MAC OSX 10.6 Workstation Security Technical Implementation Guide


Overview

Date: 2013-04-09
Finding Count: 218 (CAT I (High): 20, CAT II (Med): 180, CAT III (Low): 18)
STIG Description: MAC OSX 10.6 Workstation Security Technical Implementation Guide

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-25304 High Input menu must not be shown in login window.
V-25305 High The system must be configured to not show password hints.
V-25307 High The password-related hint field must not be used.
V-25276 High OSX00180-SSH must not allow empty passwords.
V-25272 High An antivirus tool must be installed.
V-25259 High An Extensible Firmware Interface (EFI) password must be used.
V-25329 High Automatic login must be disabled.
V-24386 High The telnet daemon must not be running.
V-25308 High Automatic actions must be disabled for blank CDs.
V-25309 High Automatic actions must be disabled for music CDs.
V-4688 High The rexec daemon must not be running.
V-922 High All shell files must have mode 0755 or less permissive.
V-25606 High Automatic actions must be disabled for blank DVDs.
V-25557 High Clear text passwords for all LDAPv3 directories must be disabled.
V-25311 High Automatic actions must be disabled for video DVDs.
V-25310 High Automatic actions must be disabled for picture CDs.
V-25265 High Active Directory Access must be securely configured.
V-25262 High sudo usage must be restricted to a single terminal, and for only one sudo instance at a time.
V-25371 High The root account must be disabled.
V-4687 High The rsh daemon must not be running.
V-22404 Medium Kernel core dumps must be disabled unless needed.
V-22387 Medium Cron and crontab directories must not have extended ACLs.
V-12023 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-4370 Medium The traceroute command must be group-owned by wheel.
V-22561 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be group-owned by wheel.
V-22560 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be owned by root.
V-12025 Medium The system must not have any peer-to-peer file-sharing application installed.
V-12024 Medium The system must not have a public Instant Messaging (IM) client installed.
V-22389 Medium The cron.deny file must not have an extended ACL.
V-25380 Medium Access to audit configuration files must be restricted.
V-25306 Medium Fast User Switching must be disabled.
V-25278 Medium The MobileMe preference pane must be removed from System Preferences.
V-25279 Medium The Software Update Server URL must be assigned to an organizational value.
V-25302 Medium Login window must be properly configured.
V-25275 Medium /etc/sshd_config - Protocol version must be securely configured.
V-25270 Medium Local logging must be enabled.
V-25271 Medium Remote logging must be enabled.
V-25273 Medium Prevent root login must be securely configured in /etc/sshd_config.
V-22386 Medium Crontab files must not have extended ACLs.
V-784 Medium System files and directories must not have uneven access permissions.
V-22366 Medium All shell files must not have extended ACLs.
V-22335 Medium The /etc/group file must be owned by root.
V-25269 Medium Security auditing must be configured.
V-22369 Medium All system audit files must not have extended ACLs.
V-813 Medium System audit logs must have mode 640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-22333 Medium The /etc/passwd file must be group-owned by wheel.
V-4090 Medium All system start-up files must be group-owned by root, sys, bin, other, or system.
V-25332 Medium Secure virtual memory must be used.
V-25330 Medium A password must be required to unlock each System Preference Pane.
V-25333 Medium Remote control infrared receiver must be disabled.
V-4385 Medium The system must not use .forward files.
V-25335 Medium Only essential services must be allowed through firewall.
V-25337 Medium Stealth Mode must be enabled on the firewall.
V-25241 Medium Account lockout threshold must be properly configured.
V-25240 Medium Account lockout duration must be properly configured.
V-25339 Medium Screen Sharing must be disabled.
V-25338 Medium DVD or CD Sharing must be disabled.
V-773 Medium The root account must be the only account having a UID of “0”.
V-807 Medium All public directories must be owned by root or an application account.
V-22460 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-22461 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-4089 Medium All system start-up files must be owned by root.
V-4084 Medium The system must prohibit the reuse of passwords to 15 iterations.
V-22497 Medium The /etc/smb.conf file must not have an extended ACL.
V-25254 Medium Audio recording support software must be disabled.
V-25255 Medium Video recording support software must be disabled.
V-25252 Medium Wi-Fi support software must be disabled.
V-25253 Medium Bluetooth support software must be disabled.
V-25200 Medium Administrator accounts must be created with difficult-to-guess names.
V-22459 Medium The SSH daemon must be configured to not use CBC ciphers.
V-25258 Medium Infrared (IR) support must be removed.
V-4394 Medium The /etc/syslog.conf file must be group-owned by wheel.
V-22583 Medium The system's local firewall must implement a deny-all, allow-by-exception policy.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-25324 Medium System Preferences must be securely configured so IPv6 is turned off if not being used.
V-25323 Medium Unused hardware devices must be disabled for Firewire.
V-25320 Medium Unused hardware devices must be disabled for AirPort.
V-25321 Medium Unused hardware devices must be disabled for Bluetooth.
V-22454 Medium The /etc/syslog.conf file must not have an extended ACL.
V-25882 Medium Bonjour must be disabled.
V-22324 Medium The /etc/hosts file must be group-owned by wheel.
V-1028 Medium The /etc/smb.conf file must have mode 0644 or less permissive.
V-22458 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-25349 Medium Xgrid Sharing must be disabled.
V-22326 Medium The /etc/hosts file must not have an extended ACL.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-1027 Medium The /etc/smb.conf file must be owned by root.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22322 Medium The /etc/resolv.conf file must not have an extended ACL.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-22320 Medium The /etc/resolv.conf file must be group-owned by wheel.
V-11981 Medium All global initialization files must have mode 0644 or less permissive.
V-25300 Medium Shared folders must be disabled.
V-25358 Medium iDisk must be removed from Finder sidebar.
V-25351 Medium Bluetooth Sharing must be disabled.
V-25350 Medium Internet Sharing must be disabled.
V-25354 Medium Mail must be configured using SSL.
V-904 Medium All local initialization files must be owned by the user or root.
V-906 Medium All run control scripts must have mode 0755 or less permissive.
V-22352 Medium All files and directories contained in user home directories must not have extended ACLs.
V-22353 Medium Launch control scripts must not have extended ACLs.
V-22351 Medium All files and directories contained in user home directories must be group-owned by a group where the home directory's owner is a member.
V-22314 Medium System command files must not have extended ACLs.
V-22338 Medium The /etc/group file must not have an extended ACL.
V-22334 Medium The /etc/passwd file must not have an extended ACL.
V-22336 Medium The /etc/group file must be group-owned by wheel.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22332 Medium The /etc/passwd file must be owned by root.
V-25230 Medium A minimum password length must be set.
V-22410 Medium The system must not respond to Internet Control Message Protocol (ICMPv4) echoes sent to a broadcast address.
V-25238 Medium Newly created password content must be checked.
V-25348 Medium Remote Apple Events must be disabled.
V-29437 Medium Complex passwords must contain Alphabetic Character.
V-25340 Medium File Sharing must be disabled.
V-25341 Medium Printer Sharing must be disabled.
V-25342 Medium Web Sharing must be disabled.
V-25343 Medium Remote Login must be disabled.
V-25346 Medium Apple Remote Desktop must be disabled.
V-29439 Medium Complex passwords must contain a Symbolic Character.
V-913 Medium There must be no .netrc files on the system.
V-22416 Medium The system must ignore IPv4 ICMP redirect messages.
V-22317 Medium All library files must not have extended ACLs.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-25374 Medium The Operating System must be current and at the latest release level.
V-25377 Medium Default and Emergency Administrator passwords must be changed when necessary.
V-25376 Medium An Emergency Administrator Account must be created.
V-22385 Medium Crontab files must be group-owned by wheel, cron, or the crontab creator's primary group.
V-22384 Medium The cron.allow file must not have an extended ACL.
V-22439 Medium The alias file must not have an extended ACL.
V-22438 Medium The aliases file must be group-owned by wheel.
V-22437 Medium The traceroute file must not have an extended ACL.
V-25204 Medium A maximum password age must be set.
V-25379 Medium Automatic Screen Saver initiation must be enabled when smart card is removed from machine.
V-25378 Medium Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization.
V-25312 Medium System must have a password-protected screen saver configured to DoD requirements.
V-25280 Medium The ability for administrative accounts to unlock screen saver must be disabled.
V-25283 Medium Setuid bit must be removed from Apple Remote Desktop.
V-25268 Medium Security auditing must be enabled.
V-25267 Medium POSIX access permissions must be assigned based on user categories.
V-25264 Medium LDAP Authentication must use authentication when connecting to LDAPv3.
V-22562 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must not have an extended ACL.
V-11983 Medium All global initialization files must be group-owned by wheel.
V-924 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-921 Medium All shell files must be owned by root.
V-25413 Medium Spotlight Panel must be securely configured.
V-25251 Medium All application software must be current.
V-22702 Medium System audit logs must be group-owned by wheel.
V-22428 Medium The services file must not have an extended ACL.
V-22506 Medium The system package management tool must be used to verify system software periodically.
V-22394 Medium The cron.deny file must be group-owned by wheel.
V-22427 Medium The services file must be group-owned by wheel.
V-22391 Medium The cron.allow file must be group-owned by wheel.
V-25292 Medium The setuid bit from Remote Access (unsecure) must be removed.
V-25293 Medium The setuid bit from rlogin must be removed.
V-25291 Medium The setuid bit must be removed from the IPC Statistics.
V-25561 Medium All LDAPv3 packets must be encrypted.
V-25294 Medium The setuid bit from Remote Access shell (unsecure) must be removed.
V-25563 Medium LDAPv3 must block man-in-the-middle attacks.
V-25298 Medium The Auto Update feature must be disabled.
V-25299 Medium The guest account must be disabled.
V-787 Medium System log files must have mode 644 or less permissive.
V-786 Medium All network services daemon files must have mode 0755 or less permissive.
V-785 Medium All files and directories must have a valid owner.
V-22315 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-22312 Medium All files and directories must have a valid group owner.
V-4696 Medium The system must not have the UUCP service active.
V-936 Medium The nosuid option must be enabled on all NFS client mounts.
V-795 Medium All system files, programs, and directories must be owned by a system account.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-4364 Medium The "at" directory must have mode 0755 or less permissive.
V-22559 Medium If the system is using LDAP for authentication or account information the /etc/openldap/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
V-4366 Medium "At" jobs must not set the umask to a value less restrictive than 077.
V-4365 Medium The "at" directory must be owned by root, bin, or sys.
V-25373 Medium Shared User Accounts must be disabled.
V-25187 Medium Unnecessary packages must not be installed.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 ICMP redirects.
V-25317 Medium The ability to use corners to disable the screen saver must be disabled.
V-25328 Medium A password must be required to wake a computer from sleep or screen saver.
V-25559 Medium All LDAPv3 packets must be digitally signed.
V-25295 Medium The setuid bit from System Activity Reporting must be removed.
V-25263 Medium LDAPv3 access must be securely configured (if it is used).
V-25261 Medium Access warning for the command line must be present.
V-25260 Medium Access warning for the login window must be present.
V-823 Medium The services file must be owned by root or bin.
V-25372 Medium Physical security of the system must meet DoD requirements.
V-793 Medium Library files must have mode 0755 or less permissive.
V-794 Medium All system command files must have mode 0755 or less permissive.
V-22313 Medium All network services daemon files must not have extended ACLs.
V-824 Medium The services file must have mode 0644 or less permissive.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-11982 Medium All global initialization files must be owned by root.
V-25318 Medium Bluetooth devices must not be allowed to wake the computer.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-4701 Low The system must not have the finger service active.
V-25274 Low Login Grace Time must be securely configured in /etc/sshd_config.
V-22409 Low The system must not process Internet Control Message Protocol (ICMP) timestamp requests.
V-25331 Low Automatic logout due to inactivity must be disabled.
V-22373 Low System audit tool executables must not have extended ACLs.
V-806 Low The sticky bit must be set on all public directories.
V-22508 Low The file integrity tool must be configured to verify extended attributes.
V-22507 Low The file integrity tool must be configured to verify ACLs.
V-25356 Low Finder must be set to always empty Trash securely.
V-25355 Low iTunes Store must be disabled.
V-22350 Low User home directories must not have extended ACLs.
V-22331 Low For systems using DNS resolution, at least two name servers must be configured.
V-914 Low All files and directories contained in interactive user home directories must be owned by the home directory's owner.
V-25375 Low System Recovery Backup procedures must be configured to comply with DoD requirements.
V-25296 Low The correct date and time must be set.
V-792 Low Manual page files must have mode 0644 or less permissive.
V-25297 Low A secure time server must be referenced.
V-22316 Low All manual page files must not have extended ACLs.