
Apple OS X 10.8 (Mountain Lion) Workstation STIG
Overview

Date: 2015-02-10
Finding Count: 205 (CAT I (High): 7, CAT II (Med): 173, CAT III (Low): 25)
STIG Description
The Apple OS X 10.8 (Mountain Lion) Workstation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-51417 High The rsh service must be disabled.
V-51655 High The Security assessment policy subsystem must be enabled.
V-51481 High The rexec service must be disabled.
V-51241 High The sudoers file must be configured to authenticate users on a per-tty basis.
V-51355 High The FIPS administrative and cryptographic modules must be installed correctly.
V-51243 High The sudoers file must be configured to require authentication on every use.
V-51687 High The telnet service must be disabled.
V-51453 Medium The input menu must not be shown in the login window.
V-51571 Medium The application App Store must be removed.
V-53863 Medium The iPod Driver must be removed.
V-53867 Medium The system must be integrated into a directory services infrastructure.
V-51579 Medium The application Messages must be removed.
V-53857 Medium The FireWire protocol driver must be removed or disabled.
V-51479 Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-51365 Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-51367 Medium The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-51475 Medium The ability to use corners to disable the screen saver must be disabled.
V-51499 Medium The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-51427 Medium The operating system must protect audit tools from unauthorized access.
V-51677 Medium The OS X firewall must have logging enabled.
V-51675 Medium The operating system must enforce minimum password length.
V-51331 Medium The Operating System must be current and at the latest release level.
V-51673 Medium The flags option must be set in /etc/security/audit_control.
V-51671 Medium The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.
V-51527 Medium The root account must be disabled for interactive use.
V-51679 Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
V-51387 Medium System log files must not contain ACLs.
V-51385 Medium System log files must have the correct permissions.
V-51309 Medium The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
V-51381 Medium System log files must be owned by root:wheel.
V-51389 Medium The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
V-51467 Medium A password must be required to unlock each System Preference Pane.
V-51465 Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-51549 Medium Bonjour multicast advertising must be disabled on the system.
V-51463 Medium Shared User Accounts must be disabled.
V-51785 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-51461 Medium The auditing tool, auditd, must be the one provided by Apple, Inc.
V-51547 Medium The system must not have the UUCP service active.
V-51305 Medium The centralized process core dump data directory must have mode 0750 or less permissive.
V-51273 Medium The application firewall must be enabled.
V-51277 Medium Fast User Switching must be disabled.
V-51275 Medium The system must not be allowed to restart after a power failure.
V-53861 Medium The Apple Storage Drivers must be removed or disabled.
V-51373 Medium The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.
V-51279 Medium Kernel core dumps must be disabled unless needed.
V-51371 Medium The operating system must protect the confidentiality and integrity of information at rest.
V-51377 Medium The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
V-51665 Medium The audit log folder must have correct permissions.
V-51667 Medium The audit log files must not contain ACLs.
V-51845 Medium Automatic actions must be disabled for picture CDs.
V-51847 Medium Bluetooth support software must be disabled.
V-53865 Medium All users must use PKI authentication for login and privileged access.
V-51395 Medium The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
V-51397 Medium The operating system must employ automated mechanisms to centrally manage configuration settings.
V-51393 Medium The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
V-51487 Medium Automatic actions must be disabled for blank DVDs.
V-51399 Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
V-51413 Medium Internet Sharing must be disabled.
V-51411 Medium The system firewall must be configured with a default-deny policy.
V-51559 Medium Remote Apple Events must be disabled.
V-51415 Medium Web Sharing must be disabled.
V-53869 Medium The usbmuxd daemon must be disabled.
V-51553 Medium Find My Mac messenger must be disabled.
V-51419 Medium The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-51551 Medium Location Services must be disabled.
V-51557 Medium Sending diagnostic and usage data to Apple must be disabled.
V-51555 Medium Find My Mac must be disabled.
V-51261 Medium Active Directory Access must be securely configured to sign all packets.
V-51263 Medium Active Directory Access must be securely configured to encrypt all packets.
V-51267 Medium An Emergency Administrator Account must be created.
V-51269 Medium The root account must be the only account having a UID of 0.
V-51651 Medium The audit log folder must not have ACLs.
V-51653 Medium The audit log folder must have correct permissions.
V-51657 Medium The audit log folder must be owned by root:wheel.
V-51659 Medium The audit log folder must be owned by root:wheel.
V-51491 Medium Automatic actions must be disabled for video DVDs.
V-51303 Medium The centralized process core dump data directory must be owned by root.
V-51301 Medium Unnecessary packages must not be installed.
V-51663 Medium The password-related hint field must not be used.
V-51401 Medium The operating system must enforce requirements for remote connections to the information system.
V-51403 Medium The operating system must enforce requirements for remote connections to the information system.
V-51405 Medium The operating system must automatically audit account modification.
V-51407 Medium The operating system must automatically audit account disabling actions.
V-51409 Medium The operating system must automatically audit account termination.
V-51623 Medium The network time server must be an authorized DoD time source.
V-51259 Medium The system must not use .forward files.
V-51529 Medium The SSH PermitRootLogin option must be set correctly.
V-51255 Medium Newsyslog must be correctly configured to rotate log files.
V-51257 Medium Administrator accounts must be created with difficult-to-guess names.
V-51251 Medium The default global umask setting must be changed for system processes.
V-51253 Medium Local logging must be enabled.
V-51471 Medium Automatic login must be disabled.
V-51319 Medium The system must prevent local applications from generating source-routed packets.
V-51535 Medium The system must allow only applications downloaded from the App Store to run.
V-51647 Medium The audit log folder must have the correct permissions.
V-51483 Medium The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
V-51473 Medium The operating system must initiate a session lock after the organization-defined time period of inactivity.
V-51313 Medium The system must ignore IPv4 ICMP redirect messages.
V-51493 Medium The operating system must allocate audit record storage capacity.
V-51247 Medium All files and directories contained in interactive user home directories must be owned by the home directory's owner.
V-51929 Medium Infrared [IR] support must be removed.
V-51435 Medium The operating system must take corrective actions, when unauthorized mobile code is identified.
V-51437 Medium The operating system must support the requirement to automatically audit on account creation.
V-51431 Medium The operating system must protect audit tools from unauthorized deletion.
V-51433 Medium The operating system must limit privileges to change software resident within software libraries (including privileged programs).
V-51249 Medium The default global umask setting must be changed for user applications.
V-51537 Medium A configuration profile must exist to restrict launching of applications.
V-51531 Medium End users must not be able to override Gatekeeper settings.
V-51245 Medium All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
V-51329 Medium Secure virtual memory must be used.
V-51639 Medium The operating system must employ automated mechanisms to centrally verify configuration settings.
V-51485 Medium Automatic actions must be disabled for blank CDs.
V-51321 Medium The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-51631 Medium Audit log files must not contain ACLs.
V-51325 Medium Unused network devices must be disabled.
V-51327 Medium Stealth Mode must be enabled on the firewall.
V-51351 Medium The SSH daemon ClientAliveCountMax option must be set correctly.
V-51633 Medium Apple File Sharing must be disabled.
V-51645 Medium Configuration profiles must be applied to the system.
V-51421 Medium The operating system must use cryptography to protect the integrity of remote access sessions.
V-51323 Medium Audio recording support software must be disabled.
V-51425 Medium The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
V-51509 Medium The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-51333 Medium The CRLStyle option must be set correctly.
V-51317 Medium The system must not send IPv4 ICMP redirects by default.
V-51501 Medium The operating system must provide a real-time alert when organization-defined audit failure events occur.
V-51507 Medium The operating system must employ cryptographic mechanisms to protect information in storage.
V-51339 Medium A host-based firewall must be installed.
V-51629 Medium The NFS daemon must be disabled.
V-51635 Medium Audit Log files must have the correct permissions.
V-51239 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-51359 Medium Video recording support software must be disabled.
V-51237 Medium User home directories must not have extended ACLs.
V-51235 Medium All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed.
V-51307 Medium The centralized process core dump data directory must be group-owned by admin.
V-51233 Medium The ability for administrative accounts to unlock Screen Saver must be disabled.
V-51625 Medium Audit Log files must have the correct permissions.
V-51231 Medium The login window must be configured to prompt for username and password, rather than show a list of users.
V-51627 Medium Audit log files must be owned by root:wheel.
V-51497 Medium The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
V-51295 Medium All setuid executables on the system must be vendor-supplied.
V-51523 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-51447 Medium Bluetooth Sharing must be disabled.
V-51515 Medium The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.
V-51511 Medium The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
V-51443 Medium The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
V-51691 Medium The CRLSufficientPerCert option must be set correctly.
V-51519 Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-51343 Medium DoD proxies must be configured on all active network interfaces.
V-51341 Medium System Preferences must be securely configured so IPv6 is turned off if not being used.
V-51643 Medium The audit log folder must be owned by root:wheel.
V-51347 Medium The SSH daemon ClientAliveInterval option must be set correctly.
V-51459 Medium The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
V-51489 Medium Automatic actions must be disabled for music CDs.
V-51457 Medium The auditing tool, audit, must be the one provided by Apple, Inc.
V-51455 Medium The auditing tool, auditreduce, must be the one provided by Apple, Inc.
V-51619 Medium The NFS lock daemon must be disabled.
V-51451 Medium The auditing tool, praudit, must be the one provided by Apple, Inc.
V-51495 Medium The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
V-51289 Medium Users must not have Apple IDs signed into iCloud.
V-51287 Medium The prompt for Apple ID and iCloud must be disabled.
V-51285 Medium The sticky bit must be set on all public directories.
V-51283 Medium The system must not have the finger service active.
V-51281 Medium All public directories must be owned by root or an application account.
V-51561 Medium The system preference panel iCloud must be removed.
V-51689 Medium There must be no .netrc files on the system.
V-51315 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-51683 Medium The OCSPSufficientPerCert option must be set correctly.
V-51681 Medium The OCSPStyle option must be set correctly.
V-51685 Medium The RevocationFirst option must be set correctly.
V-51603 Medium Application Restrictions must be enabled.
V-51605 Medium The racoon daemon must be disabled.
V-51445 Medium Bluetooth devices must not be allowed to wake the computer.
V-51609 Medium The NFS stat daemon must be disabled.
V-51441 Medium Wi-Fi support software must be disabled.
V-51311 Medium The system must not accept source-routed IPv4 packets.
V-51429 Medium The operating system must protect audit tools from unauthorized modification.
V-51195 Medium The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.
V-53859 Medium The USB mass storage driver must be removed or disabled.
V-51641 Medium Audit log files must be owned by root:wheel.
V-51575 Low The application image capture must be removed.
V-51477 Low The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
V-51541 Low The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives.
V-51543 Low Airdrop must be disabled.
V-51469 Low Automatic logout due to inactivity must be disabled.
V-51271 Low Finder must be set to always empty Trash securely.
V-51265 Low iTunes Store must be disabled.
V-51353 Low The SSH daemon LoginGraceTime must be set correctly.
V-51439 Low The Bluetooth protocol driver must be removed.
V-51539 Low The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives.
V-51581 Low The application iTunes must be removed.
V-51583 Low The application Game Center must be disabled.
V-51621 Low The system must be configured to set the time automatically from a network time server.
V-51291 Low Spotlight Panel must be securely configured.
V-51293 Low iTunes Music Sharing must be disabled.
V-51297 Low iTunes Radio must be disabled.
V-51299 Low iTunes Podcasts must be disabled.
V-51597 Low The application Chess must be removed.
V-51595 Low The application FaceTime must be removed.
V-51593 Low The application Game Center must be removed.
V-51567 Low The application Contacts must be removed.
V-51565 Low The application Mail must be removed.
V-51569 Low The application Calendar must be removed.
V-51601 Low The application PhotoBooth must be removed.
V-51449 Low The operating system must display the DoD-approved system use notification message or banner before granting access to the system.