured with system log files owned by root and group-owned by wheel or admin.
V-76171 Medium The OS X system must prohibit password reuse for a minimum of five generations.
V-76079 Medium The OS X system must enforce a minimum 15-character password length.
V-76177 Medium The OS X system must be configured with access control lists (ACLs) for system log files to be set correctly.
V-76175 Medium The OS X system must be configured with system log files set to mode 640 or less permissive.
V-76073 Medium The OS X system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-76179 Medium The OS X system must audit the enforcement actions used to restrict access associated with changes to the system.
V-76071 Medium The OS X system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-76077 Medium The OS X system must enforce password complexity by requiring that at least one special character be used.
V-76075 Medium The OS X system must enforce password complexity by requiring that at least one numeric character be used.
V-75987 Medium The OS X system must be configured to disable SMB File Sharing unless it is required.
V-75985 Medium The OS X system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
V-75983 Medium The OS X system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-75981 Medium The OS X system must automatically remove or disable temporary user accounts after 72 hours.
V-75989 Medium The OS X system must be configured to disable Apple Filing Protocol (AFP) file sharing.
V-76095 Medium The OS X system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-76097 Medium The OS X system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
V-76091 Medium The OS X system must be configured with the SSH daemon ClientAliveCountMax option set to 0.
V-76093 Medium The OS X system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
V-76099 Medium The OS X system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously where HBSS is used; 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by Computer Network Defense Service Provider (CNDSP).
V-76161 Medium The OS X system must shut down by default upon audit failure (unless availability is an overriding concern).
V-76167 Medium The OS X system must be integrated into a directory services infrastructure.
V-76169 Medium The OS X system must enforce a 60-day maximum password lifetime restriction.
V-75995 Medium The OS X system must be configured to disable the Network File System (NFS) stat daemon unless it is required.
V-75997 Medium The OS X system firewall must be configured with a default-deny policy.
V-75991 Medium The OS X system must be configured to disable the Network File System (NFS) daemon unless it is required.
V-76009 Medium The OS X system must enable System Integrity Protection.
V-75993 Medium The OS X system must be configured to disable the Network File System (NFS) lock daemon unless it is required.
V-76007 Medium The OS X system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, where the events occurred, the source of the event, and the outcome of the events, including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.
V-76005 Medium The OS X system must generate audit records for DoD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
V-76003 Medium The OS X system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-75999 Medium The OS X system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system.
V-76001 Medium The OS X system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-75945 Low The OS X system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-76037 Low The OS X system must be configured to disable the application FaceTime.
V-76039 Low The OS X system must be configured to disable the application Messages.
V-76131 Low The OS X system must be configured with iTunes Music Sharing disabled.
V-76043 Low The OS X system must be configured to disable the iCloud Reminders services.
V-76041 Low The OS X system must be configured to disable the iCloud Calendar services.
V-76047 Low The OS X system must be configured to disable the Mail iCloud services.
V-76045 Low The OS X system must be configured to disable iCloud Address Book services.
V-76049 Low The OS X system must be configured to disable the iCloud Notes services.
V-75965 Low The OS X system must be configured with Bluetooth turned off unless approved by the organization.
V-76165 Low The OS X system must be configured to disable AirDrop.
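Several of the findings above reduce to a single configuration value: the SSH daemon findings (V-76089 ClientAliveInterval, V-76091 ClientAliveCountMax, V-76093 LoginGraceTime) and the network findings that map to kernel sysctl knobs (ICMP redirects, IP forwarding, source routing, ICMP timestamps). The script below is an added example, not part of the STIG and not DISA's check content. It audits a copy of sshd_config and a "key: value" sysctl dump offline, so it can be run on any POSIX shell against files collected from a 10.12 host. The sysctl names and required values it uses are my assumed mapping from the finding titles to the kernel knobs; the sample sshd_config and sysctl dump are constructed for the demo, and the exact thresholds should be confirmed against each finding's own check text.

```shell
#!/bin/sh
# Added example, not STIG or DISA check content: an offline checker for the sshd
# findings (V-76089, V-76091, V-76093) and the network sysctl findings above.
# It reads a copy of sshd_config and a "key: value" dump as printed by
# `sysctl -a` on macOS, so it runs on any POSIX sh against files collected from
# a 10.12 host. The sysctl names/values below are an ASSUMED mapping from the
# finding titles to kernel knobs; confirm them against each finding's check text.

# Effective value of an sshd_config keyword: sshd honours the FIRST occurrence,
# matches keywords case-insensitively and treats "#" lines as comments.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Value of one key in a "key: value" sysctl dump (empty if absent).
sysctl_value() { awk -v key="$2:" '$1 == key { print $2; exit }' "$1"; }

# True if $1 is a non-negative integer (empty string is not).
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# V-76089: ClientAliveInterval 900 or less. sshd's default is 0, which disables
# the alive check, so unset or 0 is counted as a finding (stricter than the title).
check_v76089() {
    v=$(sshd_value "$1" ClientAliveInterval)
    is_int "$v" && [ "$v" -gt 0 ] && [ "$v" -le 900 ]
}
# V-76091: ClientAliveCountMax 0. sshd's default is 3, so unset is a finding.
check_v76091() { [ "$(sshd_value "$1" ClientAliveCountMax)" = 0 ]; }
# V-76093: LoginGraceTime 30 or less. Default is 120 and 0 means no limit.
check_v76093() {
    v=$(sshd_value "$1" LoginGraceTime)
    is_int "$v" && [ "$v" -gt 0 ] && [ "$v" -le 30 ]
}

# Run the sshd checks, print one line per finding, return the fail count.
check_sshd_config() {
    fails=0
    for id in V-76089 V-76091 V-76093; do
        fn="check_$(printf '%s' "$id" | sed 's/^V-/v/')"
        if "$fn" "$1"; then echo "$id PASS"; else echo "$id FAIL"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Finding, sysctl key, required value (assumed mapping, see header comment).
SYSCTL_TABLE='
V-76141 net.inet.ip.redirect 0
V-76143 net.inet6.ip6.redirect 0
V-76137 net.inet.ip.forwarding 0
V-76139 net.inet6.ip6.forwarding 0
V-76135 net.inet.icmp.drop_redirect 1
V-76145 net.inet.ip.sourceroute 0
V-76147 net.inet.icmp.timestamp 0
V-76269 net.inet.ip.accept_sourceroute 0
'

# Check every table row against the dump; a missing key is a finding, not a pass.
check_sysctl_dump() {
    fails=0
    while read -r id key want; do
        [ -z "$id" ] && continue
        got=$(sysctl_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "$id PASS $key=$got"
        else
            echo "$id FAIL $key=${got:-<missing>} (want $want)"
            fails=$((fails + 1))
        fi
    done <<EOF
$SYSCTL_TABLE
EOF
    return "$fails"
}

# Stand-alone demo on CONSTRUCTED samples (not from a real host): one finding in
# each (LoginGraceTime 120; net.inet.ip.redirect=1). The trailing lowercase
# clientaliveinterval line is ignored because sshd keeps the first occurrence.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
ClientAliveInterval 900
ClientAliveCountMax 0
LoginGraceTime 120
clientaliveinterval 0
EOF
cat > "$tmp/sysctl.txt" <<'EOF'
net.inet.ip.forwarding: 0
net.inet.ip.redirect: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.icmp.drop_redirect: 1
net.inet.icmp.timestamp: 0
net.inet6.ip6.forwarding: 0
net.inet6.ip6.redirect: 0
EOF
check_sshd_config "$tmp/sshd_config" || echo "sshd_config: $? finding(s)"
check_sysctl_dump "$tmp/sysctl.txt" || echo "sysctl: $? finding(s)"
rm -rf "$tmp"
```

Two points worth noting when adapting this to a live host: sshd takes the first occurrence of a keyword, so a hardened value appended to the end of an sshd_config that already sets the keyword earlier has no effect, which is why `sshd_value` stops at the first match; and a value changed with `sysctl -w` applies to the running kernel only, so a dump taken after a reboot is the one that reflects the persistent state.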