Check: AOSX-09-000710
Apple OS X 10.9 Workstation STIG:
AOSX-09-000710
(in version v1 r2)
Title
The system must allow only applications downloaded from the App Store to run. (Cat II impact)
Discussion
Gatekeeper must be configured so that the system runs only applications downloaded from the Mac App Store or applications signed with a valid Apple Developer ID certificate. Administrator users will still be able to override the setting on a per-app basis. Gatekeeper is a security feature that requires applications to be digitally signed with a certificate issued by Apple before they are allowed to run. The digital signature lets OS X verify that the application came from the identified developer and has not been modified by a malicious third party since it was signed. Note that Gatekeeper evaluates an application when it is first opened after being downloaded (that is, while it still carries the quarantine attribute set by the browser or other downloading application); it does not re-check applications on every launch.
Check Content
To verify that only applications from the App Store or identified developers are allowed to run, open a terminal and run the following command:

system_profiler SPConfigurationProfileDataType | grep AllowIdentifiedDevelopers

The key comes from the com.apple.systempolicy.control payload of an installed configuration profile. If the command returns no output (no profile sets the key), or if 'AllowIdentifiedDevelopers' is not set to '1', this is a finding.
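The following script is an added example and is not part of the STIG text. It wraps the check above in a function that reads the system_profiler output, extracts the AllowIdentifiedDevelopers value, and reports a finding when the key is absent or not '1'. It goes slightly beyond the literal check by also treating 'EnableAssessment = 0' in the same com.apple.systempolicy.control payload as a finding, since that key turns Gatekeeper assessment off entirely. The sample profile output embedded below is constructed for the example; the exact line layout system_profiler prints is an assumption, but the 'Key = value;' form is what the grep in the check relies on.

```shell
#!/bin/sh
# Added example: evaluate AOSX-09-000710 against the text produced by
#   system_profiler SPConfigurationProfileDataType
# Input is read from stdin so the logic can be tested offline.

# Extract the value of a "Key = value;" line; prints nothing if the key is absent.
profile_value() {
    awk -v key="$1" '$0 ~ key" *=" { sub(/.*= */, ""); sub(/;.*/, ""); v = $0 } END { print v }'
}

# Returns 0 (not a finding) or 1 (finding) and prints the reason.
assess_gatekeeper_profile() {
    input=$(cat)
    allow=$(printf '%s\n' "$input" | profile_value AllowIdentifiedDevelopers)
    assess=$(printf '%s\n' "$input" | profile_value EnableAssessment)

    if [ -z "$allow" ]; then
        echo "AOSX-09-000710: FINDING (no profile sets AllowIdentifiedDevelopers)"
        return 1
    fi
    if [ "$allow" != "1" ]; then
        echo "AOSX-09-000710: FINDING (AllowIdentifiedDevelopers = $allow)"
        return 1
    fi
    # Beyond the literal STIG check: a profile that disables assessment
    # altogether means Gatekeeper enforces nothing, regardless of the key above.
    if [ "$assess" = "0" ]; then
        echo "AOSX-09-000710: FINDING (EnableAssessment = 0 disables Gatekeeper)"
        return 1
    fi
    echo "AOSX-09-000710: not a finding (AllowIdentifiedDevelopers = 1)"
    return 0
}

# Run against the live system (macOS only).
run_live_check() {
    system_profiler SPConfigurationProfileDataType | assess_gatekeeper_profile
}

# Constructed sample output: a compliant profile.
SAMPLE_COMPLIANT='Configuration Profiles:

    Gatekeeper Settings:

      Profile Identifier: org.example.gatekeeper
      Payload Data:
        com.apple.systempolicy.control:
          AllowIdentifiedDevelopers = 1;
          EnableAssessment = 1;'

# Constructed sample output: profile present but set to App Store only.
SAMPLE_APPSTORE_ONLY='Configuration Profiles:

    Gatekeeper Settings:

      Profile Identifier: org.example.gatekeeper
      Payload Data:
        com.apple.systempolicy.control:
          AllowIdentifiedDevelopers = 0;
          EnableAssessment = 1;'

# Constructed sample output: no Gatekeeper profile installed at all.
SAMPLE_NO_PROFILE='Configuration Profiles:

    Wi-Fi Settings:

      Profile Identifier: org.example.wifi
      Payload Data:
        com.apple.wifi.managed:
          SSID_STR = "corp";'

# Demonstration on the constructed samples (failures are expected here).
printf '%s\n' "$SAMPLE_COMPLIANT" | assess_gatekeeper_profile || true
printf '%s\n' "$SAMPLE_APPSTORE_ONLY" | assess_gatekeeper_profile || true
printf '%s\n' "$SAMPLE_NO_PROFILE" | assess_gatekeeper_profile || true
```

Call run_live_check on the workstation being assessed; a non-zero exit status is a finding. The "App Store only" sample is deliberately reported as a finding because the STIG check requires the value '1', even though that configuration is stricter than the discussion describes.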
Fix Text
This setting is enforced using a configuration profile. Install a profile whose com.apple.systempolicy.control payload sets AllowIdentifiedDevelopers to 1, then re-run the check command to confirm the key is reported.
Additional Identifiers
Rule ID: SV-72809r1_rule
Vulnerability ID: V-58379
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
Number | Title |
---|---|
CM-5 (3) |
Signed Components |