Apple OS X 10.13 Security Technical Implementation Guide


Overview

Date: 2019-07-01
Finding Count (134): CAT I (High): 10, CAT II (Med): 113, CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-81733 High The macOS system must be integrated into a directory services infrastructure.
V-81729 High The macOS system must use a DoD antivirus program.
V-81645 High The macOS system must not use unencrypted FTP.
V-81643 High The macOS system must not use telnet.
V-81555 High The macOS system must have the security assessment policy subsystem enabled.
V-81477 High The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission.
V-81479 High The macOS system must be configured to disable rshd service.
V-81679 High The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.
V-81615 High The macOS system must not have a guest account.
V-81617 High The macOS system must unload tftpd.
V-81501 Medium The macOS system must automatically remove or disable temporary user accounts after 72 hours.
V-81503 Medium The macOS system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-81505 Medium The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
V-81507 Medium The macOS system must be configured to disable SMB File Sharing unless it is required.
V-81509 Medium The macOS system must be configured to disable Apple File (AFP) Sharing.
V-81625 Medium The macOS system must disable iCloud document synchronization.
V-81481 Medium The macOS system must enforce requirements for remote connections to the information system.
V-81627 Medium The macOS system must disable iCloud bookmark synchronization.
V-81621 Medium The macOS system must disable iCloud Back to My Mac feature.
V-81623 Medium The macOS system must disable iCloud Keychain synchronization.
V-81629 Medium The macOS system must disable iCloud Photo Library.
V-81749 Medium The macOS system must enable certificate for smartcards.
V-81747 Medium The macOS system must be configured to lock the user session when a smart token is removed.
V-81745 Medium The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
V-81743 Medium The macOS system must be configured with access control lists (ACLs) for system log files to be set correctly.
V-81741 Medium The macOS system must be configured with system log files set to mode 640 or less permissive.
V-81641 Medium The macOS system must enforce a minimum 15-character password length.
V-81539 Medium The macOS system must be configured with audit log files owned by root.
V-81535 Medium The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-81537 Medium The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
V-81531 Medium The macOS system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
V-81533 Medium The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-81633 Medium The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-81631 Medium The macOS system must disable iCloud Desktop And Documents.
V-81637 Medium The macOS system must enforce password complexity by requiring that at least one numeric character be used.
V-81635 Medium The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-81639 Medium The macOS system must enforce password complexity by requiring that at least one special character be used.
V-81739 Medium The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
V-81737 Medium The macOS system must prohibit password reuse for a minimum of five generations.
V-81735 Medium The macOS system must enforce a 60-day maximum password lifetime restriction.
V-81529 Medium The macOS system must enable System Integrity Protection.
V-81523 Medium The macOS system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-81521 Medium The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-81527 Medium The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system.
V-81525 Medium The macOS system must generate audit records for DoD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
V-81647 Medium The macOS system must allow only applications downloaded from the App Store or properly signed to run.
V-81487 Medium The macOS system must be configured with Infrared [IR] support disabled.
V-81489 Medium The macOS system must be configured with automatic actions disabled for blank CDs.
V-81721 Medium The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
V-81723 Medium The macOS system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user.
V-81725 Medium The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
V-81649 Medium The macOS system must be configured so that end users cannot override Gatekeeper settings.
V-81727 Medium The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
V-81549 Medium The macOS system must be configured with audit log folders set to mode 700 or less permissive.
V-81715 Medium The macOS system must have unused network devices disabled.
V-81717 Medium The macOS system must be configured to disable Internet Sharing.
V-81485 Medium The macOS system must be configured with Wi-Fi support software disabled.
V-81711 Medium The macOS system must prevent local applications from generating source-routed packets.
V-81553 Medium The macOS system must be configured so that log folders must not contain access control lists (ACLs).
V-81551 Medium The macOS system must be configured so that log files must not contain access control lists (ACLs).
V-81655 Medium The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
V-81657 Medium The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-81651 Medium The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
V-81499 Medium The macOS system must be configured with automatic actions disabled for video DVDs.
V-81497 Medium The macOS system must be configured with automatic actions disabled for picture CDs.
V-81493 Medium The macOS system must be configured with automatic actions disabled for music CDs.
V-81491 Medium The macOS system must be configured with automatic actions disabled for blank DVDs.
V-81467 Medium The macOS system must be configured to prevent Apple Watch from terminating a session lock.
V-81465 Medium The macOS system must be configured to disable hot corners.
V-81469 Medium The macOS system must initiate a session lock after a 15-minute period of inactivity.
V-81703 Medium The macOS system must not have IP forwarding for IPv6 enabled.
V-81701 Medium The macOS system must not have IP forwarding for IPv4 enabled.
V-81707 Medium The macOS system must not send IPv6 ICMP redirects by default.
V-81705 Medium The macOS system must not send IPv4 ICMP redirects by default.
V-81545 Medium The macOS system must be configured with audit log folders group-owned by wheel.
V-81547 Medium The macOS system must be configured with audit log files set to mode 440 or less permissive.
V-81541 Medium The macOS system must be configured with audit log folders owned by root.
V-81543 Medium The macOS system must be configured with audit log files group-owned by wheel.
V-81661 Medium The macOS system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously where HBSS is used; 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by Computer Network Defense Service Provider (CNDSP).
V-81663 Medium The macOS system must restrict the ability of individuals to use USB storage devices.
V-81665 Medium The macOS system must be configured to not allow iTunes file sharing.
V-81667 Medium The macOS system must not allow an unattended or automatic logon to the system.
V-81669 Medium The macOS system logon window must be configured to prompt for username and password, rather than show a list of users.
V-81471 Medium The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-81473 Medium The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
V-81475 Medium The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
V-81579 Medium The macOS system must be configured to disable Siri and dictation.
V-81713 Medium The macOS system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-81571 Medium The macOS system must be configured to disable the camera.
V-81573 Medium The macOS system must be configured to disable the system preference pane for iCloud.
V-81575 Medium The macOS system must be configured to disable the system preference pane for Internet Accounts.
V-81577 Medium The macOS system must be configured to disable the system preference pane for Siri.
V-81677 Medium The macOS system must be configured to disable Remote Apple Events.
V-81675 Medium The macOS system must be configured with Bluetooth Sharing disabled.
V-81673 Medium The macOS system must be configured so that Bluetooth devices are not allowed to wake the computer.
V-81671 Medium The macOS firewall must have logging enabled.
V-81719 Medium The macOS system must be configured to disable Web Sharing.
V-81683 Medium The macOS system must be configured with all public directories owned by root or an application account.
V-81681 Medium The macOS Application Firewall must be enabled.
V-81687 Medium The macOS system must be configured with the sticky bit set on all public directories.
V-81685 Medium The macOS system must be configured with the finger service disabled.
V-81689 Medium The macOS system must be configured with the prompt for Apple ID and iCloud disabled.
V-81609 Medium The macOS system must disable the Touch ID feature.
V-81603 Medium The macOS system must be configured to disable Location Services.
V-81601 Medium The macOS system must be configured to disable the iCloud Find My Mac service.
V-81607 Medium The macOS system must be configured to disable the UUCP service.
V-81605 Medium The macOS system must be configured to disable Bonjour multicast advertising.
V-81653 Medium The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 0.
V-81513 Medium The macOS system must be configured to disable the Network File System (NFS) lock daemon unless it is required.
V-81691 Medium The macOS system must be configured so that users do not have Apple IDs signed into iCloud.
V-81511 Medium The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
V-81517 Medium The macOS system firewall must be configured with a default-deny policy.
V-81695 Medium All setuid executables on the macOS system must be documented.
V-81515 Medium The macOS system must be configured to disable the Network File System (NFS) stat daemon unless it is required.
V-81697 Medium The macOS system must not accept source-routed IPv4 packets.
V-81699 Medium The macOS system must ignore IPv4 ICMP redirect messages.
V-81519 Medium The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system.
V-81659 Medium The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
V-81751 Medium The macOS system must prohibit user installation of software without explicit privileged status.
V-81619 Medium The macOS system must disable Siri pop-ups.
V-81599 Medium The macOS system must be configured to disable sending diagnostic and usage data to Apple.
V-81611 Medium The macOS system must obtain updates from a DoD-approved update server.
V-81613 Medium The macOS system must not have a root account.
V-81483 Low The macOS system must be configured with Bluetooth turned off unless approved by the organization.
V-81731 Low The macOS system must be configured to disable AirDrop.
V-81559 Low The macOS system must be configured to disable the application Messages.
V-81557 Low The macOS system must be configured to disable the application FaceTime.
V-81463 Low The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-81567 Low The macOS system must be configured to disable the iCloud Mail services.
V-81565 Low The macOS system must be configured to disable iCloud Address Book services.
V-81563 Low The macOS system must be configured to disable the iCloud Reminders services.
V-81561 Low The macOS system must be configured to disable the iCloud Calendar services.
V-81569 Low The macOS system must be configured to disable the iCloud Notes services.
V-81693 Low The macOS system must be configured with iTunes Music Sharing disabled.