V-51417 | High | The rsh service must be disabled. | Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol... |
V-51655 | High | The Security assessment policy subsystem must be enabled. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-51481 | High | The rexec service must be disabled. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is... |
V-51241 | High | The sudoers file must be configured to authenticate users on a per-tty basis. | Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to... |
V-51355 | High | The FIPS administrative and cryptographic modules must be installed correctly. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing... |
V-51243 | High | The sudoers file must be configured to require authentication on every use. | Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to... |
V-51687 | High | The telnet service must be disabled. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them. |
V-51453 | Medium | The input menu must not be shown in the login window. | Input menu must not be shown in login window. |
V-51571 | Medium | The application App Store must be removed. | The application App Store must be removed. |
V-53863 | Medium | The iPod Driver must be removed. | Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to... |
V-53867 | Medium | The system must be integrated into a directory services infrastructure. | Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active... |
V-51579 | Medium | The application Messages must be removed. | The application Messages must be removed. |
V-53857 | Medium | The FireWire protocol driver must be removed or disabled. | Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to... |
V-51479 | Medium | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by... |
V-51365 | Medium | The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
V-51367 | Medium | The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-51475 | Medium | The ability to use corners to disable the screen saver must be disabled. | The ability to use corners to disable the screen saver must be disabled. |
V-51499 | Medium | The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
V-51427 | Medium | The operating system must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-51677 | Medium | The OS X firewall must have logging enabled. | Firewall logging must be enabled. This requirement is NA if HBSS is used. |
V-51675 | Medium | The operating system must enforce minimum password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine... |
V-51331 | Medium | The Operating System must be current and at the latest release level. | The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not... |
V-51673 | Medium | The flags option must be set in /etc/security/audit_control. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
V-51671 | Medium | The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
V-51527 | Medium | The root account must be disabled for interactive use. | The root account must be disabled for interactive use. |
V-51679 | Medium | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. | Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated.... |
V-51387 | Medium | System log files must not contain ACLs. | System log files should not contain ACLs. |
V-51385 | Medium | System log files must have the correct permissions. | System log files should have the correct permissions. |
V-51309 | Medium | The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address. | The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address. |
V-51381 | Medium | System log files must be owned by root:wheel. | If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be... |
V-51389 | Medium | The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
V-51467 | Medium | A password must be required to unlock each System Preference Pane. | A password must be required to access locked System Preferences. |
V-51465 | Medium | The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
V-51549 | Medium | Bonjour multicast advertising must be disabled on the system. | Bonjour multicast advertising must be disabled on the system. |
V-51463 | Medium | Shared User Accounts must be disabled. | Shared User Accounts must be disabled. |
V-51785 | Medium | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the... |
V-51461 | Medium | The auditing tool, auditd, must be the one provided by Apple, Inc. | The auditing tool, auditd, should be the one provided by Apple, Inc. |
V-51547 | Medium | The system must not have the UUCP service active. | The system must not have the UUCP service active. |
V-51305 | Medium | The centralized process core dump data directory must have mode 0750 or less permissive. | The centralized process core dump data directory must have mode "0750" or less permissive. |
V-51273 | Medium | The application firewall must be enabled. | The application firewall must be enabled. |
V-51277 | Medium | Fast User Switching must be disabled. | Fast User Switching must be disabled. |
V-51275 | Medium | The system must not be allowed to restart after a power failure. | The system must not be allowed to restart after a power failure. |
V-53861 | Medium | The Apple Storage Drivers must be removed or disabled. | Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to... |
V-51373 | Medium | The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation. | Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report... |
V-51279 | Medium | Kernel core dumps must be disabled unless needed. | Kernel core dumps must be disabled unless needed. |
V-51371 | Medium | The operating system must protect the confidentiality and integrity of information at rest. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
V-51377 | Medium | The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components. | The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security... |
V-51665 | Medium | The audit log folder must have correct permissions. | Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later... |
V-51667 | Medium | The audit log files must not contain ACLs. | The audit log files should not contain ACLs. |
V-51845 | Medium | Automatic actions must be disabled for picture CDs. | Automatic actions must be disabled for picture CDs. |
V-51847 | Medium | Bluetooth support software must be disabled. | Bluetooth support software must be disabled. |
V-53865 | Medium | All users must use PKI authentication for login and privileged access. | Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional... |
V-51395 | Medium | The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access. | Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system.... |
V-51397 | Medium | The operating system must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-51393 | Medium | The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an... |
V-51487 | Medium | Automatic actions must be disabled for blank DVDs. | Automatic actions must be disabled for blank DVDs. |
V-51399 | Medium | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
V-51413 | Medium | Internet Sharing must be disabled. | Internet Sharing must be disabled. |
V-51411 | Medium | The system firewall must be configured with a default-deny policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
V-51559 | Medium | Remote Apple Events must be disabled. | Remote Apple Events must be disabled. |
V-51415 | Medium | Web Sharing must be disabled. | Web Sharing must be disabled. |
V-53869 | Medium | The usbmuxd daemon must be disabled. | Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices. |
V-51553 | Medium | Find My Mac messenger must be disabled. | Find My Mac messenger must be disabled. |
V-51419 | Medium | The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
V-51551 | Medium | Location Services must be disabled. | Location Services must be disabled. |
V-51557 | Medium | Sending diagnostic and usage data to Apple must be disabled. | Sending diagnostic and usage data to Apple must be disabled. |
V-51555 | Medium | Find My Mac must be disabled. | Find My Mac must be disabled. |
V-51261 | Medium | Active Directory Access must be securely configured to sign all packets. | Active Directory Access must be securely configured to sign all packets. |
V-51263 | Medium | Active Directory Access must be securely configured to encrypt all packets. | Active Directory Access must be securely configured to encrypt all packets. |
V-51267 | Medium | An Emergency Administrator Account must be created. | An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. This emergency... |
V-51269 | Medium | The root account must be the only account having a UID of 0. | The root account must be the only account having a UID of "0". |
V-51651 | Medium | The audit log folder must not have ACLs. | The audit log folder should not have ACLs. |
V-51653 | Medium | The audit log folder must have correct permissions. | Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later... |
V-51657 | Medium | The audit log folder must be owned by root:wheel. | Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later... |
V-51659 | Medium | The audit log folder must be owned by root:wheel. | Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later... |
V-51491 | Medium | Automatic actions must be disabled for video DVDs. | Automatic actions must be disabled for video DVDs. |
V-51303 | Medium | The centralized process core dump data directory must be owned by root. | The centralized process core dump data directory must be owned by root. |
V-51301 | Medium | Unnecessary packages must not be installed. | Unnecessary packages must not be installed. |
V-51663 | Medium | The password-related hint field must not be used. | The password-related hint field must not be used. |
V-51401 | Medium | The operating system must enforce requirements for remote connections to the information system. | The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the... |
V-51403 | Medium | The operating system must enforce requirements for remote connections to the information system. | Screen Sharing must be disabled. |
V-51405 | Medium | The operating system must automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify... |
V-51407 | Medium | The operating system must automatically audit account disabling actions. | When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and... |
V-51409 | Medium | The operating system must automatically audit account termination. | Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The... |
V-51623 | Medium | The network time server must be an authorized DoD time source. | The system must be configured to set the time automatically from a network time server. The network time server must be an authorized DoD time source. |
V-51259 | Medium | The system must not use .forward files. | The system must not use .forward files. |
V-51529 | Medium | The SSH PermitRootLogin option must be set correctly. | To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users)... |
V-51255 | Medium | Newsyslog must be correctly configured to rotate log files. | Newsyslog needs to be correctly configured to rotate log files. |
V-51257 | Medium | Administrator accounts must be created with difficult-to-guess names. | Administrator accounts must be created with difficult-to-guess names. |
V-51251 | Medium | The default global umask setting must be changed for system processes. | The default global umask setting must be configured correctly for system processes. |
V-51253 | Medium | Local logging must be enabled. | Local logging must be enabled. |
V-51471 | Medium | Automatic login must be disabled. | Automatic login must be disabled. |
V-51319 | Medium | The system must prevent local applications from generating source-routed packets. | The system must prevent local applications from generating source-routed packets. |
V-51535 | Medium | The system must allow only applications downloaded from the App Store to run. | Gatekeeper settings must be configured correctly. |
V-51647 | Medium | The audit log folder must have the correct permissions. | The audit log folder should have correct permissions. |
V-51483 | Medium | The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
V-51473 | Medium | The operating system must initiate a session lock after the organization-defined time period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature... |
V-51313 | Medium | The system must ignore IPv4 ICMP redirect messages. | The system must ignore IPv4 ICMP redirect messages. |
V-51493 | Medium | The operating system must allocate audit record storage capacity. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
V-51247 | Medium | All files and directories contained in interactive user home directories must be owned by the home directory's owner. | All files and directories contained in interactive user home directories must be owned by the home directory's owner. |
V-51929 | Medium | Infrared [IR] support must be removed. | Infrared [IR] support must be removed. |
V-51435 | Medium | The operating system must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
V-51437 | Medium | The operating system must support the requirement to automatically audit on account creation. | Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process... |
V-51431 | Medium | The operating system must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-51433 | Medium | The operating system must limit privileges to change software resident within software libraries (including privileged programs). | When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects... |
V-51249 | Medium | The default global umask setting must be changed for user applications. | The default global umask setting must be changed for user applications. |
V-51537 | Medium | A configuration profile must exist to restrict launching of applications. | The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what... |
V-51531 | Medium | End users must not be able to override Gatekeeper settings. | Gatekeeper settings must be configured correctly. |
V-51245 | Medium | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. | All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files... |
V-51329 | Medium | Secure virtual memory must be used. | Secure virtual memory must be used. |
V-51639 | Medium | The operating system must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
V-51485 | Medium | Automatic actions must be disabled for blank CDs. | Automatic actions must be disabled for blank CDs. |
V-51321 | Medium | The system must not process Internet Control Message Protocol [ICMP] timestamp requests. | The system must not process Internet Control Message Protocol [ICMP] timestamp requests. |
V-51631 | Medium | Audit log files must not contain ACLs. | Audit log files should not contain ACLs. |
V-51325 | Medium | Unused network devices must be disabled. | Unused network devices must be disabled. |
V-51327 | Medium | Stealth Mode must be enabled on the firewall. | Stealth Mode must be enabled on the firewall. |
V-51351 | Medium | The SSH daemon ClientAliveCountMax option must be set correctly. | This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs... |
V-51633 | Medium | Apple File Sharing must be disabled. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
V-51645 | Medium | Configuration profiles must be applied to the system. | Configuration settings are the configurable security-related parameters of the operating system. Security-related parameters are those parameters impacting the security state of the system... |
V-51421 | Medium | The operating system must use cryptography to protect the integrity of remote access sessions. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is... |
V-51323 | Medium | Audio recording support software must be disabled. | Audio recording support software must be disabled. |
V-51425 | Medium | The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to... |
V-51509 | Medium | The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-51333 | Medium | The CRLStyle option must be set correctly. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
V-51317 | Medium | The system must not send IPv4 ICMP redirects by default. | The system must not send IPv4 ICMP redirects by default. |
V-51501 | Medium | The operating system must provide a real-time alert when organization-defined audit failure events occur. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
V-51507 | Medium | The operating system must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and... |
V-51339 | Medium | A host-based firewall must be installed. | Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation... |
V-51629 | Medium | The NFS daemon must be disabled. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
V-51635 | Medium | Audit Log files must have the correct permissions. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the... |
V-51239 | Medium | Device files and directories must only be writable by users with a system account or as configured by the vendor. | Device files and directories must only be writable by users with a system account or as configured by the vendor. |
V-51359 | Medium | Video recording support software must be disabled. | Video recording support software must be disabled. |
V-51237 | Medium | User home directories must not have extended ACLs. | User home directories must not have extended ACLs. |
V-51235 | Medium | All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed. | All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed. |
V-51307 | Medium | The centralized process core dump data directory must be group-owned by admin. | The centralized process core dump data directory must be group-owned by admin. |
V-51233 | Medium | The ability for administrative accounts to unlock Screen Saver must be disabled. | The ability for administrative accounts to unlock Screen Saver must be disabled. |
V-51625 | Medium | Audit Log files must have the correct permissions. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. Audit... |
V-51231 | Medium | The login window must be configured to prompt for username and password, rather than show a list of users. | The login window must be configured to prompt for username and password, rather than show a list of users. |
V-51627 | Medium | Audit log files must be owned by root:wheel. | Audit log files should be owned by root:wheel. |
V-51497 | Medium | The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). | It is critical when a system is at risk of failing to process audit logs, as required, that it detects and takes action to mitigate the failure. Audit processing failures include software/hardware... |
V-51295 | Medium | All setuid executables on the system must be vendor-supplied. | All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation,... |
V-51523 | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
V-51447 | Medium | Bluetooth Sharing must be disabled. | Bluetooth Sharing must be disabled. |
V-51515 | Medium | The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account. | When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event... |
V-51511 | Medium | The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
V-51443 | Medium | The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. | The auditing system must be configured to audit authentication and authorization events. |
V-51691 | Medium | The CRLSufficientPerCert option must be set correctly. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
V-51519 | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
V-51343 | Medium | DoD proxies must be configured on all active network interfaces. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside from learning IP... |
V-51341 | Medium | System Preferences must be securely configured so IPv6 is turned off if not being used. | System Preferences must be securely configured so IPv6 is turned off if not being used. |
V-51643 | Medium | The audit log folder must be owned by root:wheel. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the... |
V-51347 | Medium | The SSH daemon ClientAliveInterval option must be set correctly. | This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs... |
V-51459 | Medium | The operating system, upon successful logon, must display to the user the date and time of the last logon (access). | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if... |
V-51489 | Medium | Automatic actions must be disabled for music CDs. | Automatic actions must be disabled for music CDs. |
V-51457 | Medium | The auditing tool, audit, must be the one provided by Apple, Inc. | The auditing tool, audit, should be the one provided by Apple, Inc. |
V-51455 | Medium | The auditing tool, auditreduce, must be the one provided by Apple, Inc. | The auditing tool, auditreduce, should be the one provided by Apple, Inc. |
V-51619 | Medium | The NFS lock daemon must be disabled. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
V-51451 | Medium | The auditing tool, praudit, must be the one provided by Apple, Inc. | Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was... |
V-51495 | Medium | The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
V-51289 | Medium | Users must not have Apple IDs signed into iCloud. | Users should not have Apple IDs signed into iCloud. |
V-51287 | Medium | The prompt for Apple ID and iCloud must be disabled. | The prompt for Apple ID and iCloud must be disabled. |
V-51285 | Medium | The sticky bit must be set on all public directories. | The sticky bit must be set on all public directories. |
V-51283 | Medium | The system must not have the finger service active. | The system must not have the finger service active. |
V-51281 | Medium | All public directories must be owned by root or an application account. | All public directories must be owned by root or an application account. |
V-51561 | Medium | The system preference panel iCloud must be removed. | The system preference panel iCloud must be removed. |
V-51689 | Medium | There must be no .netrc files on the system. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. There must be no... |
V-51315 | Medium | IP forwarding for IPv4 must not be enabled, unless the system is a router. | IP forwarding for IPv4 must not be enabled, unless the system is a router. |
V-51683 | Medium | The OCSPSufficientPerCert option must be set correctly. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
V-51681 | Medium | The OCSPStyle option must be set correctly. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
V-51685 | Medium | The RevocationFirst option must be set correctly. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
V-51603 | Medium | Application Restrictions must be enabled. | Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-51605 | Medium | The racoon daemon must be disabled. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
V-51445 | Medium | Bluetooth devices must not be allowed to wake the computer. | Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer. |
V-51609 | Medium | The NFS stat daemon must be disabled. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
V-51441 | Medium | Wi-Fi support software must be disabled. | Wi-Fi support software must be disabled. |
V-51311 | Medium | The system must not accept source-routed IPv4 packets. | The system must not accept source-routed IPv4 packets. |
V-51429 | Medium | The operating system must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
V-51195 | Medium | The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account. | When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the... |
V-53859 | Medium | The USB mass storage driver must be removed or disabled. | Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to... |
V-51641 | Medium | Audit log files must be owned by root:wheel. | Audit log files should be owned by root:wheel. |
V-51575 | Low | The application Image Capture must be removed. | The application Image Capture must be removed. |
V-51477 | Low | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature... |
V-51541 | Low | The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups... |
V-51543 | Low | Airdrop must be disabled. | Airdrop must be disabled. |
V-51469 | Low | Automatic logout due to inactivity must be disabled. | Automatic logout due to inactivity must be disabled. |
V-51271 | Low | Finder must be set to always empty Trash securely. | Finder must be set to always empty Trash securely. In Mac OS X, Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored. |
V-51265 | Low | iTunes Store must be disabled. | iTunes Store must be disabled. |
V-51353 | Low | The SSH daemon LoginGraceTime must be set correctly. | LoginGraceTime must be securely configured in /etc/sshd_config. |
V-51439 | Low | The Bluetooth protocol driver must be removed. | Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can... |
V-51539 | Low | The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software,... |
V-51581 | Low | The application iTunes must be removed. | The application iTunes must be removed. |
V-51583 | Low | The application Game Center must be disabled. | The application Game Center must be disabled. |
V-51621 | Low | The system must be configured to set the time automatically from a network time server. | The system must be configured to set the time automatically from a network time server. |
V-51291 | Low | Spotlight Panel must be securely configured. | Spotlight Panel must be securely configured. |
V-51293 | Low | iTunes Music Sharing must be disabled. | iTunes Music Sharing must be disabled. |
V-51297 | Low | iTunes Radio must be disabled. | iTunes Radio must be disabled. |
V-51299 | Low | iTunes Podcasts must be disabled. | iTunes Podcasts must be disabled. |
V-51597 | Low | The application Chess must be removed. | The application Chess must be removed. |
V-51595 | Low | The application FaceTime must be removed. | The application FaceTime must be removed. |
V-51593 | Low | The application Game Center must be removed. | The application Game Center must be removed. |
V-51567 | Low | The application Contacts must be removed. | The application Contacts must be removed. |
V-51565 | Low | The application Mail must be removed. | The application Mail must be removed. |
V-51569 | Low | The application Calendar must be removed. | The application Calendar must be removed. |
V-51601 | Low | The application PhotoBooth must be removed. | The application Photo Booth must be removed. |
V-51449 | Low | The operating system must display the DoD-approved system use notification message or banner before granting access to the system. | The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far... |