Apple OSX 10.8 STIG
Apple OS X 10.8 (Mountain Lion) Workstation STIG. Version v1 r2, released April 24, 2015.
OSX8-00-01120: The sticky bit must be set on all public directories.
Run the following command to view all world-writable directories that do not have the sticky bit set: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) If anything is returned, this is a finding.
Discussion
The sticky bit must be set on all public directories.
Fix
Run the following command to set the sticky bit on all world-writable directories: sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
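The OSX8-00-01120 check and fix above run find against the whole filesystem; the following added example (not part of the STIG text) wraps the same find expression in functions and exercises them against a constructed directory tree, so the expression and the remediation can be verified before they are run against / on a real workstation.

```shell
#!/bin/sh
# Added example, not STIG text: verify the sticky-bit check and fix from
# OSX8-00-01120 on a constructed tree before running them against /.
# Add -xdev to the find calls if the scan must stay on the local volume.

# Print world-writable directories under $1 that lack the sticky bit.
# This is the STIG's find expression, rooted at a path instead of /.
find_unsafe_public_dirs() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | sort
}

# Apply the STIG fix (chmod +t) to every directory the check reports.
fix_unsafe_public_dirs() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \; 2>/dev/null
}

# Return 0 (compliant) or 1 (finding) for the tree rooted at $1.
sticky_bit_check() {
    [ -z "$(find_unsafe_public_dirs "$1")" ]
}

# Constructed sample tree: a compliant public directory (1777), a finding
# (0777, no sticky bit) and a private directory (0755) the check must ignore.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/tmp_ok" "$sample_root/shared_bad" "$sample_root/private"
    chmod 1777 "$sample_root/tmp_ok"
    chmod 0777 "$sample_root/shared_bad"
    chmod 0755 "$sample_root/private"
    printf '%s\n' "$sample_root"
}

# Demo: report, remediate, re-check.
demo_root=$(make_sample_tree)
echo "Before fix:"
find_unsafe_public_dirs "$demo_root"
fix_unsafe_public_dirs "$demo_root"
if sticky_bit_check "$demo_root"; then
    echo "After fix: compliant"
else
    echo "After fix: still a finding"
fi
```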
OSX8-00-00245: The flags option must be set in /etc/security/audit_control.
The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.
Discussion
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).
Fix
To set the audit flags to the recommended setting, run the following command: sudo sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00531: Find My Mac must be disabled.
To check if Find My Mac is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Find My Mac must be disabled.
Fix
To disable Find My Mac, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00185: The operating system must display the DoD-approved system use notification message or banner before granting access to the system.
The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder: ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document MUST read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG -authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the text is not exactly worded this way, this is a finding.
Discussion
The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system. This ensures all the legal requirements are met as far as auditing and monitoring are concerned.
Fix
Create a RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security/
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01040: The system must not use .forward files.
To check if the system contains any ".forward" files, run the following command: find / -name .forward -print If anything is returned, this is a finding.
Discussion
The system must not use .forward files.
Fix
To remove any ".forward" files from the system, run the following command: find / -name .forward -exec rm {} \;
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00725: The FIPS administrative and cryptographic modules must be installed correctly.
Run the following command to ensure the correct FIPS administrative and cryptographic modules are installed correctly: sudo codesign -dvvv /usr/libexec/cc_fips_test 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "bdef561bd742ae2e28589ca3ed44f188530d6910". If it differs, this is a finding.
Discussion
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Fix
Download and install the Apple FIPS Cryptographic Module v3.0 from http://support.apple.com/kb/DL1555
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00560: The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives.
To check whether automatic backups for the built-in "Time Machine" function of OS X are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is "0", automatic backups are disabled. Although OS X does include Time Machine as a backup facility, check with the organization's System Administrators for the defined policies and procedures for workstation backups.
Discussion
Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.
Fix
To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00095: Automatic actions must be disabled for music CDs.
To check if the system has the correct setting for music CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a music CD" should be set to "Ignore"; if it is not, this is a finding.
Discussion
Automatic actions must be disabled for music CDs.
Fix
Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a music CD" to "Ignore".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00115: The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.
If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value of "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
Discussion
When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.
Fix
To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00750: The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
To view a list of installed certificates, run the following command: sudo security -dump-keychain | grep labl | awk -F\" '{ print $4 }' If this list does not contain approved certificates, this is a finding.
Discussion
For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.
Fix
Obtain the approved DOD certificates from the appropriate authority. Use Keychain Access from /Applications/Utilities to add certificates to the System keychain.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00590: The operating system must enforce minimum password length.
To check the currently applied policies for password and accounts, use the following command: sudo system_profiler SPConfigurationProfileDataType | grep minLength The parameter minLength should be "15". If it is less than "15", this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Fix
To set the policy to force the length of a password, a configuration profile must be created and applied to the workstation.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01075: Finder must be set to always empty Trash securely.
To check that the finder will only present the option to securely empty trash run the following command as the primary user: system_profiler SPConfigurationProfileDataType | grep EmptyTrashSecurely | awk '{ print $3 }' | sed 's/;//' If the result does not return a setting, or the setting is not "1", this is a finding.
Discussion
Finder must be set to always empty Trash securely. In Mac OS X, Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.
Fix
This should be enforced by a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00785: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.
Discussion
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system.
Fix
Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00945: The SSH daemon LoginGraceTime must be set correctly.
To check the amount of time that a user can login through SSH, run the following command: grep LoginGraceTime /etc/sshd_config If the value is not set to "30" or less, this is a finding.
Discussion
LoginGraceTime must be securely configured in /etc/sshd_config.
Fix
In order to make sure that LoginGraceTime is configured correctly, run the following command: sudo sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/sshd_config
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00575: The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2" this is a finding.
Discussion
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.
Fix
In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
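The three sshd rules above (OSX8-00-00945 LoginGraceTime, OSX8-00-00575 Protocol, and the identical Protocol check repeated for privileged accounts as OSX8-00-00570) share two weaknesses in their commands: grep LoginGraceTime also matches the commented default line, and the sed fixes rewrite every line containing the keyword, comments included, and would also touch a keyword inside a Match block. The following added example (not STIG text) evaluates and sets both keywords the way sshd reads them, against a constructed copy of sshd_config; the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not STIG text: check and set sshd_config keywords for
# OSX8-00-00945 / OSX8-00-00575 / OSX8-00-00570 with sshd's own semantics.

# Print the effective value of keyword $2 in sshd_config $1. sshd uses the
# first uncommented occurrence; "#LoginGraceTime 2m" is ignored here, whereas
# the STIG's plain grep would report it.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Convert an sshd time value (30, 30s, 2m, 1h) to seconds.
sshd_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# OSX8-00-00945: LoginGraceTime must be explicitly set to 30 seconds or less.
# An unset keyword falls back to the OpenSSH default of 2m, which is a finding.
login_grace_check() {
    v=$(sshd_effective "$1" LoginGraceTime)
    [ -n "$v" ] || return 1
    [ "$(sshd_seconds "$v")" -le 30 ]
}

# OSX8-00-00575 / OSX8-00-00570: the result must be exactly "2" ("2,1" fails).
protocol_check() {
    [ "$(sshd_effective "$1" Protocol)" = "2" ]
}

# Set keyword $2 to value $3 in sshd_config $1: drop every active line for the
# keyword, leave comments alone, and place the new line before the first Match
# block so it applies globally. The original is kept as $1.bak, as sed -i.bak does.
sshd_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key)            { next }
        tolower($1) == "match" && !done        { print key " " val; done = 1 }
                                               { print }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp"
    cp "$1" "$1.bak" && mv "$tmp" "$1"
}

# Constructed sample resembling a stock sshd_config with both findings present.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample for the demo
#Protocol 2
#LoginGraceTime 2m
Protocol 2,1
LoginGraceTime 1m
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# Demo: evaluate, remediate, re-evaluate.
cfg=$(make_sample_sshd_config)
if protocol_check "$cfg" && login_grace_check "$cfg"; then echo "before: compliant"; else echo "before: finding"; fi
sshd_set "$cfg" Protocol 2
sshd_set "$cfg" LoginGraceTime 30
if protocol_check "$cfg" && login_grace_check "$cfg"; then echo "after: compliant"; else echo "after: finding"; fi
```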
OSX8-00-00125: The operating system must automatically audit account modification.
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad Account modification events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.
Discussion
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of user accounts and, as required, notifies appropriate individuals.
Fix
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
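The flags line of audit_control is checked and rewritten by two rules above, OSX8-00-00245 (the full recommended set) and OSX8-00-00125 (the "ad" class). The STIG's append fix, sed '/^flags/ s/$/,ad/', adds ",ad" every time it runs and does nothing if the file has no flags line at all. The following added example (not STIG text) checks for individual flags as whole tokens, adds a missing flag idempotently, and sets the full recommended set, all against a copy of the file; the sample audit_control is constructed.

```shell
#!/bin/sh
# Added example, not STIG text: inspect and repair the "flags:" line of an
# audit_control file for OSX8-00-00245 and OSX8-00-00125.

# The flag set OSX8-00-00245 recommends.
STIG_AUDIT_FLAGS="lo,ad,fr,fw,fc,fd,fm,pc,nt,aa"

# Print the flags currently set in file $1 (empty if there is no flags line).
# "naflags:" is a different keyword and is not matched.
audit_flags_get() {
    grep '^flags:' "$1" | sed 's/^flags://' | head -n 1
}

# Return 0 if flag $2 is present in file $1 as a whole token, so "ad" is not
# satisfied by "aa" or by a "grep ad" substring match.
audit_flag_present() {
    audit_flags_get "$1" | tr ',' '\n' | grep -qx "$2"
}

# Return 0 if every flag in STIG_AUDIT_FLAGS is present in file $1.
audit_flags_check() {
    for flag in $(printf '%s' "$STIG_AUDIT_FLAGS" | tr ',' ' '); do
        audit_flag_present "$1" "$flag" || return 1
    done
}

# Add flag $2 to file $1 only if it is missing (OSX8-00-00125 fix, idempotent).
# Handles an absent or empty flags line instead of producing "flags:,ad".
audit_flag_add() {
    if audit_flag_present "$1" "$2"; then
        return 0
    fi
    if ! grep -q '^flags:' "$1"; then
        printf 'flags:%s\n' "$2" >> "$1"
    elif [ -z "$(audit_flags_get "$1")" ]; then
        sed -i.bak 's/^flags:.*/flags:'"$2"'/' "$1"
    else
        sed -i.bak '/^flags:/ s/$/,'"$2"'/' "$1"
    fi
}

# Replace the flags line with the recommended set (OSX8-00-00245 fix), adding
# the line if the file has none. sed -i.bak keeps the original as $1.bak.
audit_flags_set_stig() {
    if grep -q '^flags:' "$1"; then
        sed -i.bak 's/^flags:.*$/flags:'"$STIG_AUDIT_FLAGS"'/' "$1"
    else
        printf 'flags:%s\n' "$STIG_AUDIT_FLAGS" >> "$1"
    fi
}

# Constructed sample with the minimal "lo,aa" set, which fails both rules.
make_sample_audit_control() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample audit_control
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed file.
ac=$(make_sample_audit_control)
echo "flags before: $(audit_flags_get "$ac")"
audit_flag_add "$ac" ad
audit_flag_add "$ac" ad          # second run must not duplicate the token
echo "flags after adding ad: $(audit_flags_get "$ac")"
audit_flags_set_stig "$ac"
echo "flags after STIG set: $(audit_flags_get "$ac")"
```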
OSX8-00-00050: The rsh service must be disabled.
The "rshd" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/shell Disabled If the result is not "1", this is a finding.
Discussion
Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities. Based on that assessment some may be deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
Fix
To set the "rshd" service to disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/shell Disabled 1
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00380: The operating system must protect audit tools from unauthorized access.
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is imperative that access to audit tools be controlled and protected from unauthorized access.
Fix
To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00005: The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
To view the currently selected screen saver for the logged in user, run the following command: system_profiler SPConfigurationProfileDataType | grep moduleName If there is no result or defined moduleName, this is a finding.
Discussion
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00445: The operating system must employ automated mechanisms to centrally manage configuration settings.
To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.
Discussion
Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Rather than visiting each system when making configuration changes, organizations must employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Fix
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01130: Users must not have Apple IDs signed into iCloud.
To see if any user account has configured an Apple ID for iCloud usage, run the following command: sudo find /Users/ -name "MobileMeAccounts.plist" -exec defaults read '{}' \; If the results show any accounts listed, this is a finding.
Discussion
Users should not have Apple IDs signed into iCloud.
Fix
This must be manually resolved. With the affected user logged in, open System Preferences->iCloud. Choose "Sign Out".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00144: The racoon daemon must be disabled.
To check if racoon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.racoon:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. The IKE service, racoon, should be disabled.
Fix
To disable the racoon daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.racoon" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01175: The centralized process core dump data directory must be owned by root.
To check the ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the owner is not "root", this is a finding.
Discussion
The centralized process core dump data directory must be owned by root.
Fix
To change the ownership to "root", run the following command: sudo chown root /Library/Logs/DiagnosticReports/
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00618: The CRLStyle option must be set correctly.
To check to see if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.
Discussion
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00815: System log files must be owned by root:wheel.
This command checks for the log files listed in /etc/newsyslog.conf and prints each log with its corresponding ownership: stat -f "%Su:%Sg:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null If there are any log files that are not owned by root and group-owned by wheel or admin, this is a finding.
Discussion
If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.
Fix
For any log file that returns an incorrect permission value, run the following command: chown root:wheel [log file] where [log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01115: The system must not have the finger service active.
To check if the finger service has been disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.fingerd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
The system must not have the finger service active.
Fix
To ensure that the finger service is disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.fingerd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01215: The system must prevent local applications from generating source-routed packets.
To check if the system is configured to generate source-routed packets, run the following command: sysctl net.inet.ip.sourceroute | awk '{ print $NF }' If the value is not set to "1", this is a finding.
Discussion
The system must prevent local applications from generating source-routed packets.
Fix
To disable source routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.sourceroute=1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00570: The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
To check which protocol is configured for sshd, run the following: grep ^Protocol /etc/sshd_config | awk '{ print $2 }' If there is no result or the result is not "2", this is a finding.
Discussion
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.
Fix
In order to make sure that "Protocol 2" is used by sshd, run the following command: sudo sed -i.bak 's/.*Protocol.*/Protocol 2/' /etc/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00100: Automatic actions must be disabled for picture CDs.
To check if the system has the correct setting for picture CDs, open System Preferences, CDs & DVDs. The setting for "When you insert a picture CD" should be set to "Ignore"; if it is not, this is a finding.
Discussion
Automatic actions must be disabled for picture CDs.
Fix
Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a picture CD" to "Ignore".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00550: The system must not have the UUCP service active.
To check if UUCP is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.uucp:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
The system must not have the UUCP service active.
Fix
To disable UUCP, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.uucp" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00010: The operating system must initiate a session lock after the organization-defined time period of inactivity.
To check if the system has a configuration profile configured to enable the screen saver after a time-out period, run the following command: system_profiler SPConfigurationProfileDataType | grep idleTime | awk '{ print $3 }' | sed 's/;//' The check should return a value of "900" or less, if not, this is a finding.
Discussion
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of the absence. The organization defines the period of inactivity to pass before a session lock is initiated, so this must be configurable.
Fix
This setting is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00455: The operating system must employ automated mechanisms to centrally verify configuration settings.
To check if the computer has a configuration profile applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.
Discussion
Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when verifying configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Fix
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01235: Unused network devices must be disabled.
To list the network devices that are enabled on the system, run the following command: sudo networksetup -listallnetworkservices If any service is listed that is not being used, it must be disabled.
Discussion
Unused network devices must be disabled.
Fix
To disable a network service, run the following command: sudo networksetup -setnetworkserviceenabled <networkservice> off
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01165: Unnecessary packages must not be installed.
To view a list of packages and applications installed on the system, run the following command: sudo pkgutil --volume / --pkgs If any of the packages listed are not required for proper operation of the system, this is a finding.
Discussion
Unnecessary packages must not be installed.
Fix
If there are any unnecessary packages installed on the system, verify any dependencies and remove those not required.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00862: The usbmuxd daemon must be disabled.
To check the status of the usbmuxd daemon, run the following command: sudo launchctl list | grep usbmuxd If there is any output, this is a finding.
Discussion
Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices.
Fix
To disable the usbmuxd daemon, run the following command: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.usbmuxd.plist
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00085: Automatic actions must be disabled for blank CDs.
To check if the system has the correct setting for blank CDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.cd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
Discussion
Automatic actions must be disabled for blank CDs.
Fix
This setting must be configured using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00845: The FireWire protocol driver must be removed or disabled.
This command checks for the presence of the FireWire protocol kext (driver). This is the primary driver for FireWire communication and, if removed, will disable the ability to communicate with FireWire devices: ls -ld /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext If this command returns any value other than "No such file or directory", this is a finding. To check whether a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
Discussion
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Fix
To remove the driver for FireWire, run the following command: sudo rm -Rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext This should be enforced by a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00810: DoD proxies must be configured on all active network interfaces.
To show the proxy configuration for the Ethernet interface, run the following command: networksetup -getautoproxyurl Ethernet Replace "Ethernet" with the plain English name of the network interface you need to verify. If there is no proxy defined, or Enabled is set to "No", this is a finding. The following command lists the plain English names of all configured network interfaces on the computer: networksetup -listallnetworkservices
Discussion
A proxy server is designed to hide the identity of the client when making a connection to a server outside its network. This prevents attackers on the outside from learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to; the proxy server sits in the middle and handles both sides of the session.
Fix
Ensure that DoD proxies are configured on all active network interfaces listed from the command: networksetup -listallnetworkservices
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00711: End users must not be able to override Gatekeeper settings.
To check that the user cannot override Gatekeeper settings, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.
Discussion
Gatekeeper settings must be configured correctly.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00435: The operating system must limit privileges to change software resident within software libraries (including privileged programs).
To check the permissions and ownership of the system files and make sure they have not changed from the original installation, run the following command: sudo diskutil verifyPermissions / Any result indicating that the user, group, or permissions differ is a finding.
Discussion
When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix
To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00225: The audit log files must not contain ACLs.
To check for ACLs on the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. Where present, an ACL is listed beneath the file it applies to, e.g., "0: group:admin allow list,readattr,readextattr,readsecurity". If any file has such an entry, this is a finding.
Discussion
The audit log files should not contain ACLs.
Fix
For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01105: Kernel core dumps must be disabled unless needed.
To check if kernel core dumps are enabled, run the following command: sudo sysctl kern.coredump | awk '{ print $NF }' If the value is not "0", this is a finding.
Discussion
Kernel core dumps must be disabled unless needed.
Fix
Edit the /etc/sysctl.conf file to include the following line: kern.coredump=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01205: IP forwarding for IPv4 must not be enabled, unless the system is a router.
To check if IP forwarding is enabled, run the following command: sysctl net.inet.ip.forwarding | awk '{ print $NF }' If the value is not "0", this is a finding.
Discussion
IP forwarding for IPv4 must not be enabled, unless the system is a router.
Fix
To configure the system to disable IPv4 forwarding, add the following line to /etc/sysctl.conf: net.inet.ip.forwarding=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00300: The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
The check displays the "expire-after" setting, which determines when old audit trail files are expired so that the audit volume does not fill (the fix below expires them once they exceed 10 GB in total). To view the current setting, run the following command: sudo grep expire-after /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or a setting that is incorrect for the organization, this is a finding.
Discussion
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Care must be taken to ensure that the audit records being produced do not exceed the storage capacity.
Fix
To set the auditing daemon to expire logs after "10 GB" of space in the audit_control configuration file, run the following command: sudo sed -i.bak 's/.*expire-after.*/expire-after:10G/' /etc/security/audit_control; sudo audit -s
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01020: The default global umask setting must be changed for system processes.
To view the umask setting, run the following command: umask If the setting is not "022", this is a finding.
Discussion
The default global umask setting must be configured correctly for system processes.
Fix
To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 022' > /etc/launchd.conf"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00155: The system firewall must be configured with a default-deny policy.
Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If no local firewall is installed on the system and configured with a default-deny policy, this is a finding.
Discussion
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path.
Fix
Install an approved HBSS or firewall solution onto the system.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00215: The audit log folder must be owned by root:wheel.
To check the ownership of the audit log folder, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` | awk '{ print $3 ":" $4 }' This command shows the UID and GID of the audit log directory; the result should be "0:0", the first "0" being root and the second "0" being wheel. If there is any other result, this is a finding.
Discussion
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Fix
If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01045: Active Directory Access must be securely configured to sign all packets.
To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet Signing option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.
Discussion
Active Directory Access must be securely configured to sign all packets.
Fix
To set the Active Directory configuration to require signing of packets, run the following command: sudo dsconfigad -packetsign require
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00345: Audit log files must not contain ACLs.
To check for ACLs on the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should not contain ACLs. Where present, an ACL is listed beneath the file it applies to (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file has such an entry, this is a finding.
Discussion
Audit log files should not contain ACLs.
Fix
For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-02060: The system must be integrated into a directory services infrastructure.
Ask the SA or IAO if the system is integrated into a directory services infrastructure, such as Active Directory. If the system is not integrated into a directory service infrastructure, this is a finding. Mitigation: If there is no directory services infrastructure available, reduce severity to CAT III.
Discussion
Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active Directory, allow centralized management of users and passwords.
Fix
Integrate the system into an existing directory services infrastructure, such as Active Directory.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01080: The application firewall must be enabled.
To check if the OS X firewall has been enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate If the result is not enabled, this is a finding.
Discussion
The application firewall must be enabled.
Fix
To enable the firewall run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01095: The ability to use corners to disable the screen saver must be disabled.
To check if any of the hot corners are configured to disable the screen saver, run the following command for the logged-in user: system_profiler SPConfigurationProfileDataType | grep wvous There should be 4 results (wvous-bl-corner, wvous-br-corner, wvous-tl-corner, wvous-tr-corner). If any of them is not set to "1", this is a finding.
Discussion
The ability to use corners to disable the screen saver must be disabled.
Fix
Open up System Preferences->Desktop&Screen Saver, and open Hot Corners. Make sure none of the corners are defined to "Disable Screen Saver". This can be enforced using a configuration profile or managed preferences.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00690: The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
The "telnet" service should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted.
Fix
To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00325: The system must be configured to set the time automatically from a network time server.
To check the setting for using a network time server, run the following command: systemsetup -getusingnetworktime | grep On If nothing is returned (the setting is "Off"), this is a finding.
Discussion
The system must be configured to set the time automatically from a network time server.
Fix
To enable the system to use a network time server, run the following: sudo systemsetup -setusingnetworktime on
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00965: Bluetooth Sharing must be disabled.
To check if Bluetooth Sharing is enabled, open System Preferences->Sharing and verify that "Bluetooth Sharing" is not checked "ON". If it is "ON", this is a finding.
Discussion
Bluetooth Sharing must be disabled.
Fix
To disable Bluetooth Sharing, open System Preferences->Sharing and uncheck the box next to Bluetooth Sharing.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00295: The operating system must allocate audit record storage capacity.
The check displays the percentage of free space ("minfree") that must be left available on the audit volume. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or a setting that is incorrect for the organization, this is a finding.
Discussion
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. It is imperative that the operating system be configured to allocate storage capacity to contain audit records.
Fix
Edit the /etc/security/audit_control file, and change the value for "minfree" to the percentage of free space you require to keep available for the system. You can use the following command to set the "minfree" value to "10%": sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00135: The operating system must automatically audit account termination.
To view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad Account creation and deletion events are logged by way of the "ad" (administrative) flag. If "ad" is not listed in the result of the check, this is a finding.
Discussion
Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The operating system must audit and notify, as required, to mitigate the Denial of Service risk.
Fix
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
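The three audit_control checks above (expire-after, minfree, and the "ad" audit class) can be scripted as one compliance check. The script below is an added example, not part of the STIG or Apple's tooling; it runs against a constructed audit_control file written to a temporary path, and its ensure_flag helper differs from the sed one-liner in the fix by adding ",ad" only when the class is absent, so re-running it does not duplicate the flag.

```shell
#!/bin/sh
# Added example: audit /etc/security/audit_control against the STIG items
# OSX8-00-00300 (expire-after), OSX8-00-00295 (minfree) and OSX8-00-00135 (ad).

# check_audit_control FILE
# Prints one line per finding and returns the number of findings (0 = compliant).
check_audit_control() {
  f=$1; n=0
  # flags: must exist and the comma-separated class list must contain "ad"
  flags=$(grep '^flags:' "$f" | head -n 1 | sed 's/^flags://')
  if [ -z "$flags" ]; then
    echo "finding: flags option not set"; n=$((n+1))
  elif ! printf '%s\n' "$flags" | tr ',' '\n' | grep -qx 'ad'; then
    echo "finding: flags does not include ad"; n=$((n+1))
  fi
  # minfree: must exist and be a plain percentage (digits only)
  minfree=$(grep '^minfree:' "$f" | head -n 1 | awk -F: '{ print $2 }')
  case $minfree in
    ''|*[!0-9]*) echo "finding: minfree missing or not numeric"; n=$((n+1)) ;;
  esac
  # expire-after: must exist (the value is organization-defined, e.g. 10G)
  if ! grep -q '^expire-after:' "$f"; then
    echo "finding: expire-after not set"; n=$((n+1))
  fi
  return $n
}

# ensure_flag FILE CLASS
# Idempotent version of the fix: append CLASS to the flags line only if absent.
ensure_flag() {
  f=$1; c=$2
  cur=$(grep '^flags:' "$f" | head -n 1 | sed 's/^flags://')
  if printf '%s\n' "$cur" | tr ',' '\n' | grep -qx "$c"; then
    return 0                      # already present, nothing to do
  fi
  if ! grep -q '^flags:' "$f"; then
    printf 'flags:%s\n' "$c" >> "$f"          # no flags line at all
  elif [ -z "$cur" ]; then
    sed -i.bak "s/^flags:.*/flags:$c/" "$f"    # empty "flags:" line
  else
    sed -i.bak "/^flags:/ s/\$/,$c/" "$f"      # append to existing list
  fi
}

# Stand-alone demonstration on a constructed (non-compliant) sample file.
demo_audit_control() {
  tmp=$(mktemp)
  printf 'dir:/var/audit\nflags:lo,fr\nminfree:x\n' > "$tmp"
  echo "before fix:"
  check_audit_control "$tmp" || true
  ensure_flag "$tmp" ad
  ensure_flag "$tmp" ad     # second run must not produce "lo,fr,ad,ad"
  echo "flags line after fix: $(grep '^flags:' "$tmp")"
  rm -f "$tmp" "$tmp.bak"
}

demo_audit_control
```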
OSX8-00-00350: Audit Log files must have the correct permissions.
Prevent unauthorized users from reading or altering the audit logs. To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions to be "440" or less permissive. If not, this is a finding.
Discussion
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Fix
For any log file that returns an incorrect permission value, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01170: The operating system must enforce requirements for remote connections to the information system.
To check if screen sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.screensharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Screen Sharing must be disabled.
Fix
To disable screen sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.screensharing" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00370: The audit log folder must have the correct permissions.
To check the permissions of the audit log files, run the following command: stat -f "%A:%N" `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.
Discussion
The audit log folder should have correct permissions.
Fix
If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 /var/audit
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00555: The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives.
To check whether automatic backups for the built-in "Time Machine" function of OS X are enabled, run the following command: sudo defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup If the result is "0", automatic backups are disabled. Although OS X does include Time Machine as a backup facility, check with the organization's System Administrators for the defined policies and procedures for workstation backups.
Discussion
Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.
Fix
To enable the automatic backups using Time Machine, run the following command: sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00415: The auditing tool, auditd, must be the one provided by Apple, Inc.
Run the following command to ensure the audit tool, auditd has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditd 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "abad487143d9bb99e06d945f69f8fab6e49460f1". If it differs, this is a finding.
Discussion
The auditing tool, auditd, should be the one provided by Apple, Inc.
Fix
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00850: The USB mass storage driver must be removed or disabled.
This command checks for the presence of the USB mass storage kext (driver). Run the following command: ls -ld /System/Library/Extensions/IOUSBMassStorageClass.kext If this command returns any value other than "No such file or directory", this is a finding. To check whether a configuration profile is configured to disallow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
Discussion
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Fix
To remove the USB mass storage kext, run the following command: sudo rm -Rf /System/Library/Extensions/IOUSBMassStorageClass.kext This should be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00105: Automatic actions must be disabled for video DVDs.
To check if the system has the correct setting for video DVDs, open System Preferences, CDs & DVDs. The setting for "When you insert a video DVD" should be set to "Ignore"; if it is not, this is a finding.
Discussion
Automatic actions must be disabled for video DVDs.
Fix
Open up System Preferences, CDs & DVDs. Change the setting for "When you insert a video DVD" to "Ignore".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00875: The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
Ask the SA or IAO if a host-based security system is loaded on the system. The recommended system is the McAfee HBSS. If there is no HBSS installed on the system, this is a finding.
Discussion
Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Automated alarming mechanisms provide the appropriate personnel with the capability to immediately respond and react to events categorized as unusual or having security implications that could be detrimental to system and/or organizational security.
Fix
If the system does not have the HBSS package installed, contact the HBSS administrator to obtain the installer package for the software.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00860: The iPod Driver must be removed.
This command checks for the presence of the iPod Driver kext (driver). Run the following command: ls -ld /System/Library/Extensions/iPodDriver.kext If this command returns any value other than "No such file or directory", this is a finding.
Discussion
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.
Fix
To remove the iPod Driver kext, run the following command: sudo rm -Rf /System/Library/Extensions/iPodDriver.kext
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00065: The Bluetooth protocol driver must be removed.
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Discussion
Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining which resources can be accessed. The organization will define the requirements for connection of mobile devices. In order to ensure that the connection provides adequate integrity and confidentiality, the operating system must enforce these requirements.
Fix
Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00220: The audit log folder must have correct permissions.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'` The results should show the permissions (first column) to be "700" or less permissive. If not, this is a finding.
Discussion
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Fix
If the permissions on the audit log file are incorrect, run the following command: sudo chmod 700 `grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01010: All files and directories contained in interactive user home directories must be owned by the home directory's owner.
To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is not owned by the user, this is a finding.
Discussion
All files and directories contained in interactive user home directories must be owned by the home directory's owner.
Fix
To change the ownership of the files and directories to the owner of the home directory, run the following command: sudo chown -R username /Users/username
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00705: A configuration profile must exist to restrict launching of applications.
To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.
Discussion
The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.
Fix
A configuration profile should exist to restrict launching of applications.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00400: The auditing tool, praudit, must be the one provided by Apple, Inc.
Run the following command to ensure the audit tool, praudit, has the correct signed hash value: sudo codesign -dvvv /usr/sbin/praudit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "7972f0ead62fd6610d4453f842f9e22b5dc14732". If it differs, this is a finding.
Discussion
Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Cryptographic mechanisms must be used to protect the integrity of the audit tools used for audit reduction and reporting. The auditing tool, praudit, should be the one provided by Apple, Inc.
Fix
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01220: The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
To check if the system is configured to process ICMP timestamp requests, run the following command: sysctl net.inet.icmp.timestamp | awk '{ print $NF }' If the value is not set to "1", this is a finding.
Discussion
The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
Fix
To disable ICMP timestamp responses, add the following line to /etc/sysctl.conf: net.inet.icmp.timestamp=1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00470: The application Chess must be removed.
To check for the existence of Chess, run the following command: ls -ald /Applications/Chess.app If anything is returned, this is a finding.
Discussion
The application Chess must be removed.
Fix
To remove Chess, run the following command: sudo rm -Rf /Applications/Chess.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-02055: All users must use PKI authentication for login and privileged access.
Ask the SA or IAO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If a non-emergency account can log into the system or gain privileged access without a smart card, this is a finding.
Discussion
Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emergency access to a system for maintenance is acceptable, however.)
Fix
Implement PKI authentication using approved third-party PKI tools, to integrate with an existing directory services infrastructure or local password database, where no directory services infrastructure exists.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00720: The SSH daemon ClientAliveCountMax option must be set correctly.
To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command: grep ClientAliveCountMax /etc/sshd_config If the setting is commented out, or not "ClientAliveCountMax 0", this is a finding.
Discussion
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
Fix
To make sure that the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, run the following command: sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00355: Audit log files must be owned by root:wheel.
Prevent unauthorized users from reading or altering the audit logs. To check the ownership of the audit log files, run the following command: sudo -s ls -l `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The audit log files listed should be owned by root:wheel. If not, this is a finding.
Discussion
Audit log files should be owned by root:wheel.
Fix
For any log file that returns incorrect ownership, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00565: The SSH PermitRootLogin option must be set correctly.
To check if SSH has root logins enabled, run the following command: sudo grep ^PermitRootLogin /etc/sshd_config | awk '{ print $2 }' If there is no result, or the result is set to "yes", this is a finding.
Discussion
To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as, adding an additional level of protection of the actions that can be taken with group account knowledge.
Fix
In order to make sure that PermitRootLogin is disabled by the sshd, run the following command: sudo sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/sshd_config
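The two SSH checks on this page (ClientAliveCountMax and PermitRootLogin) grep for the keyword, which also matches commented-out defaults, and their sed fixes change nothing when the directive is absent. The shell functions below are an added example, not part of the STIG: they report the value sshd would actually use (the first uncommented occurrence of a keyword, matched case-insensitively) and set a directive idempotently, keeping a .bak copy. The sshd_config they operate on is constructed in a temporary directory and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not STIG text): evaluate and set sshd_config directives the way
# sshd reads them: first uncommented occurrence wins, keyword is case-insensitive.

# Print the effective value of keyword $2 in file $1 (empty if not set).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                                   # comments never count
        NF >= 2 && tolower($1) == key { print $2; exit }      # first live occurrence wins
    ' "$1"
}

# Print "pass" when keyword $2 in file $1 has value $3, otherwise "fail: <actual|unset>".
sshd_check() {
    v=$(sshd_effective "$1" "$2")
    if [ "$v" = "$3" ]; then
        printf 'pass\n'
    else
        printf 'fail: %s\n' "${v:-unset}"
    fi
}

# Set keyword $2 to value $3 in file $1, keeping a .bak copy: the first live
# occurrence is rewritten, later live copies (which sshd ignores anyway) are
# commented out, and the directive is appended when it is absent.
sshd_set() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cp "$1" "$1.bak"
    awk -v key="$key" -v line="$2 $3" '
        /^[ \t]*#/ { print; next }
        NF >= 2 && tolower($1) == key {
            if (!done) { print line; done = 1 } else { print "# duplicate removed: " $0 }
            next
        }
        { print }
        END { if (!done) print line }
    ' "$1.bak" > "$1"
}

# Constructed sample file (not a real system's sshd_config); prints its path.
make_sample_sshd_config() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# constructed sample
#PermitRootLogin yes
PermitRootLogin yes
ClientAliveInterval 300
#ClientAliveCountMax 3
permitrootlogin no
EOF
    printf '%s\n' "$d/sshd_config"
}
```

On the sample, sshd_effective reports PermitRootLogin as "yes" (the later lowercase "no" is ignored by sshd), and ClientAliveCountMax as unset because only a comment mentions it; after sshd_set both read as required and the duplicate has been commented out.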
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00110: The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.
If a temporary user has been created on the workstation, check its expiration settings with the following command: sudo pwpolicy -u <username> -get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value of "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
Discussion
When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.
Fix
To set an expiration date for a temporary account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00230: The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
To see if the audit daemon is loaded, run the following command: sudo launchctl list | grep -i com.apple.auditd The result returned should be " - 0 com.apple.auditd". If the daemon is not loaded, this is a finding.
Discussion
Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). The events that occur must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. The operating system must be able to have audit events correlated to the level of tolerance determined by the organization.
Fix
Configuration of startup processes is done via configuration files for each process or daemon. Make sure the file /System/Library/LaunchDaemons/com.apple.auditd.plist exists. If not, you may need to obtain a copy from the original installation media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00935: The ability for administrative accounts to unlock Screen Saver must be disabled.
To check the setting for authentication to unlock the screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "print :rights:system.login.screensaver:rule" /etc/authorization If the result is not "authenticate-session-owner" this is a finding.
Discussion
The ability for administrative accounts to unlock Screen Saver must be disabled.
Fix
To disable the ability for an administrator to unlock a screen saver, run the following command: sudo /usr/libexec/PlistBuddy -c "set :rights:system.login.screensaver:rule authenticate-session-owner" /etc/authorization
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01030: Newsyslog must be correctly configured to rotate log files.
To view the settings for log file rotation, run the following command: sudo grep -v "^#" /etc/newsyslog.conf Each entry has the format logfilename [owner:group] mode count size when flags; the count field (the third column, or the fourth when the optional owner:group column is present) is the number of archived files to keep in rotation. If this is not set to the correct value for the organization, this is a finding.
Discussion
Newsyslog needs to be correctly configured to rotate log files.
Fix
Edit the /etc/newsyslog.conf file to configure the correct values.
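The column holding the retention count shifts by one when an entry carries the optional owner:group field, so reading "the third column" mechanically misreports those entries. The shell functions below are an added example, not part of the STIG: they print the logfile and its retention count for every active entry, allowing for the optional field, and list the entries below a minimum that stands in for the organization's value. The newsyslog.conf sample is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not STIG text): read retention counts from a newsyslog.conf-style
# file. Format: logfilename [owner:group] mode count size when flags; the
# owner:group field is optional and is the only field that contains a colon.

# Print "logfile count" for each active entry in file $1.
newsyslog_counts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        { i = ($2 ~ /:/) ? 4 : 3; print $1, $i }  # count is 4th field when owner:group is given
    ' "$1"
}

# Print the logfiles in file $1 whose retention count is below $2.
newsyslog_below() {
    newsyslog_counts "$1" | awk -v min="$2" '$2 + 0 < min + 0 { print $1 }'
}

# Constructed sample (not a real system file); prints its path.
make_sample_newsyslog() {
    d=$(mktemp -d)
    cat > "$d/newsyslog.conf" <<'EOF'
# constructed newsyslog.conf sample
# logfilename            [owner:group]  mode  count  size  when   flags
/var/log/system.log                     640   7      *     @T00   J
/var/log/secure.log      root:wheel     600   10     *     $W0D0  J
/var/log/wifi.log        root:admin     644   2      *     @T00   J

/var/log/install.log                    640   0      *     @T00   J
EOF
    printf '%s\n' "$d/newsyslog.conf"
}
```

With a minimum of 5, the sample yields wifi.log (count 2) and install.log (count 0, which keeps no archives at all) as findings; secure.log is read correctly as 10 despite its owner:group column.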
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00490: The application Messages must be removed.
To check for the existence of Messages, run the following command: ls -ald /Applications/Messages.app If anything is returned, this is a finding.
Discussion
The application Messages must be removed.
Fix
To remove Messages, run the following command: sudo rm -Rf /Applications/Messages.app
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00405: The auditing tool, auditreduce, must be the one provided by Apple, Inc.
Run the following command to ensure the audit tool, auditreduce has the correct signed hash value: sudo codesign -dvvv /usr/sbin/auditreduce 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "3b7644bca759043242925af1e6c1c4f4f7dadbae". If it differs, this is a finding.
Discussion
The auditing tool, auditreduce, should be the one provided by Apple, Inc.
Fix
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00170: The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep aa The authentication events are logged via the "aa" flag. If "aa" is not listed in the result of the check, this is a finding.
Discussion
The auditing system must be configured to audit authentication and authorization events.
Fix
If "aa" is missing, append it to the flags line by running the following command: sudo sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control Run this only when the check fails; the command appends ",aa" unconditionally and would duplicate the flag if repeated.
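The sed fix above appends ",aa" whether or not the flag is already present, so re-running it produces "flags:...,aa,aa". The shell functions below are an added example, not part of the STIG: they parse the flags: line, report which flags of a required set are missing, and append only those, leaving a compliant file untouched. The audit_control file is constructed in a temporary directory and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not STIG text): check and idempotently fix the "flags:" line
# of an audit_control-style file.

# Print the flags currently set in file $1, one per line (nothing if unset).
audit_flags() {
    grep '^flags:' "$1" | head -n 1 | sed 's/^flags://' | tr ',' '\n' | sed '/^$/d'
}

# Print the flags from comma-separated list $2 that file $1 lacks.
# Exit status 0 when nothing is missing, 1 otherwise.
audit_flags_missing() {
    _missing=""
    for _flag in $(printf '%s' "$2" | tr ',' ' '); do
        # -F -x: whole-token literal match, so "fw" is not satisfied by "-fw" or "fwx"
        if ! audit_flags "$1" | grep -qxF -- "$_flag"; then
            _missing="$_missing $_flag"
        fi
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Ensure every flag in list $2 is present in file $1, touching the file only when needed.
audit_flags_add() {
    missing=$(audit_flags_missing "$1" "$2") || true
    if [ -z "$missing" ]; then
        return 0                                       # already compliant: leave the file alone
    fi
    add=$(printf '%s' "$missing" | tr ' ' ',')
    if ! grep -q '^flags:' "$1"; then
        printf 'flags:%s\n' "$add" >> "$1"             # no flags: line at all
    elif [ -z "$(audit_flags "$1")" ]; then
        sed -i.bak "s/^flags:.*/flags:$add/" "$1"      # flags: present but empty
    else
        sed -i.bak "/^flags:/ s/\$/,$add/" "$1"        # append only what is missing
    fi
}

# Constructed sample (not a real system file); prints its path.
make_sample_audit_control() {
    d=$(mktemp -d)
    cat > "$d/audit_control" <<'EOF'
# constructed audit_control sample
dir:/var/audit
flags:lo,ad,fr,fw
minfree:5
naflags:lo,aa
policy:cnt,argv
EOF
    printf '%s\n' "$d/audit_control"
}
```

Anchoring on "^flags:" matters: the sample's naflags line also contains "aa", and a grep over the whole file would report the flag as present. Running audit_flags_add twice with the same list leaves a single, unchanged flags line.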
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01110: All public directories must be owned by root or an application account.
To display all world-writable directories that are not owned by root, run the following command: sudo find / -type d -perm -1002 -not -uid 0 If anything is returned that is not owned by a documented application account, this is a finding.
Discussion
All public directories must be owned by root or an application account.
Fix
To change the ownership of any finding, run the following command: sudo find / -type d -perm -1002 -not -uid 0 -exec chown root {} \;
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01005: All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member.
To list all of the accounts on the system and their defined home directories, run the following command: sudo dscl . -list /users NFSHomeDirectory For all non-system users, validate the ownership of each user's home directory by running the following command: sudo ls -ld [home directory] If the folder is group-owned by a group of which the user is not a member, this is a finding.
Discussion
All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is not a member.
Fix
To change the group-ownership of the home directory and files, run the following command: sudo chgrp -R [group] /Users/username
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01251: Video recording support software must be disabled.
To check if the video recording plugins are installed, run the following commands: sudo ls -l /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo ls -l /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo ls -l /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC If any of the files exist, this is a finding.
Discussion
Video recording support software must be disabled.
Fix
To remove video recording support, run the following commands: sudo rm -rf /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer;sudo rm -rf /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC; sudo rm -rf /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC These commands cannot be undone.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01210: The system must not send IPv4 ICMP redirects by default.
To check if the system is configured to send ICMP redirects, run the following command: sysctl net.inet.ip.redirect | awk '{ print $NF }' If the value is not set to "0", this is a finding.
Discussion
The system must not send IPv4 ICMP redirects by default.
Fix
To disable ICMP redirects, add the following line to /etc/sysctl.conf: net.inet.ip.redirect=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00760: The operating system must take corrective actions, when unauthorized mobile code is identified.
To verify that the user cannot override Gatekeeper settings, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableOverride | awk '{ print $3 }' | sed 's/;//' If the returned value is not "1", this is a finding.
Discussion
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00617: The RevocationFirst option must be set correctly.
To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep RevocationFirst | awk '{ print $3 }' | sed 's/;//' The result should be "OCSP". If nothing is returned or the result is incorrect, this is a finding.
Discussion
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00630: The password-related hint field must not be used.
To check if password hints are turned on, run the following command: system_profiler SPConfigurationProfileDataType | grep RetriesUntilHint | awk '{ print $3 }' | sed 's/;//' If the result is not "0", or the key is not defined, this is a finding.
Discussion
The password-related hint field must not be used.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00040: The operating system must use cryptography to protect the integrity of remote access sessions.
The "telnet" service must be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is not used to protect these sessions, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.
Fix
To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01000: The sudoers file must be configured to require authentication on every use.
To check the timestamp_timeout value, run the following command : sudo grep timestamp_timeout /etc/sudoers If this setting is not defined, or defined for a value other than "0", this is a finding.
Discussion
Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits the use of the sudo command to a single command per authentication.
Fix
Edit /etc/sudoers with visudo, which syntax-checks the file before saving it, and add the line "Defaults timestamp_timeout=0".
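The check above greps the whole file, so a commented-out line ("# Defaults timestamp_timeout=0") and a non-zero value such as "timestamp_timeout=15" both match it. The shell function below is an added example, not part of the STIG: it evaluates Defaults lines the way sudo does (comments ignored, comma-separated option lists split, the last assignment wins) and reports the value in force. The sudoers files it reads are constructed in a temporary directory and the function names are hypothetical; any real change to /etc/sudoers should go through visudo, which the example deliberately does not script.

```sh
#!/bin/sh
# Added example (not STIG text): report the timestamp_timeout that sudo would
# apply from a sudoers-style file. Comments are ignored, "Defaults" option lists
# are split on commas, and a later assignment overrides an earlier one.

# Print the effective timestamp_timeout value in file $1, or "unset".
sudoers_timestamp_timeout() {
    awk '
        /^[ \t]*#/ { next }                                 # commented lines never apply
        $1 ~ /^Defaults/ {
            line = $0
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)   # strip "Defaults", "Defaults:user", ...
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (k = 1; k <= n; k++) {
                if (opts[k] ~ /^timestamp_timeout[ \t]*=/) {
                    v = opts[k]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", v)
                    last = v                                # last one wins, as in sudo
                }
            }
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# Exit 0 when file $1 requires authentication on every sudo use (timeout 0), 1 otherwise.
sudoers_check() {
    [ "$(sudoers_timestamp_timeout "$1")" = "0" ]
}

# Constructed samples (not real system files) in a temporary directory; prints the directory.
make_sample_sudoers() {
    d=$(mktemp -d)
    cat > "$d/noncompliant" <<'EOF'
# Defaults timestamp_timeout=0
Defaults env_reset
Defaults timestamp_timeout=15, passwd_tries=3
%admin ALL=(ALL) ALL
EOF
    cat > "$d/compliant" <<'EOF'
Defaults env_reset, timestamp_timeout=5
Defaults    timestamp_timeout = 0
%admin ALL=(ALL) ALL
EOF
    printf '%s\n' "$d"
}
```

The noncompliant sample would pass the page's plain grep (the commented line matches) yet sudo applies a 15-minute timeout from it; the compliant sample sets 5 and then overrides it with 0, which is what sudo enforces.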
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00142: The NFS lock daemon must be disabled.
To check if the NFS lock daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.lockd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Fix
To disable the NFS lock daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.lockd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00515: The application Mail must be removed.
To check for the existence of Mail, run the following command: ls -ald /Applications/Mail.app If anything is returned, this is a finding.
Discussion
The application Mail must be removed.
Fix
To remove Mail run the following command: sudo rm -Rf /Applications/Mail.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00990: Device files and directories must only be writable by users with a system account or as configured by the vendor.
To list the device files on the system that are world-writable, run the following command: sudo find / -perm -2 -a \( -type b -o -type c \) Also check the permissions of the parent directories of the returned items. If any device file or its parent directory is world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding.
Discussion
Device files and directories must only be writable by users with a system account or as configured by the vendor.
Fix
To remove the writable option for other users, run the following command: sudo chmod o-w [path to device file]
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01190: The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
To check if the system is configured to respond to ICMP echoes sent to broadcast addresses, run the following command: sudo sysctl net.inet.icmp.bmcastecho | awk '{ print $NF }' A value of "1" means the kernel answers broadcast echo requests. If the value is not set to "0", this is a finding.
Discussion
The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.
Fix
To disable ICMP responses to broadcast traffic, add the following line to /etc/sysctl.conf: net.inet.icmp.bmcastecho=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00080: Bluetooth support software must be disabled.
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Discussion
Bluetooth support software must be disabled.
Fix
Removing the kernel extensions for Bluetooth removes the system's ability to load Bluetooth devices. To remove them, run the following commands: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo touch /System/Library/Extensions The touch updates the directory's modification time so the kernel extension cache is rebuilt.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00915: Shared User Accounts must be disabled.
Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account [which provides no individual identification and accountability] is mitigated.
Discussion
Shared User Accounts must be disabled.
Fix
Remove, disable, or document with the IAO all shared accounts.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00475: The application FaceTime must be removed.
To check for the existence of FaceTime, run the following command: ls -ald /Applications/FaceTime.app If anything is returned, this is a finding.
Discussion
The application FaceTime must be removed.
Fix
To remove FaceTime, run the following command: sudo rm -Rf /Applications/FaceTime.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01270: Internet Sharing must be disabled.
To check if Internet sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.InternetSharing:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Internet Sharing must be disabled.
Fix
To disable Internet Sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.InternetSharing" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00143: The NFS stat daemon must be disabled.
To check if the NFS stat daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.statd.notify:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Fix
To disable the NFS stat daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.statd.notify" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00465: The application PhotoBooth must be removed.
To check for the existence of Photo Booth, run the following command: ls -ald /Applications/Photo\ Booth.app If anything is returned, this is a finding.
Discussion
The application Photo Booth must be removed.
Fix
To remove Photo Booth, run the following command: sudo rm -Rf /Applications/Photo\ Booth.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01145: All setuid executables on the system must be vendor-supplied.
To list all of the files with the setuid bit set, run the following command: sudo find / -perm -4000 -exec ls -ldb {} \; The leading "-" in "-perm -4000" matches any file that has the setuid bit regardless of its other permission bits; "-perm 4000" would only match a mode of exactly 4000. If any of the files listed are not documented as needing to have the setuid bit set by the vendor, this is a finding.
Discussion
All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs allowing reading and writing of files, or shell escapes. Only default vendor-supplied executables should have the setuid bit set.
Fix
Document all of the files with the setuid bit set.
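The setuid check above and the public-directory checks on this page (ownership, sticky bit) are all find mode tests, and they are easy to get subtly wrong: "-perm 4000" demands an exact mode, while "-perm -4000" tests for the bit. The shell functions below are an added example, not part of the STIG: they run the same tests against a throwaway directory tree constructed in a temporary location, so the predicates can be verified without walking "/". Function and file names are hypothetical.

```sh
#!/bin/sh
# Added example (not STIG text): the setuid and public-directory finds from this
# page, run against a constructed tree so the mode tests can be verified.

# Build a throwaway tree and print its path. Contents are constructed for the demo.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/pub_sticky" "$d/pub_open" "$d/private"
    chmod 1777 "$d/pub_sticky"      # world-writable with sticky bit: compliant
    chmod 0777 "$d/pub_open"        # world-writable, no sticky bit: finding
    chmod 0755 "$d/private"
    printf '#!/bin/sh\n' > "$d/suid_tool";  chmod 4755 "$d/suid_tool"   # setuid: must be documented
    printf '#!/bin/sh\n' > "$d/plain_tool"; chmod 0755 "$d/plain_tool"
    printf '%s\n' "$d"
}

# Regular files under $1 with the setuid bit set, one name per line, sorted.
# "-perm -4000" tests for the bit; "-perm 4000" would require the mode to be exactly 4000.
list_setuid() {
    find "$1" -type f -perm -4000 -exec basename {} \; | sort
}

# Directories under $1 that are world-writable but lack the sticky bit.
list_open_dirs() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) -exec basename {} \; | sort
}

# Set the sticky bit on every directory list_open_dirs would report (the page's fix).
fix_open_dirs() {
    find "$1" -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} \;
}
```

On the sample tree, list_setuid reports suid_tool (mode 4755) while "-perm 4000" reports nothing, and list_open_dirs reports only pub_open until fix_open_dirs adds the sticky bit.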
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00365: The audit log folder must be owned by root:wheel.
To check the ownership of the audit log files, run the following command: sudo -s ls -dn `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2}'`| awk '{ print $3 ":" $4 }' The results should be "0:0". This command shows the UID and GID of the audit logs directory, with the first "0" being root, and the second "0" being wheel. If there is any other result, this is a finding.
Discussion
If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Fix
If the audit log folder is not owned by root:wheel, run the following command: sudo chown root:wheel /var/audit
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00950: The OS X firewall must have logging enabled.
To check if the OS X firewall has logging enabled, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | grep on If nothing is returned (logging mode is off), this is a finding.
Discussion
Firewall logging must be enabled. This requirement is NA if HBSS is used.
Fix
To enable the firewall logging, run the following command: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00205: The audit log folder must have correct permissions.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.
Discussion
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Fix
For every log file that returns incorrect permissions, run the following command: sudo chmod 440 [audit log file] where [audit log file] is the full path of the log file that needs to be modified.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00395: The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
To check the location of the audit log files, run the following command: sudo ls -ld `sudo grep "^dir" /etc/security/audit_control | sed 's/dir://'` The default location is /var/audit. If this is not defined or defined incorrectly, this is a finding.
Discussion
Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.
Fix
Edit the /etc/security/audit_control file to define the directory for audit logs.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00460: Application Restrictions must be enabled.
To check if there is a configuration policy defined for Application Restrictions, run the following command: sudo profiles -Pv | grep "Application Restrictions" If nothing is returned, this is a finding.
Discussion
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions) and will reduce the attack surface of the operating system. End-users should be restricted to running only approved applications.
Fix
A configuration profile should exist to restrict launching of applications.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00500: The application App Store must be removed.
To check for the existence of App Store, run the following command: ls -ald /Applications/App\ Store.app If anything is returned, this is a finding.
Discussion
The application App Store must be removed.
Fix
To remove App Store, run the following command: sudo rm -Rf /Applications/App\ Store.app
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01150: iTunes Radio must be disabled.
To check if the iTunes radio is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableRadio | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
Discussion
iTunes Radio must be disabled.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01055: iTunes Store must be disabled.
To check if the iTunes store is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableMusicStore | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
Discussion
iTunes Store must be disabled.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00140: Apple File Sharing must be disabled.
To check if file sharing is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AppleFileServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.
Fix
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AppleFileServer" '{ "Disabled" = 1; }'
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01185: The centralized process core dump data directory must be group-owned by admin.
To check the group ownership of the process core dump directory, run the following command: sudo ls -ld /Library/Logs/DiagnosticReports/ If the group is not "admin", this is a finding.
Discussion
The centralized process core dump data directory must be group-owned by admin.
Fix
To change the group ownership to "admin", run the following command: sudo chgrp admin /Library/Logs/DiagnosticReports/
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01325: The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
To check if the password policy resets the failed-login count (and releases any lockout it caused) 15 minutes after the last failed attempt, run the following command: sudo pwpolicy -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset If the result is not "minutesUntilFailedLoginReset=15", this is a finding. This is NA for machines bound to a directory server.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Fix
To set the password policy, run the following command: sudo pwpolicy -setglobalpolicy "minutesUntilFailedLoginReset=15"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00060: The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.
To check if there are any hardware components for Bluetooth loaded in the system, run the following command: sudo kextstat | grep -i bluetooth If there is a result, this is a finding.
Discussion
Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.
Fix
Removing the Bluetooth kernel extensions removes the system's ability to load Bluetooth devices. Use the following commands to remove them: sudo rm -Rf /System/Library/Extensions/IOBluetoothFamily.kext; sudo rm -Rf /System/Library/Extensions/IOBluetoothHIDDriver.kext; sudo reboot
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00375: The audit log folder must not have ACLs.
To check for ACLs on the audit log folder, run the following command: ls -le `grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/"}'` | grep -v current The audit log folder listed should not contain ACLs. ACLs will be listed under any file that has them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If the folder contains this information, this is a finding.
Discussion
The audit log folder should not have ACLs.
Fix
If the log folder has an ACL, run the following command: chmod -N [audit log folder] where [audit log folder] is the full path to the log folder in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01135: Spotlight Panel must be securely configured.
To view the folders that are excluded by Spotlight, run the following command: sudo defaults read /.Spotlight-V100/VolumeConfiguration.plist Exclusions If there are no results, or the results do not meet the organization's requirements, this is a finding.
Discussion
Spotlight Panel must be securely configured.
Fix
To add exclusions to the Spotlight search, open System Preferences->Spotlight and add the folders to the Privacy tab to prevent Spotlight from searching those locations.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01125: The prompt for Apple ID and iCloud must be disabled.
To check if the prompt for Apple ID and iCloud is disabled for new users, run the following command: sudo defaults read /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant If there is no result, or the results do not include "DidSeeCloudSetup = 1 AND LastSeenCloudProductVersion = 10.8", this is a finding.
Discussion
The prompt for Apple ID and iCloud must be disabled.
Fix
To ensure that the prompt for Apple ID and iCloud is disabled, run the following commands: sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE; sudo defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "10.8"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01265: The Operating System must be current and at the latest release level.
To check which software updates are available for the system, run the following command: sudo softwareupdate --list --all Review the results and determine if any updates need to be applied. If there are any required updates that have not been applied, this is a finding.
Discussion
The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.
Fix
To install software updates, run the following command: sudo softwareupdate --install [name of update]
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00955: Bluetooth devices must not be allowed to wake the computer.
To check if this setting is disabled, run the following command as the primary user: defaults -currentHost read com.apple.Bluetooth RemoteWakeEnabled If the return value is "1", this is a finding.
Discussion
Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer.
Fix
This control must be changed manually on the computer: open System Preferences->Bluetooth, click Advanced, and make sure "Allow Bluetooth devices to wake this computer" is not checked.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01100: Fast User Switching must be disabled.
To check if Fast User Switching is enabled, run the following command: system_profiler SPConfigurationProfileDataType | grep MultipleSessionEnabled | awk '{ print $3 }' | sed 's/;//' If the setting is not "0", this is a finding.
Discussion
Fast User Switching must be disabled.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00020: The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
To check if the system has the correct setting in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "askForPassword" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
Discussion
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. Once invoked, the session lock shall remain in place until the user reauthenticates. No other system activity aside from reauthentication can unlock the system.
Fix
To enforce this setting, it must be configured using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01200: The system must ignore IPv4 ICMP redirect messages.
To check if the system is configured to ignore ICMP redirect messages, run the following command: sysctl -a net.inet.icmp.drop_redirect | awk '{ print $NF }' If the value is not "1", this is a finding.
Discussion
The system must ignore IPv4 ICMP redirect messages.
Fix
To configure the system to ignore ICMP redirect messages, add the following line to /etc/sysctl.conf: net.inet.icmp.drop_redirect=1
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00975: Remote Apple Events must be disabled.
To check if Remote Apple Events is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.AEServer:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Remote Apple Events must be disabled.
Fix
To disable Remote Apple Events, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.AEServer" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00480: The application Game Center must be removed.
To check for the existence of Game Center, run the following command: ls -ald /Applications/Game\ Center.app If anything is returned, this is a finding.
Discussion
The application Game Center must be removed.
Fix
To remove Game Center, run the following command: sudo rm -Rf /Applications/Game\ Center.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00985: User home directories must not have extended ACLs.
To check if any user home directory has extended ACLs, run the following command: ls -al /Users Any folder whose permissions field ends in a "+" character is a finding.
Discussion
User home directories must not have extended ACLs.
Fix
To remove ACLs from a folder, run the following command: sudo chmod -R -N /Users/[username] Where [username] is the folder that contains ACLs.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00825: System log files must not contain ACLs.
This command checks for the log files that exist on the system and prints the list of ACLs, if there are any: ls -le `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null ACLs will be listed under any file that has them (e.g., "0: group:admin allow list,readattr,readextattr,readsecurity"). If any file contains this information, this is a finding.
Discussion
System log files should not contain ACLs.
Fix
For any log file that returns an ACL, run the following command: chmod -N [log file] where [log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00120: The operating system must support the requirement to automatically audit on account creation.
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad The account creation events are logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.
Discussion
Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and if required notifies administrators. Such a process greatly reduces the risk of accounts being created outside the normal approval process and provides logging that can be used for forensic purposes. Additionally, the audit records of account creation can be compared to the known approved account creation list.
Fix
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00305: The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity were to be exceeded, then events that subsequently occur will not be recorded.
Fix
To set the value for "minfree" in the "audit_control" configuration file, run the following command: sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control; sudo audit -s
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01060: An Emergency Administrator Account must be created.
To check to see if UIDs below "500" are hidden, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow Hide500Users If the result is not "1", this is a finding.
Discussion
An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. This emergency account should have a UID less than "500", and be hidden from view.
Fix
To hide user accounts below "500", run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00450: Configuration profiles must be applied to the system.
To check if a configuration profile is applied to the workstation, run the following command: sudo profiles -H If there are no profiles installed, this is a finding.
Discussion
Configuration settings are the configurable security-related parameters of the operating system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Rather than visiting each and every system when making configuration changes, organizations will employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.
Fix
Obtain a configuration profile from an MDM or trusted provider containing the configuration settings required to be applied.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00532: Find My Mac messenger must be disabled.
To check if Find My Mac messenger is disabled on the system, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.findmymacmessenger:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Find My Mac messenger must be disabled.
Fix
To disable Find My Mac messenger, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.findmymacmessenger" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00141: The NFS daemon must be disabled.
To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.nfsd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations. NFS should be disabled.
Fix
To disable file sharing, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.nfsd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00855: The Apple Storage Drivers must be removed or disabled.
This command checks for the presence of the Apple Storage Drivers kext file. If it returns any value other than "No such file or directory", this is a finding: ls -ld /System/Library/Extensions/AppleStorageDrivers.kext To check if a configuration profile is configured to not allow external removable media, run the following command: system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }' If the result is not "eject,alert", this is a finding.
Discussion
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media, the operating system must be able to restrict and/or limit the use of removable media.
Fix
To remove the Apple Storage Drivers, run the following command: sudo rm -Rf /System/Library/Extensions/AppleStorageDrivers.kext This should be enforced by a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01260: Secure virtual memory must be used.
To check if the system is using secure virtual memory, run the following command: sudo sysctl vm.swapusage | awk '{ print $NF }' If the result does not show "(encrypted)", this is a finding.
Discussion
Secure virtual memory must be used.
Fix
To ensure that swap is encrypted (secure virtual memory), run the following command: sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -bool FALSE
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00310: The operating system must provide a real-time alert when organization-defined audit failure events occur.
To verify that audit failures or warnings are written to the system log, run the following command: sudo grep logger /etc/security/audit_warn If this does not return: logger -p security.warning "audit warning: $@" this is a finding.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.
Fix
Edit the /etc/security/audit_warn file to include the line: logger -p security.warning "audit warning: $@"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00710: The system must allow only applications downloaded from the App Store to run.
To check that only applications downloaded from the App Store are allowed to run, run the following command: system_profiler SPConfigurationProfileDataType | grep AllowIdentifiedDevelopers | awk '{ print $3 }' | sed 's/;//' If the returned value is not "0", this is a finding.
Discussion
Gatekeeper settings must be configured correctly.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01225: Audio recording support software must be disabled.
Disabling the microphone completely will also remove all audio output from the computer. If audio is not a mission requirement, check for the presence of the following files; the presence of any of them is a finding: ls -l /System/Library/Extensions/AppleUSBAudio.kext /System/Library/Extensions/IOAudioFamily.kext /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext If audio output is required for the mission, the only way to disable the microphone while maintaining kext file signatures is to ensure the input volume is 0. The input volume can be checked by running the following script: osascript -e 'get volume settings' Any value other than "0" for "input volume" is a finding. Microphone hardware can also be physically removed from the device prior to deployment to meet this requirement.
Discussion
Audio recording support software must be disabled.
Fix
To disable all audio input/output on the device, run the following commands: sudo rm -rf /System/Library/Extensions/AppleUSBAudio.kext;sudo rm -rf /System/Library/Extensions/IOAudioFamily.kext;sudo rm -rf /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleMikeyDriver.kext To fix a non-"0" input volume on a machine that requires audio output functionality, run this command on a repeating interval or manually change the input volume to "0": osascript -e 'set volume input volume 0'
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00780: The operating system must protect the confidentiality and integrity of information at rest.
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.
Discussion
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive). The operating system must ensure the data being written to these devices is protected. In most cases, this is done via encryption.
Fix
Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00840: The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.
The system must be configured to use an internal software update server. To check the value of the software update server, run the following command: system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//' If it is not defined, or not set to the correct organization-defined value, this is a finding.
Discussion
The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed.
Fix
This should be configured with a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01240: System Preferences must be securely configured so IPv6 is turned off if not being used.
Run the following command to list all network interfaces and services active on them: networksetup -listallnetworkservices If any enabled network interfaces have IPv6 enabled that do not require the use of IPv6, this is a finding.
Discussion
System Preferences must be securely configured so IPv6 is turned off if not being used.
Fix
Run the following command to turn IPv6 addressing off for the Ethernet interface: networksetup -setv6off Ethernet Repeat the command for each active interface that does not require IPv6; interface names are case sensitive.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00695: The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
The "telnet" service should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems includes the ability to access system configuration details, diagnostic information, user information, as well as installation of software.
Fix
To set the "telnet" service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00340: Audit log files must be owned by root:wheel.
To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 $4 ":" $9 }' The results should read "0:0" in the first column: the first 0 is the UID (root) and the second 0 is the GID (wheel). If not, this is a finding.
Discussion
Audit log files should be owned by root:wheel.
Fix
For any log file that returns an incorrect permission value, run the following command: chown root:wheel [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01195: The system must not accept source-routed IPv4 packets.
To check if the system is configured to accept source-routed packets, run the following command: sysctl net.inet.ip.accept_sourceroute | awk '{ print $NF }' If the value is not "0", this is a finding.
Discussion
The system must not accept source-routed IPv4 packets.
Fix
To configure the system to not accept source-routed packets, add the following line to /etc/sysctl.conf: net.inet.ip.accept_sourceroute=0
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00619: The CRLSufficientPerCert option must be set correctly.
To check to see if CRL checking is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep CRLSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.
Discussion
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00820: System log files must have the correct permissions.
This command checks for the log files that exist on the system and prints each log with its corresponding permissions: stat -f "%A:%N" `grep -v "^#" /etc/newsyslog.conf | awk '{ print $1 }'` 2> /dev/null The correct permissions are "640" or less permissive. Any file with more permissive settings is a finding.
Discussion
System log files should have the correct permissions.
Fix
For any log file that returns an incorrect permission value, run the following command: chmod 640 [log file] where [log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
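The checks for OSX8-00-00825 (ACLs on system log files) and OSX8-00-00820 (log file permissions) both start from the same step: extracting the log paths from /etc/newsyslog.conf and inspecting each file. The following POSIX sh script is an added example, not part of the STIG; it uses only portable tools (ls, cut, awk) rather than the macOS-specific `ls -le` and `stat -f`, so it can be run against a constructed sample on any Unix. ACLs are detected by the trailing "+" in the ls mode string, the same indicator the OSX8-00-00985 check relies on; permissions are compared against the 640 ceiling the STIG requires. The config file path and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not STIG code): audit log files named in a newsyslog.conf
# for extended ACLs and for permissions more permissive than 640.

# Print the log file paths from a newsyslog.conf, skipping comments/blank lines.
log_files() {
    grep -v '^#' "$1" | awk 'NF { print $1 }'
}

# Print the ls(1) mode string, e.g. "-rw-r-----+", for a path.
mode_string() {
    ls -ld "$1" | awk '{ print $1 }'
}

# Return 0 if the mode string carries the "+" extended-ACL marker.
has_acl() {
    case "$(mode_string "$1")" in
        ??????????+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file is more permissive than 640, i.e. the group has
# write or execute, or "other" has any access bit set.
more_permissive_than_640() {
    m=$(mode_string "$1")
    grp=$(printf '%s' "$m" | cut -c5-7)
    oth=$(printf '%s' "$m" | cut -c8-10)
    case "$grp" in *w*|*x*|*s*) return 0 ;; esac
    case "$oth" in *[rwxt]*) return 0 ;; esac
    return 1
}

# Walk the config, report each finding on stderr, print the finding count.
# Missing files (newsyslog.conf often names logs that do not exist yet)
# are skipped, mirroring the "2> /dev/null" in the STIG check.
count_log_findings() {
    findings=0
    for f in $(log_files "$1"); do
        [ -e "$f" ] || continue
        if has_acl "$f"; then
            echo "OSX8-00-00825: $f has an extended ACL (finding)" >&2
            findings=$((findings + 1))
        fi
        if more_permissive_than_640 "$f"; then
            echo "OSX8-00-00820: $f is $(mode_string "$f"), more permissive than 640 (finding)" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Build a constructed sample: two log files plus a newsyslog.conf that names
# them (and a non-existent log, which must be skipped). Prints the conf path.
make_log_sample() {
    d=$1
    : > "$d/system.log";  chmod 640 "$d/system.log"   # compliant
    : > "$d/install.log"; chmod 644 "$d/install.log"  # world-readable: finding
    cat > "$d/newsyslog.conf" <<EOF
# logfilename          [owner:group]    mode count size     when  flags
$d/system.log                           640  7     *        @T00  J
$d/install.log                          640  7     *        @T00  J
$d/missing.log                          640  7     *        @T00  J
EOF
    echo "$d/newsyslog.conf"
}

# Usage: sh check_logs.sh /etc/newsyslog.conf
if [ -n "${1:-}" ]; then
    count_log_findings "$1"
fi
```

The script prints one line per finding and returns the count on stdout, so it can be wired into a compliance scan; fixing a flagged file is still the STIG's own `chmod 640` / `chmod -N`.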
OSX8-00-00195: The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
The policy banner will show if a PolicyBanner.rtf or PolicyBanner.rtfd exists in the /Library/Security folder. Run this command to show the contents of that folder. ls -l /Library/Security | grep PolicyBanner If neither PolicyBanner.rtf nor PolicyBanner.rtfd exists, this is a finding. The text of the document should read "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG -authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Discussion
Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.
Fix
Create a RTF formatted file containing the desired text. Name the file PolicyBanner.rtf or PolicyBanner.rtfd and place it in /Library/Security
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00430: The Security assessment policy subsystem must be enabled.
To check the status of the Security assessment policy subsystem, run the following command: sudo spctl --status | grep enabled If nothing is returned, this is a finding.
Discussion
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical software must be signed with a certificate that is recognized and approved by the organization.
Fix
To enable the Security assessment policy subsystem, run the following command: sudo spctl --master-enable
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-01155: iTunes Podcasts must be disabled.
To check if the iTunes podcasts are disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disablePodcasts | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
Discussion
iTunes Podcasts must be disabled.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00605: The telnet service must be disabled.
The "telnet" service should be disabled. To check the status of the service, run the following command: sudo /usr/libexec/PlistBuddy -c "print com.apple.telnetd:Disabled" /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't "true" or doesn't exist, this is a finding.
Discussion
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.
Fix
To set the telnet service to disabled, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist "com.apple.telnetd" -dict Disabled -bool true
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00240: The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.
The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' If the flags option is not set, this is a finding.
Discussion
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). Audit records contain, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Fix
To set the audit flags to the recommended setting, run the following command: sed -i.bak 's/^flags.*$/flags:lo,ad,fr,fw,fc,fd,fm,pc,nt,aa/' /etc/security/audit_control You may also edit the /etc/security/audit_control file using a text editor to define the flags your organization requires for auditing.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
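Three of the entries above inspect /etc/security/audit_control: OSX8-00-00240 (a flags line must be set), OSX8-00-00120 (the "ad" flag must be among them) and OSX8-00-00305 (minfree must be set). The following POSIX sh script is an added example, not part of the STIG, that performs those three checks on a file passed as a parameter and applies the fixes idempotently. The STIG's own "ad" fix, `sed -i.bak '/^flags/ s/$/,ad/'`, appends ",ad" every time it runs, so running it twice yields "flags:lo,ad,ad"; the `ensure_flag` function below only appends when the flag is absent. The sample audit_control content is constructed, and the 10% minfree value is the one from the OSX8-00-00305 fix.

```shell
#!/bin/sh
# Added example (not STIG code): check and fix audit_control flags/minfree
# on a file given as $1, so it can be exercised on a constructed sample
# before being pointed at /etc/security/audit_control (which needs root).

# Print the value of the first "flags:" line, ignoring comment lines.
audit_flags() {
    grep -v '^#' "$1" | grep '^flags:' | head -n 1 | sed 's/^flags://'
}

# Print the value of the first "minfree:" line, ignoring comment lines.
audit_minfree() {
    grep -v '^#' "$1" | grep '^minfree:' | head -n 1 | sed 's/^minfree://'
}

# Return 0 if the given flag (e.g. "ad") is one of the comma-separated items.
has_flag() {
    audit_flags "$1" | tr ',' '\n' | grep -qx "$2"
}

# Append a flag only when it is missing; create the flags line if absent.
ensure_flag() {
    file=$1 flag=$2
    if has_flag "$file" "$flag"; then
        return 0
    fi
    if grep -q '^flags:' "$file"; then
        if [ -z "$(audit_flags "$file")" ]; then
            sed -i.bak "s/^flags:.*/flags:$flag/" "$file"      # empty flags line
        else
            sed -i.bak "/^flags:/ s/\$/,$flag/" "$file"         # append to list
        fi
    else
        printf 'flags:%s\n' "$flag" >> "$file"
    fi
}

# Set minfree to the organization-defined percentage (the STIG fix uses 10).
ensure_minfree() {
    if grep -q '^minfree:' "$1"; then
        sed -i.bak "s/^minfree:.*/minfree:$2/" "$1"
    else
        printf 'minfree:%s\n' "$2" >> "$1"
    fi
}

# Evaluate the three checks; findings go to stderr, the count to stdout.
report_findings() {
    findings=0
    if [ -z "$(audit_flags "$1")" ]; then
        echo "OSX8-00-00240: flags option not set (finding)" >&2
        findings=$((findings + 1))
    fi
    if ! has_flag "$1" ad; then
        echo "OSX8-00-00120: 'ad' flag missing (finding)" >&2
        findings=$((findings + 1))
    fi
    if [ -z "$(audit_minfree "$1")" ]; then
        echo "OSX8-00-00305: minfree not set (finding)" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample resembling a default audit_control (not a real file).
make_sample() {
    cat > "$1" <<'EOF'
#
# constructed sample audit_control for testing
#
dir:/var/audit
flags:lo
minfree:5
naflags:lo
policy:cnt
filesz:2M
EOF
}

# Usage: sh audit_control_check.sh /etc/security/audit_control
if [ -n "${1:-}" ]; then
    report_findings "$1"
fi
```

Run with a path to report only; call `ensure_flag FILE ad` and `ensure_minfree FILE 10` to remediate. The functions leave a `.bak` copy beside the file, as the STIG's sed invocations do, and `sudo audit -s` is still needed afterwards on a live system to reload the daemon.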
OSX8-00-00510: The application Contacts must be removed.
To check for the existence of Contacts, run the following command: ls -ald /Applications/Contacts.app If anything is returned, this is a finding.
Discussion
The application Contacts must be removed.
Fix
To remove Contacts run the following command: sudo rm -Rf /Applications/Contacts.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01025: Local logging must be enabled.
To check if the newsyslog daemon is disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.newsyslog Disabled If the result shows a "1", this is a finding.
Discussion
Local logging must be enabled.
Fix
To ensure that the newsyslog daemon is not disabled, run the following command: sudo defaults write /System/Library/LaunchDaemons/com.apple.newsyslog Disabled -bool FALSE
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00616: The OCSPSufficientPerCert option must be set correctly.
To check whether OCSPSufficientPerCert is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPSufficientPerCert | awk '{ print $3 }' | sed 's/;//' The result should be "1". If nothing is returned or the result is incorrect, this is a finding.
Discussion
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01015: The default global umask setting must be changed for user applications.
To view the umask setting, run the following command: awk '{ print $2 }' /etc/launchd-user.conf If the command produces an error, or the result is not "027", this is a finding.
Discussion
The default global umask setting must be changed for user applications.
Fix
To set the umask setting for user applications, run the following command: sudo sh -c "echo 'umask 027' > /etc/launchd-user.conf"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00070: Wi-Fi support software must be disabled.
To check if the Wi-Fi software components are present on the system, run the following command: sudo ls -d /System/Library/Extensions/IO80211Family.kext If there is a result showing the file is present, this is a finding.
Discussion
Wi-Fi support software must be disabled.
Fix
To remove the software component for Wi-Fi support, run the following command: sudo rm -rf /System/Library/Extensions/IO80211Family.kext
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00210: The audit log folder must be owned by root:wheel.
To check the ownership of the audit log files, run the following command: sudo -s ls -n `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | awk '{ print $3 ":" $4 ":" $9 }' The results should read "0:0" in the first two columns: the first "0" is the UID (root) and the second is the GID (wheel). If not, this is a finding.
Discussion
Non-repudiation of actions taken is required in order to maintain integrity. To do this, we will prevent users from modifying the audit logs. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.
Fix
For every log file that is not owned by root, run the following command: sudo chown root:wheel [audit log file] where [audit log file] is the full path of the log file that needs to be modified.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00940: The input menu must not be shown in the login window.
To check if the input menu is available at the login window, run the following command: sudo defaults read /Library/Preferences/com.apple.loginwindow showInputMenu If the setting is not "0", this is a finding.
Discussion
The input menu must not be shown in the login window.
Fix
To disable the input menu at the login window, run the following command: sudo defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool FALSE
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01245: Stealth Mode must be enabled on the firewall.
To check if the OS X application firewall (not pf) is running in stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | awk '{ print $NF }' If the result is "Disabled", this is a finding.
Discussion
Stealth Mode must be enabled on the firewall.
Fix
To enable the firewall stealth mode, run the following command: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00055: The operating system must enforce requirements for remote connections to the information system.
Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.
Discussion
The organization will define the requirements for remote connections. To ensure the connection provides adequate integrity and confidentiality, the operating system must enforce these requirements.
Fix
Install an approved HBSS or firewall solution onto the system.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01140: iTunes Music Sharing must be disabled.
To check if the iTunes music sharing is disabled, run the following command: system_profiler SPConfigurationProfileDataType | grep disableSharedMusic | awk '{ print $3 }' | sed 's/;//' If the value returned is not "1", this is a finding.
Discussion
iTunes Music Sharing must be disabled.
Fix
This can be enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00335: Audit Log files must have the correct permissions.
To check the permissions of the audit log files, run the following command: sudo -s stat -f "%A:%N" `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current The results should show the permissions (first column) to be "440" or less permissive. If not, this is a finding.
Discussion
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult if not impossible to achieve. Audit log files should have the correct permissions. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files have the proper file system permissions, utilizing file system protections, and limiting log data location. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Fix
For any log file that returns an incorrect permission value, run the following command: chmod 440 [audit log file] where [audit log file] is the full path to the log file in question.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00481: The application Game Center must be disabled.
To check if a configuration profile is configured to disable Game Center, run the following command: system_profiler SPConfigurationProfileDataType | grep GKFeatureGameCenterAllowed | awk '{ print $3 }' | sed 's/;//' If the result is not "0", this is a finding. This requirement is N/A if requirement OSX8-00-00480 is met.
Discussion
The application Game Center must be disabled.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00700: The operating system must employ cryptographic mechanisms to protect information in storage.
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is "OFF", this is a finding.
Discussion
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.
Fix
Open System Preferences->Security and Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00920: A password must be required to unlock each System Preference Pane.
To check the status of the System Preference Pane authorization requirements, run the following command: sudo security authorizationdb read system.preferences | grep -A1 shared If the results display "true", this is a finding.
Discussion
A password must be required to access locked System Preferences.
Fix
To set the system to require a password to unlock every System Preference Pane, open System Preferences->Security & Privacy->Advanced, and make sure the box is checked to "Require an administrator password to access locked preferences".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00390: The operating system must protect audit tools from unauthorized deletion.
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are deleted, it would affect the administrator's ability to access and review log data.
Fix
To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00520: The system preference panel iCloud must be removed.
To check for the existence of the iCloud preference panel, run the following command: ls -ald /System/Library/PreferencePanes/iCloudPref.prefPane If anything is returned, this is a finding.
Discussion
The system preference panel iCloud must be removed.
Fix
To remove the iCloud preference pane, run the following command: sudo rm -Rf /System/Library/PreferencePanes/iCloudPref.prefPane
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00795: A host-based firewall must be installed.
Ask the SA or IAO if an approved firewall is loaded on the system. The recommended system is the McAfee HBSS. If there is no local firewall installed on the system, this is a finding.
Discussion
Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation on the public internet.
Fix
Install an approved HBSS or firewall solution onto the system.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00930: The login window must be configured to prompt for username and password, rather than show a list of users.
To check if the login window is configured to prompt for user name and password, run the following command: system_profiler SPConfigurationProfileDataType | grep SHOWFULLNAME | awk '{ print $3 }' | sed 's/;//' If this setting is not defined, or not set to "1", this is a finding.
Discussion
The login window must be configured to prompt for username and password, rather than show a list of users.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01065: The root account must be the only account having a UID of 0.
To list all of the accounts with a UID of "0", run this command: sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l If the result is not "1", this is a finding.
Discussion
The root account must be the only account having a UID of "0".
Fix
Investigate as to why any additional accounts were set up with a UID of "0".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00530: Sending diagnostic and usage data to Apple must be disabled.
The setting is found in System Preferences->Security & Privacy->Diagnostics & Usage. If the box that says "Send diagnostic & usage data to Apple" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep AutoSubmit | awk '{ print $3 }' | sed 's/;//' The command prints only the value of AutoSubmit; if the result is not "0", this is a finding.
Discussion
Sending diagnostic and usage data to Apple must be disabled.
Fix
The setting is found in System Preferences->Security & Privacy->Diagnostics & Usage. Uncheck the box that says "Send diagnostic & usage data to Apple". This setting can be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00535: Location Services must be disabled.
The setting is found in System Preferences->Security & Privacy->Location Services. If the box that says "Enable Location Services" is checked, this is a finding. To check if a configuration profile is configured to enforce this setting, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableLocationServices | awk '{ print $3 }' | sed 's/;//' If the result is not "1" this is a finding.
Discussion
Location Services must be disabled.
Fix
The setting is found in System Preferences->Security & Privacy->Location Services. Uncheck the box that says "Enable Location Services". This setting can be enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00130: The operating system must automatically audit account disabling actions.
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep ad Account disabling actions are administrative events, logged by way of the "ad" flag. If "ad" is not listed in the result of the check, this is a finding.
Discussion
When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events affecting user accessibility and operating system processing, the operating system must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.
Fix
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01180: The centralized process core dump data directory must have mode 0750 or less permissive.
To check the permissions of the process core dump directory, run the following command: sudo stat -f %A /Library/Logs/DiagnosticReports/ If the permissions are not "0750" (stat prints the mode as "750", without the leading zero), this is a finding.
Discussion
The centralized process core dump data directory must have mode "0750" or less permissive.
Fix
To change the permissions of the directory, run the following command: sudo chmod 0750 /Library/Logs/DiagnosticReports/
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00495: The application Image Capture must be removed.
To check for the existence of Image Capture, run the following command: ls -ald /Applications/Image\ Capture.app If anything is returned, this is a finding.
Discussion
The application Image Capture must be removed.
Fix
To remove Image Capture, run the following command: sudo rm -Rf /Applications/Image\ Capture.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01355: The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
This check displays the settings for the audit control system. To view the setting, run the following command: sudo grep policy /etc/security/audit_control | grep ahlt If there is no result, this is a finding.
Discussion
It is critical that, when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. In order for the audit control system to shut down when an audit processing failure occurs, the setting "ahlt" must be configured. The default setting is "cnt", which allows the system to continue running in the event of an audit processing failure.
Fix
Edit the /etc/security/audit_control file, and change the value for policy to include the setting "ahlt".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00995: The sudoers file must be configured to authenticate users on a per-tty basis.
To check if the tty_tickets option is set for sudo, run the following command: sudo grep tty_tickets /etc/sudoers If there is no result, this is a finding.
Discussion
Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits authorization to the terminal in which authentication occurred.
Fix
Edit the /etc/sudoers file to contain the line "Defaults tty_tickets"
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00200: The operating system, upon successful logon, must display to the user the date and time of the last logon (access).
To see if SSH is configured to display the last login information, run the following command: grep ^PrintLastLog /etc/sshd_config | awk '{ print $2 }' If there is no result returned, or the result is "no", this is a finding.
Discussion
Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
Fix
To set the SSH server to print the last login information, run the following command: sudo sed -i.bak 's/.*PrintLastLog.*/PrintLastLog yes/' /etc/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00410: The auditing tool, audit, must be the one provided by Apple, Inc.
Run the following command to ensure the audit tool, audit has the correct signed hash value: sudo codesign -dvvv /usr/sbin/audit 2>&1 | grep CDHash | sed 's/CDHash=//' The result should be "e23e7f63cdef9c1844390a3c8f32122b671b68d3". If it differs, this is a finding.
Discussion
The auditing tool, audit, should be the one provided by Apple, Inc.
Fix
If the check fails, you will need to obtain the correct files from the original 10.8 installation media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-02050: Airdrop must be disabled.
To check if AirDrop has been disabled, run the following command: sudo system_profiler SPConfigurationProfileDataType | grep DisableAirDrop | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding. (Note that awk's print statement is lowercase; a capitalized "Print" is silently treated as an empty variable and produces no output.)
Discussion
Airdrop must be disabled.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01230: The root account must be disabled for interactive use.
To check if the root user has been enabled, run the following command: sudo dscl . -read /Users/root AuthenticationAuthority If the result does not return "No such key: AuthenticationAuthority", this is a finding.
Discussion
The root account must be disabled for interactive use.
Fix
To disable the root user account, run the following command: sudo dsenableroot -d
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00090: Automatic actions must be disabled for blank DVDs.
To check if the system has the correct setting for blank DVDs in the configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.digihub.blank.dvd.appeared" | grep "action" | awk '{ print $3 }' | sed 's/;//' The check should return a value of "1". If this is not defined or not set to "1", this is a finding.
Discussion
Automatic actions must be disabled for blank DVDs.
Fix
This setting must be configured using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00385: The operating system must protect audit tools from unauthorized modification.
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command: sudo pkgutil --verify com.apple.pkg.Essentials Any inconsistencies from the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative that audit tools be controlled and protected from unauthorized modification.
Fix
To repair permissions on files that are inconsistent with the original install state, run the following command: sudo pkgutil --repair com.apple.pkg.Essentials If ACLs are found on any of the files, run the command: sudo chmod -N [full path to file]
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00330: The network time server must be an authorized DoD time source.
To display the server used to synchronize time with, run the following command: systemsetup -getnetworktimeserver If the listed server is not the organizationally-defined, authorized DoD time source, this is a finding.
Discussion
The system must be configured to set the time automatically from a network time server. The network time server must be an authorized DoD time source.
Fix
To define the server to use for time synchronization, run the following command: sudo systemsetup -setnetworktimeserver <IP or FQDN> where <IP or FQDN> is the IP address or fully qualified domain name of the time server to use.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01050: Active Directory Access must be securely configured to encrypt all packets.
To view the configuration for Active Directory, run the following command: sudo dsconfigad -show If the Packet encryption option is not set to "Required", this is a finding. If the system is not using the built-in Active Directory plug-ins, this requirement is NA.
Discussion
Active Directory Access must be securely configured to encrypt all packets.
Fix
To set the Active Directory configuration to require encryption of packets, run the following command: sudo dsconfigad -packetencrypt require
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00505: The application Calendar must be removed.
To check for the existence of the Calendar application, run the following command: ls -ald /Applications/Calendar.app If anything is returned, this is a finding.
Discussion
The application Calendar must be removed.
Fix
To remove Calendar, run the following command: sudo rm -Rf /Applications/Calendar.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01275: Web Sharing must be disabled.
To check if Web Sharing is enabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled If the result is not "1", this is a finding.
Discussion
Web Sharing must be disabled.
Fix
To disable Web Sharing, run the following command: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd.plist Disabled -bool TRUE
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00045: The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep nt Network events are logged by way of the "nt" flag. If "nt" is not listed in the result of the check, this is a finding.
Discussion
Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any operating system providing remote access must support organizational requirements to audit access or organization-defined security functions and security-relevant information.
Fix
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,nt/' /etc/security/audit_control
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00715: The SSH daemon ClientAliveInterval option must be set correctly.
To check the idle timeout setting for SSH sessions, run the following command: grep ClientAliveInterval /etc/sshd_config If this setting is not "600", or is commented out, this is a finding.
Discussion
This requirement applies to both internal and external networks. Terminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.
Fix
To make sure that ClientAliveInterval is set correctly, run the following command: sudo sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/sshd_config
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00075: Infrared [IR] support must be removed.
To check if the software support for IR is installed, run the following command: sudo ls -d /System/Library/Extensions/AppleIRController.kext If the result shows the file is present, this is a finding.
Discussion
Infrared [IR] support must be removed.
Fix
To remove support for IR, run the following command: sudo rm -rf /System/Library/Extensions/AppleIRController.kext
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00925: Automatic login must be disabled.
To check if the system is configured to automatically log in, run the following command: system_profiler SPConfigurationProfileDataType | grep DisableAutoLoginClient | awk '{ print $3 }' | sed 's/;//' If the result is not "1", this is a finding.
Discussion
Automatic login must be disabled.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01035: Administrator accounts must be created with difficult-to-guess names.
To list all of the administrator accounts on the system, run the following command: sudo dscl . -read /Groups/admin GroupMembership If any of the resulting accounts have easy-to-guess names, this is a finding. An example of an easy-to-guess name is one containing "admin" or "administrator".
Discussion
Administrator accounts must be created with difficult-to-guess names.
Fix
Rename any accounts on the system that have easy-to-guess names.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00035: The rexec service must be disabled.
The "rexec" service should be disabled. To check the status of the service, run the following command: sudo defaults read /System/Library/LaunchDaemons/exec Disabled If the result is not "1", this is a finding.
Discussion
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections.
Fix
To set the "rexec" service to disabled, run the following command (the Disabled key is a boolean, so write it with -bool as the other launchd fixes in this STIG do): sudo defaults write /System/Library/LaunchDaemons/exec Disabled -bool TRUE
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
OSX8-00-00755: The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
To make sure the Xprotect Update service is running, run the following command: sudo launchctl list | grep com.apple.xprotectupdater If there is no result, this is a finding.
Discussion
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Xprotect Update needs to be running.
Fix
The Xprotect mechanism is installed and running by default. Make sure the launch daemon is correctly configured in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist. If this file doesn't exist, you may need to obtain it from the original install media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01085: Automatic logout due to inactivity must be disabled.
To check if the system is configured to automatically log out after a period of time, run the following command: system_profiler SPConfigurationProfileDataType | grep "com.apple.autologout.AutoLogOutDelay" | awk '{ print $3 }' | sed 's/;//' If the result is not defined (nothing returned) or not "0", this is a finding.
Discussion
Automatic logout due to inactivity must be disabled.
Fix
This setting should be configured with a configuration profile.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-01090: The system must not be allowed to restart after a power failure.
To check if the system is configured to restart automatically after a power loss, run the following command: system_profiler SPConfigurationProfileDataType | grep "Automatic Restart On Power Loss" | awk '{ print $7 }' | sed 's/;//' If the result is not "0", this is a finding.
Discussion
The system must not be allowed to restart after a power failure.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00615: The OCSPStyle option must be set correctly.
To check to see if OCSP is set with a configuration profile, run the following command: system_profiler SPConfigurationProfileDataType | grep OCSPStyle | awk '{ print $3 }' | sed 's/;//' The result should be "BestAttempt". If nothing is returned or the result is incorrect, this is a finding.
Discussion
A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Fix
This is enforced using a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00600: There must be no .netrc files on the system.
To see if there are any ".netrc" files on the system, run the following command: sudo find / -name .netrc If there is anything found, this is a finding.
Discussion
Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. There must be no ".netrc" files on the system.
Fix
To remove any ".netrc" files, run the following command: find / -name .netrc -exec rm {} \;
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00545: Bonjour multicast advertising must be disabled on the system.
To check if multicast advertisements have been disabled, run the following command: sudo defaults read /System/Library/LaunchDaemons/com.apple.mDNSResponder | grep NoMulticastAdvertisements If nothing is returned, this is a finding.
Discussion
Bonjour multicast advertising must be disabled on the system.
Fix
To configure Bonjour to disable multicast advertising, run the following command: sudo /usr/libexec/PlistBuddy -c "Add :ProgramArguments:2 string '-NoMulticastAdvertisements'" /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00485: The application iTunes must be removed.
To check for the existence of iTunes run the following command: ls -ald /Applications/iTunes.app If anything is returned, this is a finding.
Discussion
The application iTunes must be removed.
Fix
To remove iTunes, run the following command: sudo rm -Rf /Applications/iTunes.app
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
OSX8-00-00030: The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
To check to make sure the audit daemon is configured to log all login events, both local and remote, run the following command: sudo grep ^flags /etc/security/audit_control | sed 's/flags://' | tr "," "\n" | grep lo The flag "lo" should be included in the list of flags set. If it is not, this is a finding.
Discussion
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.
Fix
To edit the configuration of the audit daemon flags, open the /etc/security/audit_control file and make sure "lo" is listed in the "flags:" parameter. To programmatically do this, run the following command: sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; sudo audit -s
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00980: All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed.
To check the permissions and ownership of the system files, run the following command: sudo diskutil verifyPermissions / Any results indicating User/Group/Permissions differ is a finding.
Discussion
All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed.
Fix
To correct ownership and permissions of files found in the check, run the following command: sudo diskutil repairPermissions /
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-01465: The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
Ask the SA or IAO if an approved anti-virus solution is loaded on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no local anti-virus solution installed on the system, this is a finding.
Discussion
Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.
Fix
Install an approved anti-virus solution onto the system.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
OSX8-00-00835: The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency determines the state of information system components with regard to flaw remediation.
The system must be defined to use an internal software update server. To check the value of the software update server, run the following command: system_profiler SPConfigurationProfileDataType | grep "CatalogURL" | awk '{ print $3 }' | sed 's/;//' If it is not defined or set to the correct organization-defined value, this is a finding.
Discussion
Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This role is usually assigned to patch management software deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions and the related flaws that require patching. From an operating system requirement perspective, the operating system must perform this or there must be an application installed performing this function.
Fix
This should be configured with a configuration profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None