The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-58259	AOSX-09-000035	SV-72689r1_rule		High

Description
The 'rexec' service must be disabled. The 'rexec' service does not implement crypto and has had several security vulnerabilities in the past. It is disabled by default; enabling it would increase the attack surface of the system. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP) thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information.

Description

The 'rexec' service must be disabled. The 'rexec' service does not implement crypto and has had several security vulnerabilities in the past. It is disabled by default; enabling it would increase the attack surface of the system. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP) thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information.

STIG	Date
Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide	2017-01-05

Details

Check Text ( C-59083r1_chk )
The service 'rexec' should be disabled, to check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c 'print com.apple.rexecd:Disabled' /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't 'true' or doesn't exist, this is a finding.

Fix Text (F-63573r1_fix)
To disable the 'rexec' service, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist 'com.apple.rexecd' -dict Disabled -bool true