STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The macOS system must cover or disable the built-in or attached camera when not in use.

DISA Rule

SV-209582r610285_rule

Vulnerability Number

V-209582

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

AOSX-14-002017

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This setting is enforced using the "Restrictions Policy" configuration profile.

Check Contents

If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g. laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered or physically disabled, the following configuration is required:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera

If the result is “allowCamera = 1” and the collaborative computing device has not been authorized for use, this is a finding.
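The check above can be scripted for fleet audits. The following is an added example, not part of the STIG or of STIGQter: the function name camera_check, the status words, and the "authorized" argument are assumptions made for illustration, and treating a missing key or conflicting values as cases for manual review is an interpretation rather than STIG text.

```shell
#!/bin/sh
# Added example: classify the allowCamera result for AOSX-14-002017.
# Reads `system_profiler SPConfigurationProfileDataType` text on stdin.
# $1 = "authorized" when the collaborative computing device has been
# approved for use (hypothetical argument, not defined by the STIG).
camera_check() {
    authorized="${1:-unauthorized}"
    # Collect the distinct allowCamera values; more than one installed
    # profile may set the key. A trailing ';' after the value is dropped.
    values=$(grep -E 'allowCamera[[:space:]]*=' \
        | sed -E 's/.*allowCamera[[:space:]]*=[[:space:]]*([^;[:space:]]*).*/\1/' \
        | sort -u | tr '\n' ' ')
    case "$values" in
        "")
            # No profile sets the key, so the Restrictions Policy
            # setting named in the fix is not present on this host.
            echo "NOT_ENFORCED" ;;
        "0 ")
            echo "COMPLIANT" ;;
        "1 ")
            if [ "$authorized" = "authorized" ]; then
                echo "AUTHORIZED"
            else
                echo "FINDING"
            fi ;;
        *)
            # Conflicting or unexpected values: needs a manual look.
            echo "REVIEW" ;;
    esac
}

# Constructed sample line, used only when not running on macOS.
SAMPLE='          allowCamera = 0;'
if [ -x /usr/sbin/system_profiler ]; then
    /usr/sbin/system_profiler SPConfigurationProfileDataType | camera_check "$1"
else
    printf '%s\n' "$SAMPLE" | camera_check "$1"
fi
```

The physical conditions in the check (camera cover, disconnect method, not-applicable cases) still have to be verified by inspection; the script only covers the configuration profile step.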

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2930
