Download
| Alert*
oval:org.secpod.oval:def:67457
Apple Mac OS X 10.15 (Catalina) is installed oval:org.secpod.oval:def:67469 Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal. Enabling this feature can minimize the risk of a key logger identifying the keys entered into the Terminal oval:org.secpod.oval:def:67493 Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to chang ... oval:org.secpod.oval:def:67497 The owner of the audit logs must be root or as appropriate. oval:org.secpod.oval:def:67510 The Application Firewall is the built in firewall that comes with Mac OS X and must be enabled. Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. oval:org.secpod.oval:def:67515 The owner of bash 'init' files must be root. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. Use chown root /etc/bashrc /etc/profile to to change the owner as appropriate ... oval:org.secpod.oval:def:67489 When automatic logins are enabled, the default user account is automatically logged in at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer in order to log in. Disabling automatic logins mitigates this risk. oval:org.secpod.oval:def:67532 To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating system ... oval:org.secpod.oval:def:67499 The permissions of the audit configuration files must be 0555 or less. In /etc/security, audit_class, audit_control, audit_event, audit_warn, and audit_user permissions set via chmod. oval:org.secpod.oval:def:67494 Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end re ... oval:org.secpod.oval:def:67474 When Printer Sharing is enabled, the computer is established as a print server to accept print jobs from other computers. Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system. Using dedicated print servers or direct IP printing ... oval:org.secpod.oval:def:67504 ICMP redirects are broadcast in order to reshape network traffic. A malicious user could use the system to send fake redirect packets and try to force all network traffic to pass through a network sniffer. Disabling ICMP redirect broadcasts mitigates this risk. oval:org.secpod.oval:def:67506 The audit service must be configured to require that records are kept for 7 days or longer before deletion when there is no central audit record storage facility. When expire-after is set to 7d, the audit service will not delete audit logs until the log data is at least 7 days old. oval:org.secpod.oval:def:67471 Screen sharing is a feature that lets computers on the same network connect to one another and to display the same screen. While sharing screens, the user can control the actions on that computer. The benchmark states that disabling screen sharing mitigates the risk of remote connections being made ... oval:org.secpod.oval:def:67522 The default global umask setting must be set to '027' for user applications. The setting '027' ensures that user created files and directories will be readable, but not writable, by users that share the same group id. Users with a different group id will not be able to read or write those files. Thi ... oval:org.secpod.oval:def:67491 By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation. Enforcement a ... oval:org.secpod.oval:def:67485 Controls when, and if, a password hint is given the user, based on the number of failed login attempts. In loginwindow.plist, set the RetriesUntilHint key = X to show a hint after X login failures, or set the key = 0 to disable hints. oval:org.secpod.oval:def:67463 A filename extension is a suffix added to a base filename that indicates the base filenames file format. Visible filename extensions allow for the user to identify file types and the applications that files are associated with. It would help in identifying malicious files oval:org.secpod.oval:def:67533 Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. If you are NOT using IPv6 disable it. oval:org.secpod.oval:def:67531 The group of bash 'init' files must be wheel. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. Use the command chgrp wheel /etc/bashrc /etc/profile to change group owner a ... oval:org.secpod.oval:def:67458 The root account should be disabled on all macOS systems, and a separate administrator 2252 account should be established for each person who will be performing regular administrative tasks. oval:org.secpod.oval:def:67518 Firewall logging must be enabled. This ensures that malicious network activity will be logged to the system. This requirement is NA if HBSS is used. oval:org.secpod.oval:def:67470 Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. oval:org.secpod.oval:def:67523 The default global umask setting must be set to '027' for user applications. The setting '027' ensures that user created files and directories will be readable, but not writable, by users that share the same group id. Users with a different group id will not be able to read or write those files. Thi ... oval:org.secpod.oval:def:67526 Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators should only run commands as root after first authenticating with their individual user names and p ... oval:org.secpod.oval:def:67468 By automatically installing app store updates in the background, the user safeguarded from potential vulnerabilities in the previous version of the App Store. oval:org.secpod.oval:def:67465 Automatically checking for updates makes it easier for the user to know when updates are available. It is important that a system has the newest updates applied to prevent unauthorized persons from exploiting identified vulnerabilities. oval:org.secpod.oval:def:67484 Specifies the maximum time the login window can be inactive before the screen saver starts. This is distinct from a user session's idle time. Setting to 900 seconds (15 minutes) instead of the OEM value of unlimited. In loginwindow.plist, set the loginWindowIdleTime key = 900. If the key does not ... oval:org.secpod.oval:def:67508 The operating system must enforce a minimum 15-character password length. The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one fact ... oval:org.secpod.oval:def:67503 The owner of the /etc/syslog.conf file must be root. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies ... oval:org.secpod.oval:def:67464 Bonjour is an auto-discovery mechanism for TCP/IP devices that enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled. oval:org.secpod.oval:def:67517 The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include: software/hardware errors; failures in the audit capturing m ... oval:org.secpod.oval:def:67498 The sudo command must be configured to prompt for the administrator user's password at least once in each newly opened Terminal window or remote login session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned login session to bypass the normal password ... oval:org.secpod.oval:def:67486 Controls whether inactivity logs out a user and, if so, how many minutes are required to trigger logout. In .GlobalPreferences.plist, delete the AutoLogoutDelay key to disable inactivity logout. oval:org.secpod.oval:def:67473 Apples File Sharing feature uses a combination of SMB (Windows sharing) and AFP (Mac sharing). According to the benchmark (macOS), by disabling file sharing, the risk of unauthorized access to files stored on the system can be reduced. oval:org.secpod.oval:def:67482 Controls whether a user can use the OSX GUI to start or switch to a login session running as another user concurrently. In .GlobalPreferences.plist, set the MultipleSessionEnabled key to false to disable fast user switching. oval:org.secpod.oval:def:67524 When operating system accounts are removed, user accessibility is affected. The system must audit account removal actions so that administrator users can detect and respond to such events. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for ... oval:org.secpod.oval:def:67509 The kernel extension for Wi-Fi network devices such as Airport must be removed to ensure that users will not be able to reactivate wireless networking at a later time. System updates will sometimes replace deleted kernel extensions. Administrator users may need to periodically check to ensure that t ... oval:org.secpod.oval:def:67514 The owner of the /etc/services file must be root. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, aliases. oval:org.secpod.oval:def:67520 The permissions of csh init files must be 644 or as appropriate. Use the command chmod 644 /etc/csh.cshrc /etc/csh.login /etc/csh.logout to set permissions of csh init files or as appropriate. oval:org.secpod.oval:def:67490 Bluetooth Sharing must be disabled. Bluetooth sharing allows users to wirelessly transmit files between Mac OS X and Bluetooth-enabled devices, including personally owned cell phones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files. Disablin ... oval:org.secpod.oval:def:67467 This setting allows macOS updates to be installed automatically once they are available from Apple. Because patches need to be applied as soon as possible, allowing for automatic updates ensures that the users device is updated in a timely manner rather than be left vulnerable to additional security ... oval:org.secpod.oval:def:67525 If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repa ... oval:org.secpod.oval:def:67495 The permissions of bash 'init' files must be 444 or as appropriate. /etc/profile it is used to set system wide environmental variables on users shells. /etc/bashrc file is meant for setting command aliases and functions used by bash shell users. oval:org.secpod.oval:def:67462 The sudo command lets the user run programs as the root user, granting them high levels of configurability within the system. The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leave ... oval:org.secpod.oval:def:67483 The setting controls whether local user accounts are visible in the login window. In loginwindow.plist, set the SHOWFULLNAME key = true to hide local user accounts. If the key does not exist, user accounts are displayed. oval:org.secpod.oval:def:67512 A source-routed packet attempts to specify the network path the packet should take. If the system is not configured to block the incoming source-routed packets, an attacker can redirect the system's network traffic. Configuring the system to drop incoming source-routed IPv4 packets mitigates this ri ... oval:org.secpod.oval:def:67501 The permissions of the /etc/services file must be 0644 or less. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, ali ... oval:org.secpod.oval:def:67513 SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session ... oval:org.secpod.oval:def:67481 The system must allow only applications downloaded from the App Store to run. Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store. Administrator users will still have the option to override these settings on a per app basis. ... oval:org.secpod.oval:def:67492 Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that deter ... oval:org.secpod.oval:def:67530 The group of the /etc/services file must be wheel. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, port number, protocol name, aliases. oval:org.secpod.oval:def:67475 NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the users computer. File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer. oval:org.secpod.oval:def:67500 Remote access services, such as those providing remote access to network devices and information systems, increase risk and expose those systems to possible cyber attacks, so all remote access should be closely monitored and audited. Only authorized users should be permitted to remotely access DoD n ... oval:org.secpod.oval:def:67511 ICMP Timestamp requests reveal information about the system and can be used to determine which operating system is installed. Precise time data can also be used to launch time based attacks against the system. Configuring the system to drop incoming ICMPv4 timestamp requests mitigates these risks. oval:org.secpod.oval:def:67479 A custom message that can be displayed at the lock screen and FileVault login screen. Often used to warn people of permitted system actions and possible legal consequences of misuse. The CIS benchmark (macOS) states that displaying an access warning may reduce an attackers tendency to access the sys ... oval:org.secpod.oval:def:67505 A source-routed packet attempts to specify the network path that the system should take. If the system is not configured to block the sending of source-routed packets, an attacker can redirect the system's network traffic. oval:org.secpod.oval:def:67476 DVD or CD sharing allows other users to remotely access the systems optical drive. Disabling this feature will minimize the risk of an attacker accessing the optical drive and using it as a vector to expose sensitive data. oval:org.secpod.oval:def:67529 The group of the /etc/syslog.conf file must be wheel. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifie ... oval:org.secpod.oval:def:67496 The group of the audit logs must be wheel. The audit files are under /var/audit; set the group for each via chgrp. oval:org.secpod.oval:def:67460 Allowing guests to connect to shared folders lets users access such folders from different computers on a network. Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and gaining unauthorized access to the system. oval:org.secpod.oval:def:67488 Infrared [IR] kernel support must be disabled to prevent users from controlling the system with IR devices. By default, if IR is enabled, the system will accept IR control from any remote. oval:org.secpod.oval:def:67472 Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. If the time on the Mac is off by more than 5 minutes, Apples single sign-on feature and active directory logins may be affected. Setting date and time automatically oval:org.secpod.oval:def:67527 The group of csh init files must be wheel. Use the command chown :0 /etc/csh.cshrc /etc/csh.login /etc/csh.logout to change the group owner as appropriate. oval:org.secpod.oval:def:67480 Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps. Unexpected requests, such as ICMP (ping) are ignored. oval:org.secpod.oval:def:67477 The wake for network access feature enables other users to access a computers shared resources even if the computer is in sleep mode. The macOS benchmark states disabling the wake for network access feature could mitigate the risk of an attacker remotely waking the system to gain access to it oval:org.secpod.oval:def:67478 A custom message that can be displayed at the lock screen and FileVault login screen. Often used to warn people of permitted system actions and possible legal consequences of misuse. The CIS benchmark (macOS) states that displaying an access warning may reduce an attackers tendency to access the sys ... oval:org.secpod.oval:def:67507 The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When minfree is set to 25%, security personnel are notified immediately wh ... oval:org.secpod.oval:def:67461 Allowing guests to connect to shared folders lets users access such folders from different computers on a network. Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and gaining unauthorized access to the system. oval:org.secpod.oval:def:67502 ICMP redirects are broadcast in order to reshape network traffic. A malicious user could craft fake redirect packets and try to force all network traffic to pass through a network sniffer. If the system is not configured to ignore these packets, it could be susceptible to this kind of attack. oval:org.secpod.oval:def:67516 IP forwarding for IPv4 must not be enabled, unless the system is a router, as only authorized systems should be permitted to operate as routers. oval:org.secpod.oval:def:67519 The root account must be the only account having a UID of 0. The built in root account is disabled by default and administrator users are required to use sudo to run a process with the UID '0'. If another account with UID '0' exists, this is a sign of a network intrusion or a malicious user that is ... oval:org.secpod.oval:def:67459 The Guest account, a special managed account, is considered a security vulnerability in most situations because it has no password associated with it. oval:org.secpod.oval:def:67521 An attacker might attempt to log in as an authorized user, through stolen credentials, unpatched exploits, or brute force attempts to guess a valid username and password. If a user is attempting to log in to a system at an unusual time, or if there are many failed attempts, there is a possibility th ... oval:org.secpod.oval:def:67528 The owner of 'csh init' files must be root or as appropriate. Use the command chown root /etc/csh.cshrc /etc/csh.login /etc/csh.logout to change the owner as appropriate. oval:org.secpod.oval:def:67466 This control ensures that system and security updates are installed after they are available from Apple. According to the benchmark (macOS), staying up to date on patches is necessary to reduce the risk of vulnerabilities being exploited. oval:org.secpod.oval:def:67487 Hide or display the sleep, restart, and shutdown buttons, in the login window. In loginwindow.plist, set the PowerOffDisabled key = true to hide the buttons. If the key does not exist, buttons are displayed. |