Apple OS X 10.13 Security Technical Implementation Guide


Overview

Date: 2021-11-19
Finding Count: 134 (CAT I (High): 11; CAT II (Med): 114; CAT III (Low): 9)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-214810 High The macOS system must be configured to disable rshd service.
V-214868 High The macOS system must not have a guest account.
V-214869 High The macOS system must unload tftpd.
V-214926 High The macOS system must be integrated into a directory services infrastructure.
V-214924 High The macOS system must use a DoD antivirus program.
V-214847 High The macOS system must have the security assessment policy subsystem enabled.
V-214856 High The macOS system must be configured to disable the system preference pane for iCloud.
V-214900 High The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.
V-214809 High The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission.
V-214882 High The macOS system must not use telnet.
V-214883 High The macOS system must not use unencrypted FTP.
V-214813 Medium The macOS system must be configured with Wi-Fi support software disabled.
V-214817 Medium The macOS system must be configured with automatic actions disabled for music CDs.
V-214816 Medium The macOS system must be configured with automatic actions disabled for blank DVDs.
V-214815 Medium The macOS system must be configured with automatic actions disabled for blank CDs.
V-214814 Medium The macOS system must be configured with Infrared [IR] support disabled.
V-214819 Medium The macOS system must be configured with automatic actions disabled for video DVDs.
V-214818 Medium The macOS system must be configured with automatic actions disabled for picture CDs.
V-214899 Medium The macOS system must be configured to disable Remote Apple Events.
V-214898 Medium The macOS system must be configured with Bluetooth Sharing disabled.
V-214893 Medium The macOS system must be configured to not allow iTunes file sharing.
V-214892 Medium The macOS system must restrict the ability of individuals to use USB storage devices.
V-214891 Medium The macOS system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously where HBSS is used; 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by Computer Network Defense Service Provider (CNDSP).
V-214890 Medium The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
V-214897 Medium The macOS system must be configured so that Bluetooth devices are not allowed to wake the computer.
V-214896 Medium The macOS firewall must have logging enabled.
V-214895 Medium The macOS system logon window must be configured to prompt for username and password, rather than show a list of users.
V-214894 Medium The macOS system must not allow an unattended or automatic logon to the system.
V-214862 Medium The macOS system must be configured to disable Location Services.
V-214863 Medium The macOS system must be configured to disable Bonjour multicast advertising.
V-233627 Medium The macOS system must implement an approved Key Exchange Algorithm.
V-233626 Medium The macOS system must use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
V-233625 Medium The macOS system must implement approved Ciphers to protect the confidentiality of SSH connections.
V-214826 Medium The macOS system must be configured to disable the Network File System (NFS) lock daemon unless it is required.
V-214827 Medium The macOS system must be configured to disable the Network File System (NFS) stat daemon unless it is required.
V-214824 Medium The macOS system must be configured to disable Apple File (AFP) Sharing.
V-214825 Medium The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
V-214822 Medium The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
V-214823 Medium The macOS system must be configured to disable SMB File Sharing unless it is required.
V-214820 Medium The macOS system must automatically remove or disable temporary user accounts after 72 hours.
V-214821 Medium The macOS system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-214828 Medium The macOS system firewall must be configured with a default-deny policy.
V-214829 Medium The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system.
V-214930 Medium The macOS system must be configured with system log files set to mode 640 or less permissive.
V-214931 Medium The macOS system must be configured with access control lists (ACLs) for system log files to be set correctly.
V-214932 Medium The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
V-214933 Medium The macOS system must be configured to lock the user session when a smart token is removed.
V-214934 Medium The macOS system must enable certificate for smartcards.
V-214935 Medium The macOS system must prohibit user installation of software without explicit privileged status.
V-214923 Medium The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
V-214922 Medium The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
V-214921 Medium The macOS system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user.
V-214920 Medium The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
V-214927 Medium The macOS system must enforce a 60-day maximum password lifetime restriction.
V-214929 Medium The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
V-214928 Medium The macOS system must prohibit password reuse for a minimum of five generations.
V-214839 Medium The macOS system must be configured with audit log files owned by root.
V-214838 Medium The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
V-214831 Medium The macOS system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-214830 Medium The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
V-214833 Medium The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.
V-214832 Medium The macOS system must generate audit records for DoD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
V-214835 Medium The macOS system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
V-214834 Medium The macOS system must enable System Integrity Protection.
V-214837 Medium The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
V-214836 Medium The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-214916 Medium The macOS system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-214917 Medium The macOS system must have unused network devices disabled.
V-214914 Medium The macOS system must not send IPv6 ICMP redirects by default.
V-214915 Medium The macOS system must prevent local applications from generating source-routed packets.
V-214912 Medium The macOS system must not have IP forwarding for IPv6 enabled.
V-214913 Medium The macOS system must not send IPv4 ICMP redirects by default.
V-214910 Medium The macOS system must ignore IPv4 ICMP redirect messages.
V-214911 Medium The macOS system must not have IP forwarding for IPv4 enabled.
V-214918 Medium The macOS system must be configured to disable Internet Sharing.
V-214919 Medium The macOS system must be configured to disable Web Sharing.
V-214844 Medium The macOS system must be configured with audit log folders set to mode 700 or less permissive.
V-214845 Medium The macOS system must be configured so that log files must not contain access control lists (ACLs).
V-214846 Medium The macOS system must be configured so that log folders must not contain access control lists (ACLs).
V-214840 Medium The macOS system must be configured with audit log folders owned by root.
V-237767 Medium The macOS system must enforce requirements for remote connections to the information
V-214842 Medium The macOS system must be configured with audit log folders group-owned by wheel.
V-214843 Medium The macOS system must be configured with audit log files set to mode 440 or less permissive.
V-214841 Medium The macOS system must be configured with audit log files group-owned by wheel.
V-214859 Medium The macOS system must be configured to disable Siri and dictation.
V-214858 Medium The macOS system must be configured to disable the system preference pane for Siri.
V-214857 Medium The macOS system must be configured to disable the system preference pane for Internet Accounts.
V-214855 Medium The macOS system must cover or disable the built-in or attached camera when not in use.
V-214909 Medium The macOS system must not accept source-routed IPv4 packets.
V-214908 Medium All setuid executables on the macOS system must be documented.
V-214860 Medium The macOS system must be configured to disable sending diagnostic and usage data to Apple.
V-214861 Medium The macOS system must be configured to disable the iCloud Find My Mac service.
V-214866 Medium The macOS system must obtain updates from a DoD-approved update server.
V-214867 Medium The macOS system must not have a root account.
V-214864 Medium The macOS system must be configured to disable the UUCP service.
V-214865 Medium The macOS system must disable the Touch ID feature.
V-214901 Medium The macOS Application Firewall must be enabled.
V-214903 Medium The macOS system must be configured with the finger service disabled.
V-214902 Medium The macOS system must be configured with all public directories owned by root or an application account.
V-214905 Medium The macOS system must be configured with the prompt for Apple ID and iCloud disabled.
V-214904 Medium The macOS system must be configured with the sticky bit set on all public directories.
V-214906 Medium The macOS system must be configured so that users do not have Apple IDs signed into iCloud.
V-214803 Medium The macOS system must be configured to disable hot corners.
V-214804 Medium The macOS system must be configured to prevent Apple Watch from terminating a session lock.
V-214805 Medium The macOS system must initiate a session lock after a 15-minute period of inactivity.
V-214806 Medium The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-214807 Medium The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
V-214808 Medium The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
V-214888 Medium The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
V-214889 Medium The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-214880 Medium The macOS system must enforce password complexity by requiring that at least one special character be used.
V-214881 Medium The macOS system must enforce a minimum 15-character password length.
V-214884 Medium The macOS system must allow only applications that have a valid digital signature to run.
V-214886 Medium The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
V-214887 Medium The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 0.
V-214875 Medium The macOS system must disable iCloud Photo Library.
V-214874 Medium The macOS system must disable iCloud bookmark synchronization.
V-214877 Medium The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-214876 Medium The macOS system must disable iCloud Desktop And Documents.
V-214871 Medium The macOS system must disable iCloud Back to My Mac feature.
V-214870 Medium The macOS system must disable Siri pop-ups.
V-214873 Medium The macOS system must disable iCloud document synchronization.
V-214872 Medium The macOS system must disable iCloud Keychain synchronization.
V-214879 Medium The macOS system must enforce password complexity by requiring that at least one numeric character be used.
V-214878 Medium The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-214812 Low The macOS system must be configured with Bluetooth turned off unless approved by the organization.
V-214925 Low The macOS system must be configured to disable AirDrop.
V-214854 Low The macOS system must be configured to disable the iCloud Notes services.
V-214853 Low The macOS system must be configured to disable the iCloud Mail services.
V-214852 Low The macOS system must be configured to disable iCloud Address Book services.
V-214851 Low The macOS system must be configured to disable the iCloud Reminders services.
V-214850 Low The macOS system must be configured to disable the iCloud Calendar services.
V-214907 Low The macOS system must be configured with iTunes Music Sharing disabled.
V-214802 Low The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.