UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MAC OSX 10.6 Workstation Security Technical Implementation Guide Draft


Overview

Date Finding Count (218)
2013-01-10 CAT I (High): 20 CAT II (Med): 180 CAT III (Low): 18
STIG Description
MAC OSX 10.6 Workstation Security Technical Implementation Guide Draft

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-25304 High Input menu must not be shown in login window.
V-25305 High The system must be configured to not show password hints.
V-25307 High The password-related hint field must not be used.
V-25276 High OSX00180-SSH must not allow empty passwords.
V-25272 High An antivirus tool must be installed.
V-25259 High An Extensible Firmware Interface (EFI) password must be used.
V-25329 High Automatic login must be disabled.
V-24386 High The telnet daemon must not be running.
V-25308 High Automatic actions must be disabled for blank CDs.
V-25309 High Automatic actions must be disabled for music CDs.
V-4688 High The rexec daemon must not be running.
V-922 High All shell files must have mode 0755 or less permissive.
V-25606 High Automatic actions must be disabled for blank DVDs.
V-25557 High Clear text passwords for all LDAPv3 directories must be disabled.
V-25311 High Automatic actions must be disabled for video DVDs.
V-25310 High Automatic actions must be disabled for picture CDs.
V-25265 High Active Directory Access must be securely configured.
V-25262 High sudo usage must be restricted to a single terminal, and for only one sudo instance at a time.
V-25371 High The root account must be disabled.
V-4687 High The rsh daemon must not be running.
V-22404 Medium Kernel core dumps must be disabled unless needed.
V-22387 Medium Cron and crontab directories must not have extended ACLs.
V-12023 Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
V-4371 Medium The traceroute file must have mode 0700 or less permissive.
V-4370 Medium The traceroute command must be group-owned by wheel.
V-22561 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be group-owned by wheel.
V-22560 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must be owned by root.
V-12025 Medium The system must not have any peer-to-peer file-sharing application installed.
V-12024 Medium The system must not have a public Instant Messaging (IM) client installed.
V-22389 Medium The cron.deny file must not have an extended ACL.
V-25380 Medium Access to audit configuration files must be restricted.
V-25306 Medium Fast User Switching must be disabled.
V-25278 Medium The MobileMe preference pane must be removed from System Preferences.
V-25279 Medium The Software Update Server URL must be assigned to an organizational value.
V-25302 Medium Login window must be properly configured.
V-25275 Medium /etc/sshd_config - Protocol version must be securely configured.
V-25270 Medium Local logging must be enabled.
V-25271 Medium Remote logging must be enabled.
V-25273 Medium Prevent root login must be securely configured in /etc/sshd_config.
V-22386 Medium Crontab files must not have extended ACLs.
V-784 Medium System files and directories must not have uneven access permissions.
V-22366 Medium All shell files must not have extended ACLs.
V-22335 Medium The /etc/group file must be owned by root.
V-25269 Medium Security auditing must be configured.
V-22369 Medium All system audit files must not have extended ACLs.
V-813 Medium System audit logs must have mode 640 or less permissive.
V-812 Medium System audit logs must be owned by root.
V-22333 Medium The /etc/passwd file must be group-owned by wheel.
V-4090 Medium All system start-up files must be group-owned by root, sys, bin, other, or system.
V-25332 Medium Secure virtual memory must be used.
V-25330 Medium A password must be required to unlock each System Preference Pane.
V-25333 Medium Remote control infrared receiver must be disabled.
V-4385 Medium The system must not use .forward files.
V-25335 Medium Only essential services must be allowed through firewall.
V-25337 Medium Stealth Mode must be enabled on the firewall.
V-25241 Medium Account lockout threshold must be properly configured.
V-25240 Medium Account lockout duration must be properly configured.
V-25339 Medium Screen Sharing must be disabled.
V-25338 Medium DVD or CD Sharing must be disabled.
V-773 Medium The root account must be the only account having a UID of “0”.
V-807 Medium All public directories must be owned by root or an application account.
V-22460 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-22461 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-22462 Medium The SSH client must be configured to not use CBC-based ciphers.
V-22463 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-4089 Medium All system start-up files must be owned by root.
V-4084 Medium The system must prohibit the reuse of passwords to 15 iterations.
V-22497 Medium The /etc/smb.conf file must not have an extended ACL.
V-25254 Medium Audio recording support software must be disabled.
V-25255 Medium Video recording support software must be disabled.
V-25252 Medium Wi-Fi support software must be disabled.
V-25253 Medium Bluetooth support software must be disabled.
V-25200 Medium Administrator accounts must be created with difficult-to-guess names.
V-22459 Medium The SSH daemon must be configured to not use CBC ciphers.
V-25258 Medium Infrared (IR) support must be removed.
V-4394 Medium The /etc/syslog.conf file must be group-owned by wheel.
V-22583 Medium The system's local firewall must implement a deny-all, allow-by-exception policy.
V-4393 Medium The /etc/syslog.conf file must be owned by root.
V-25324 Medium System Preferences must be securely configured so IPv6 is turned off if not being used.
V-25323 Medium Unused hardware devices must be disabled for Firewire.
V-25320 Medium Unused hardware devices must be disabled for AirPort.
V-25321 Medium Unused hardware devices must be disabled for Bluetooth.
V-22454 Medium The /etc/syslog.conf file must not have an extended ACL.
V-25882 Medium Bonjour must be disabled.
V-22324 Medium The /etc/hosts file must be group-owned by wheel.
V-1028 Medium The /etc/smb.conf file must have mode 0644 or less permissive.
V-22458 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-25349 Medium Xgrid Sharing must be disabled.
V-22326 Medium The /etc/hosts file must not have an extended ACL.
V-22325 Medium The /etc/hosts file must have mode 0644 or less permissive.
V-1027 Medium The /etc/smb.conf file must be owned by root.
V-22323 Medium The /etc/hosts file must be owned by root.
V-22322 Medium The /etc/resolv.conf file must not have an extended ACL.
V-22321 Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
V-22320 Medium The /etc/resolv.conf file must be group-owned by wheel.
V-11981 Medium All global initialization files must have mode 0644 or less permissive.
V-25300 Medium Shared folders must be disabled.
V-25358 Medium iDisk must be removed from Finder sidebar.
V-25351 Medium Bluetooth Sharing must be disabled.
V-25350 Medium Internet Sharing must be disabled.
V-25354 Medium Mail must be configured using SSL.
V-904 Medium All local initialization files must be owned by the user or root.
V-906 Medium All run control scripts must have mode 0755 or less permissive.
V-22352 Medium All files and directories contained in user home directories must not have extended ACLs.
V-22353 Medium Launch control scripts must not have extended ACLs.
V-22351 Medium All files and directories contained in user home directories must be group-owned by a group where the home directory's owner is a member.
V-22314 Medium System command files must not have extended ACLs.
V-22338 Medium The /etc/group file must not have an extended ACL.
V-22334 Medium The /etc/passwd file must not have an extended ACL.
V-22336 Medium The /etc/group file must be group-owned by wheel.
V-22337 Medium The /etc/group file must have mode 0644 or less permissive.
V-22332 Medium The /etc/passwd file must be owned by root.
V-25230 Medium A minimum password length must be set.
V-22410 Medium The system must not respond to Internet Control Message Protocol (ICMPv4) echoes sent to a broadcast address.
V-25238 Medium Newly created password content must be checked.
V-25348 Medium Remote Apple Events must be disabled.
V-29437 Medium Complex passwords must contain Alphabetic Character.
V-25340 Medium File Sharing must be disabled.
V-25341 Medium Printer Sharing must be disabled.
V-25342 Medium Web Sharing must be disabled.
V-25343 Medium Remote Login must be disabled.
V-25346 Medium Apple Remote Desktop must be disabled.
V-29439 Medium Complex passwords must contain a Symbolic Character.
V-913 Medium There must be no .netrc files on the system.
V-22416 Medium The system must ignore IPv4 ICMP redirect messages.
V-22317 Medium All library files must not have extended ACLs.
V-796 Medium System files, programs, and directories must be group-owned by a system group.
V-25374 Medium The Operating System must be current and at the latest release level.
V-25377 Medium Default and Emergency Administrator passwords must be changed when necessary.
V-25376 Medium An Emergency Administrator Account must be created.
V-22385 Medium Crontab files must be group-owned by wheel, cron, or the crontab creator's primary group.
V-22384 Medium The cron.allow file must not have an extended ACL.
V-22439 Medium The alias file must not have an extended ACL.
V-22438 Medium The aliases file must be group-owned by wheel.
V-22437 Medium The traceroute file must not have an extended ACL.
V-25204 Medium A maximum password age must be set.
V-25379 Medium Automatic Screen Saver initiation must be enabled when smart card is removed from machine.
V-25378 Medium Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization.
V-25312 Medium System must have a password-protected screen saver configured to DoD requirements.
V-25280 Medium The ability for administrative accounts to unlock screen saver must be disabled.
V-25283 Medium Setuid bit must be removed from Apple Remote Desktop.
V-25268 Medium Security auditing must be enabled.
V-25267 Medium POSIX access permissions must be assigned based on user categories.
V-25264 Medium LDAP Authentication must use authentication when connecting to LDAPv3.
V-22562 Medium If the system is using LDAP for authentication or account information, the /etc/openldap/ldap.conf (or equivalent) file must not have an extended ACL.
V-11983 Medium All global initialization files must be group-owned by wheel.
V-924 Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
V-921 Medium All shell files must be owned by root.
V-25413 Medium Spotlight Panel must be securely configured.
V-25251 Medium All application software must be current.
V-22702 Medium System audit logs must be group-owned by wheel.
V-22428 Medium The services file must not have an extended ACL.
V-22506 Medium The system package management tool must be used to verify system software periodically.
V-22394 Medium The cron.deny file must be group-owned by wheel.
V-22427 Medium The services file must be group-owned by wheel.
V-22391 Medium The cron.allow file must be group-owned by wheel.
V-25292 Medium The setuid bit from Remote Access (unsecure) must be removed.
V-25293 Medium The setuid bit from rlogin must be removed.
V-25291 Medium The setuid bit must be removed from the IPC Statistics.
V-25561 Medium All LDAPv3 packets must be encrypted.
V-25294 Medium The setuid bit from Remote Access shell (unsecure) must be removed.
V-25563 Medium LDAPv3 must block man-in-the-middle attacks.
V-25298 Medium The Auto Update feature must be disabled.
V-25299 Medium The guest account must be disabled.
V-787 Medium System log files must have mode 644 or less permissive.
V-786 Medium All network services daemon files must have mode 0755 or less permissive.
V-785 Medium All files and directories must have a valid owner.
V-22315 Medium System log files must not have extended ACLs, except as needed to support authorized software.
V-22312 Medium All files and directories must have a valid group owner.
V-4696 Medium The system must not have the UUCP service active.
V-936 Medium The nosuid option must be enabled on all NFS client mounts.
V-795 Medium All system files, programs, and directories must be owned by a system account.
V-4368 Medium The at.deny file must be owned by root, bin, or sys.
V-4369 Medium The traceroute command owner must be root.
V-4364 Medium The "at" directory must have mode 0755 or less permissive.
V-22559 Medium If the system is using LDAP for authentication or account information the /etc/openldap/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
V-4366 Medium "At" jobs must not set the umask to a value less restrictive than 077.
V-4365 Medium The "at" directory must be owned by root, bin, or sys.
V-25373 Medium Shared User Accounts must be disabled.
V-25187 Medium Unnecessary packages must not be installed.
V-22413 Medium The system must prevent local applications from generating source-routed packets.
V-22414 Medium The system must not accept source-routed IPv4 packets.
V-22417 Medium The system must not send IPv4 ICMP redirects.
V-25317 Medium The ability to use corners to disable the screen saver must be disabled.
V-25328 Medium A password must be required to wake a computer from sleep or screen saver.
V-25559 Medium All LDAPv3 packets must be digitally signed.
V-25295 Medium The setuid bit from System Activity Reporting must be removed.
V-25263 Medium LDAPv3 access must be securely configured (if it is used).
V-25261 Medium Access warning for the command line must be present.
V-25260 Medium Access warning for the login window must be present.
V-823 Medium The services file must be owned by root or bin.
V-25372 Medium Physical security of the system must meet DoD requirements.
V-793 Medium Library files must have mode 0755 or less permissive.
V-794 Medium All system command files must have mode 0755 or less permissive.
V-22313 Medium All network services daemon files must not have extended ACLs.
V-824 Medium The services file must have mode 0644 or less permissive.
V-798 Medium The /etc/passwd file must have mode 0644 or less permissive.
V-11982 Medium All global initialization files must be owned by root.
V-25318 Medium Bluetooth devices must not be allowed to wake the computer.
V-22319 Medium The /etc/resolv.conf file must be owned by root.
V-4701 Low The system must not have the finger service active.
V-25274 Low Login Grace Time must be securely configured in /etc/sshd_config.
V-22409 Low The system must not process Internet Control Message Protocol (ICMP) timestamp requests.
V-25331 Low Automatic logout due to inactivity must be disabled.
V-22373 Low System audit tool executables must not have extended ACLs.
V-806 Low The sticky bit must be set on all public directories.
V-22508 Low The file integrity tool must be configured to verify extended attributes.
V-22507 Low The file integrity tool must be configured to verify ACLs.
V-25356 Low Finder must be set to always empty Trash securely.
V-25355 Low iTunes Store must be disabled.
V-22350 Low User home directories must not have extended ACLs.
V-22331 Low For systems using DNS resolution, at least two name servers must be configured.
V-914 Low All files and directories contained in interactive user home directories must be owned by the home directory's owner.
V-25375 Low System Recovery Backup procedures must be configured to comply with DoD requirements.
V-25296 Low The correct date and time must be set.
V-792 Low Manual page files must have mode 0644 or less permissive.
V-25297 Low A secure time server must be referenced.
V-22316 Low All manual page files must not have extended ACLs.