
The macOS system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.


Overview

Finding ID: V-96001
Version: AOSX-14-005051
Rule ID: SV-105139r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
STIG: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide
Date: 2019-07-23

Details

Check Text (C-94833r1_chk)
Ask the System Administrator (SA) or Information System Security Officer (ISSO) if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS.

If no firewall is installed on the system, this is a finding.

If a firewall is installed and it is not configured with a "default-deny" policy, this is a finding.
Fix Text (F-101671r1_fix)
Install an approved HBSS or firewall solution onto the system and configure it with a "default-deny" policy.

Modify the check to verify that signed binaries cannot automatically accept connections.

Update the default-deny incoming and outgoing policy with allow exceptions for SSH, store, and activation.
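The check and fix above are written for an SA/ISSO interview, so a practitioner auditing a Mojave host usually also wants a scriptable read of the built-in firewall state. The following is an added example, not part of the STIG or of any DISA tooling: it parses the text that `/usr/libexec/ApplicationFirewall/socketfilterfw` prints and decides whether the Application Firewall (ALF) meets the default-deny intent (enabled, and either blocking all incoming connections or not auto-accepting connections for signed software), and it emits a pf rule set that expresses deny-all/allow-by-exception for both directions with outbound SSH as the only exception. The sample outputs are constructed to resemble socketfilterfw's wording, which varies across macOS releases, so the matching is deliberately loose; the pf rules, the loopback skip and the port 22 exception are this example's assumptions, not values from the STIG.

```shell
#!/bin/sh
# Added example (not from the STIG page). Assesses macOS Application
# Firewall state text for a default-deny posture and prints a pf rule set
# for deny-all/allow-by-exception in both directions.

# assess_alf STATE_TEXT
# Returns 0 (no finding) when the firewall is enabled and either block-all
# is on or signed software is not automatically allowed; returns 1 (finding)
# otherwise. The strings matched below are assumptions about socketfilterfw
# output, matched case-insensitively because wording differs by release.
assess_alf() {
    state="$1"
    # "Firewall is enabled. (State = 1)" must be present
    printf '%s\n' "$state" | grep -qi 'firewall is enabled' || return 1
    # "Block all" mode refuses all non-essential incoming connections,
    # regardless of per-application allow rules, so it satisfies default-deny
    printf '%s\n' "$state" | grep -qi 'block all non-essential' && return 0
    # Otherwise any "Automatically allow ... signed ... ENABLED" line means
    # signed binaries can accept connections without an explicit exception
    printf '%s\n' "$state" | grep -Eqi 'allow.*signed.*enabled' && return 1
    return 0
}

# Constructed sample: firewall on, but signed software auto-allowed (finding)
SAMPLE_PERMISSIVE='Firewall is enabled. (State = 1)
Block all DISABLED!
Automatically allow built-in signed software ENABLED
Automatically allow downloaded signed software ENABLED'

# Constructed sample: block-all off, signed auto-allow off (no finding)
SAMPLE_STRICT='Firewall is enabled. (State = 1)
Block all DISABLED!
Automatically allow built-in signed software DISABLED
Automatically allow downloaded signed software DISABLED'

# Constructed sample: firewall entirely off (finding)
SAMPLE_DISABLED='Firewall is disabled. (State = 0)'

# live_alf_state: print the real state on a macOS host; prints nothing and
# succeeds elsewhere so the script stays runnable on other systems
live_alf_state() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    [ -x "$fw" ] || return 0
    "$fw" --getglobalstate --getblockall --getallowsigned 2>/dev/null
}

# pf_default_deny_rules: emit a minimal pf rule set implementing
# deny-all, allow-by-exception for inbound and outbound traffic.
# Loopback is skipped and outbound SSH (tcp/22) is the only exception;
# both are assumptions for illustration. Load with:
#   pfctl -f rules.conf && pfctl -e
pf_default_deny_rules() {
    cat <<'EOF'
set block-policy drop
set skip on lo0
block in all
block out all
pass out proto tcp to any port 22 keep state
EOF
}

# Stand-alone run: report on the live host if available
live="$(live_alf_state)"
if [ -n "$live" ]; then
    if assess_alf "$live"; then
        echo "ALF: no finding"
    else
        echo "ALF: finding (not default-deny)"
    fi
fi
```

ALF only governs inbound connections; the outbound half of the policy (which this STIG requires, and which HBSS supplies when used) has to come from pf or another host firewall, which is why the pf rule set is included alongside the ALF check.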