Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide


Overview

Date: 2015-02-26
Finding Count: 134 (CAT I (High): 10, CAT II (Med): 118, CAT III (Low): 6)
STIG Description
The Apple OS X 10.9 Workstation Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-58341 High The Security assessment policy subsystem must be enabled.
V-58263 High The rshd service must be disabled.
V-58261 High The operating system must implement cryptography to protect the integrity of remote access sessions.
V-58475 High The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
V-58375 High Operating systems used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
V-58377 High The operating system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-58371 High The operating system must transmit only cryptographically-protected passwords.
V-58373 High Operating systems used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.
V-58415 High The sudoers file must be configured to authenticate users on a per-tty basis.
V-58259 High The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-58353 Medium Find My Mac messenger must be disabled.
V-58351 Medium Find My Mac must be disabled.
V-58299 Medium The NFS daemon must be disabled.
V-58357 Medium Bonjour multicast advertising must be disabled on the system.
V-58355 Medium Location Services must be disabled.
V-58293 Medium The operating system must automatically audit account removal actions.
V-58359 Medium The system must not have the UUCP service active.
V-58291 Medium The operating system must automatically audit account disabling actions.
V-58511 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-58297 Medium Apple File (AFP) Sharing must be disabled.
V-58295 Medium SMB File Sharing must be disabled.
V-58459 Medium System Preferences must be securely configured so IPv6 is turned off if not being used.
V-58455 Medium The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
V-58457 Medium Unused network devices must be disabled.
V-58451 Medium The system must not send IPv6 ICMP redirects by default.
V-58453 Medium The system must prevent local applications from generating source-routed packets.
V-58343 Medium A configuration profile must be installed.
V-58345 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-58347 Medium The system preference panel iCloud must be removed.
V-58349 Medium Sending diagnostic and usage data to Apple must be disabled.
V-58501 Medium System log files must be mode 640 or less permissive.
V-58507 Medium Operating system sessions must audit non-local maintenance and diagnostic sessions for organization-defined audit events.
V-58505 Medium The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
V-58469 Medium The operating system must enforce a lockout expiration of 15 minutes after three consecutive invalid logon attempts by a user.
V-58461 Medium Secure virtual memory must be used.
V-58463 Medium Internet Sharing must be disabled.
V-58465 Medium Web Sharing must be disabled.
V-58467 Medium The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
V-58265 Medium The operating system must enforce requirements for remote connections to the information system.
V-58269 Medium Wi-Fi support software must be disabled.
V-58379 Medium The system must allow only applications downloaded from the App Store to run.
V-58473 Medium The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
V-58471 Medium The operating system must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
V-58479 Medium All users must use PKI authentication for login and privileged access.
V-58275 Medium Automatic actions must be disabled for blank DVDs.
V-58277 Medium Automatic actions must be disabled for music CDs.
V-58271 Medium Infrared [IR] support must be disabled.
V-58273 Medium Automatic actions must be disabled for blank CDs.
V-58279 Medium Automatic actions must be disabled for picture CDs.
V-58403 Medium The operating system must not allow an unattended or automatic logon to the system.
V-58401 Medium The usbmuxd daemon must be disabled.
V-58369 Medium The operating system must enforce a minimum 15-character password length.
V-58407 Medium The OS X firewall must have logging enabled.
V-58405 Medium The login window must be configured to prompt for username and password, rather than show a list of users.
V-58363 Medium The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-58409 Medium Bluetooth devices must not be allowed to wake the computer.
V-58361 Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
V-58367 Medium Operating systems must enforce password complexity by requiring that at least one numeric character be used.
V-58365 Medium The operating system must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-58895 Medium Audit log files must be group-owned by wheel.
V-58897 Medium Audit log folders must be group-owned by wheel.
V-58891 Medium Audit log files must be owned by root.
V-58893 Medium Audit log folders must be owned by root.
V-58899 Medium Log folders must not contain ACLs.
V-58489 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-58483 Medium The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
V-58481 Medium The system must be integrated into a directory services infrastructure.
V-58487 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify security levels occur.
V-58485 Medium The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-58257 Medium The operating system must monitor remote access methods.
V-58411 Medium Bluetooth Sharing must be disabled.
V-58413 Medium Remote Apple Events must be disabled.
V-58417 Medium The default global umask setting must be changed for user applications.
V-58419 Medium The default global umask setting must be changed for system processes.
V-58253 Medium The operating system must initiate a session lock after a 15-minute period of inactivity.
V-58319 Medium The operating system must generate audit records for all account creations, modifications, disabling, and termination events.
V-58317 Medium The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components.
V-58315 Medium The operating system must initiate session audits at system startup.
V-58313 Medium The operating system must generate audit records when successful/unsuccessful logon attempts occur.
V-58311 Medium Any publicly accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-58397 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-58499 Medium System log files must be owned by root and group-owned by wheel or admin.
V-58395 Medium The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on organization-defined information system components.
V-58393 Medium The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on organization-defined information system components.
V-58391 Medium The operating system must protect the confidentiality and integrity of all information at rest.
V-58491 Medium Operating systems must enforce a 60-day maximum password lifetime restriction.
V-58255 Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-58495 Medium The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-58399 Medium The operating system must restrict the ability of individuals to use USB storage devices.
V-58497 Medium The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-58493 Medium The operating system must prohibit password reuse for a minimum of five generations.
V-58429 Medium The system must not have the finger service active.
V-58541 Medium End users must not be able to override Gatekeeper settings.
V-58425 Medium The application firewall must be enabled.
V-58427 Medium All public directories must be owned by root or an application account.
V-58421 Medium The root account must be the only account having a UID of 0.
V-58305 Medium The system firewall must be configured with a default-deny policy.
V-58307 Medium The operating system must generate audit records for privileged activities or other system-level access.
V-58301 Medium The NFS lock daemon must be disabled.
V-58303 Medium The NFS stat daemon must be disabled.
V-58385 Medium The SSH daemon ClientAliveCountMax option must be set correctly.
V-58387 Medium The SSH daemon LoginGraceTime must be set correctly.
V-58383 Medium The SSH daemon ClientAliveInterval option must be set correctly.
V-58389 Medium The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-58439 Medium All setuid executables on the system must be vendor-supplied.
V-58433 Medium The prompt for Apple ID and iCloud must be disabled.
V-58431 Medium The sticky bit must be set on all public directories.
V-58435 Medium Users must not have Apple IDs signed into iCloud.
V-58339 Medium The operating system must limit privileges to change software resident within software libraries.
V-58509 Medium The operating system must audit the execution of privileged functions.
V-58331 Medium Audit log folders must have mode 700 or less permissive.
V-58333 Medium Log files must not contain ACLs.
V-58503 Medium ACLs for system log files must be set correctly.
V-58327 Medium The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-58325 Medium The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-58289 Medium The operating system must automatically audit account modification.
V-58323 Medium The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-58321 Medium The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-58285 Medium The operating system must be configured such that emergency administrator accounts are never automatically disabled.
V-58287 Medium The operating system must automatically audit account creation.
V-58281 Medium Automatic actions must be disabled for video DVDs.
V-58283 Medium The operating system must automatically remove or disable temporary user accounts after 72 hours.
V-58329 Medium Audit log file permissions must be mode 440 or less permissive.
V-58449 Medium The system must not send IPv4 ICMP redirects by default.
V-58447 Medium IP forwarding for IPv6 must not be enabled.
V-58445 Medium IP forwarding for IPv4 must not be enabled.
V-58443 Medium The system must ignore IPv4 ICMP redirect messages.
V-58441 Medium The system must not accept source-routed IPv4 packets.
V-58267 Low The Bluetooth software driver must be removed.
V-58477 Low Airdrop must be disabled.
V-58251 Low The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-58423 Low Finder must be set to always empty Trash securely.
V-58309 Low The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-58437 Low iTunes Music Sharing must be disabled.