STIGQter: STIG Summary: Apple OS X 10.13 Security Technical Implementation Guide

Version: 1
Release: 4
Benchmark Date: 24 Jan 2020

Name             Title
SV-96177r1_rule  The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
SV-96179r1_rule  The macOS system must be configured to disable hot corners.
SV-96181r1_rule  The macOS system must be configured to prevent Apple Watch from terminating a session lock.
SV-96183r1_rule  The macOS system must initiate a session lock after a 15-minute period of inactivity.
SV-96185r1_rule  The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
SV-96187r1_rule  The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
SV-96189r1_rule  The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
SV-96191r1_rule  The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission.
SV-96193r1_rule  The macOS system must be configured to disable rshd service.
SV-96195r1_rule  The macOS system must enforce requirements for remote connections to the information system.
SV-96197r1_rule  The macOS system must be configured with Bluetooth turned off unless approved by the organization.
SV-96199r1_rule  The macOS system must be configured with Wi-Fi support software disabled.
SV-96201r1_rule  The macOS system must be configured with Infrared [IR] support disabled.
SV-96203r1_rule  The macOS system must be configured with automatic actions disabled for blank CDs.
SV-96205r1_rule  The macOS system must be configured with automatic actions disabled for blank DVDs.
SV-96207r1_rule  The macOS system must be configured with automatic actions disabled for music CDs.
SV-96211r1_rule  The macOS system must be configured with automatic actions disabled for picture CDs.
SV-96213r1_rule  The macOS system must be configured with automatic actions disabled for video DVDs.
SV-96215r1_rule  The macOS system must automatically remove or disable temporary user accounts after 72 hours.
SV-96217r1_rule  The macOS system must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-96219r1_rule  The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
SV-96221r1_rule  The macOS system must be configured to disable SMB File Sharing unless it is required.
SV-96223r1_rule  The macOS system must be configured to disable Apple File (AFP) Sharing.
SV-96225r1_rule  The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.
SV-96227r1_rule  The macOS system must be configured to disable the Network File System (NFS) lock daemon unless it is required.
SV-96229r1_rule  The macOS system must be configured to disable the Network File System (NFS) stat daemon unless it is required.
SV-96231r1_rule  The macOS system firewall must be configured with a default-deny policy.
SV-96233r1_rule  The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system.
SV-96235r1_rule  The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
SV-96237r1_rule  The macOS system must be configured so that any connection to the system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-96239r1_rule  The macOS system must generate audit records for DoD-defined events such as successful/unsuccessful logon attempts, successful/unsuccessful direct access attempts, starting and ending time for user access, and concurrent logons to the same account from different sources.
SV-96241r1_rule  The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.
SV-96243r1_rule  The macOS system must enable System Integrity Protection.
SV-96245r1_rule  The macOS system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
SV-96247r1_rule  The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
SV-96249r1_rule  The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
SV-96251r2_rule  The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS).
SV-96253r1_rule  The macOS system must be configured with audit log files owned by root.
SV-96255r1_rule  The macOS system must be configured with audit log folders owned by root.
SV-96257r1_rule  The macOS system must be configured with audit log files group-owned by wheel.
SV-96259r1_rule  The macOS system must be configured with audit log folders group-owned by wheel.
SV-96261r1_rule  The macOS system must be configured with audit log files set to mode 440 or less permissive.
SV-96263r1_rule  The macOS system must be configured with audit log folders set to mode 700 or less permissive.
SV-96265r1_rule  The macOS system must be configured so that log files do not contain access control lists (ACLs).
SV-96267r1_rule  The macOS system must be configured so that log folders do not contain access control lists (ACLs).
SV-96269r1_rule  The macOS system must have the security assessment policy subsystem enabled.
SV-96271r1_rule  The macOS system must be configured to disable the application FaceTime.
SV-96273r1_rule  The macOS system must be configured to disable the application Messages.
SV-96275r1_rule  The macOS system must be configured to disable the iCloud Calendar services.
SV-96277r1_rule  The macOS system must be configured to disable the iCloud Reminders services.
SV-96279r1_rule  The macOS system must be configured to disable iCloud Address Book services.
SV-96281r1_rule  The macOS system must be configured to disable the iCloud Mail services.
SV-96283r1_rule  The macOS system must be configured to disable the iCloud Notes services.
SV-96285r1_rule  The macOS system must be configured to disable the camera.
SV-96287r1_rule  The macOS system must be configured to disable the system preference pane for iCloud.
SV-96289r1_rule  The macOS system must be configured to disable the system preference pane for Internet Accounts.
SV-96291r1_rule  The macOS system must be configured to disable the system preference pane for Siri.
SV-96293r1_rule  The macOS system must be configured to disable Siri and dictation.
SV-96313r2_rule  The macOS system must be configured to disable sending diagnostic and usage data to Apple.
SV-96315r1_rule  The macOS system must be configured to disable the iCloud Find My Mac service.
SV-96317r1_rule  The macOS system must be configured to disable Location Services.
SV-96319r1_rule  The macOS system must be configured to disable Bonjour multicast advertising.
SV-96321r1_rule  The macOS system must be configured to disable the UUCP service.
SV-96323r1_rule  The macOS system must disable the Touch ID feature.
SV-96325r1_rule  The macOS system must obtain updates from a DoD-approved update server.
SV-96327r1_rule  The macOS system must not have a root account.
SV-96329r1_rule  The macOS system must not have a guest account.
SV-96331r1_rule  The macOS system must unload tftpd.
SV-96333r1_rule  The macOS system must disable Siri pop-ups.
SV-96335r1_rule  The macOS system must disable iCloud Back to My Mac feature.
SV-96337r1_rule  The macOS system must disable iCloud Keychain synchronization.
SV-96339r1_rule  The macOS system must disable iCloud document synchronization.
SV-96341r1_rule  The macOS system must disable iCloud bookmark synchronization.
SV-96343r1_rule  The macOS system must disable iCloud Photo Library.
SV-96345r1_rule  The macOS system must disable iCloud Desktop And Documents.
SV-96347r1_rule  The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
SV-96349r1_rule  The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-96351r1_rule  The macOS system must enforce password complexity by requiring that at least one numeric character be used.
SV-96353r1_rule  The macOS system must enforce password complexity by requiring that at least one special character be used.
SV-96355r1_rule  The macOS system must enforce a minimum 15-character password length.
SV-96357r1_rule  The macOS system must not use telnet.
SV-96359r1_rule  The macOS system must not use unencrypted FTP.
SV-96361r2_rule  The macOS system must allow only applications downloaded from the App Store or properly signed to run.
SV-96363r1_rule  The macOS system must be configured so that end users cannot override Gatekeeper settings.
SV-96365r1_rule  The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.
SV-96367r1_rule  The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 0.
SV-96369r1_rule  The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.
SV-96371r1_rule  The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
SV-96373r1_rule  The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
SV-96375r1_rule  The macOS system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously where HBSS is used; 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by Computer Network Defense Service Provider (CNDSP).
SV-96377r1_rule  The macOS system must restrict the ability of individuals to use USB storage devices.
SV-96379r1_rule  The macOS system must be configured to not allow iTunes file sharing.
SV-96381r1_rule  The macOS system must not allow an unattended or automatic logon to the system.
SV-96383r1_rule  The macOS system logon window must be configured to prompt for username and password, rather than show a list of users.
SV-96385r1_rule  The macOS firewall must have logging enabled.
SV-96387r1_rule  The macOS system must be configured so that Bluetooth devices are not allowed to wake the computer.
SV-96389r1_rule  The macOS system must be configured with Bluetooth Sharing disabled.
SV-96391r1_rule  The macOS system must be configured to disable Remote Apple Events.
SV-96393r1_rule  The macOS system must be configured with the sudoers file configured to authenticate users on a per-tty basis.
SV-96395r1_rule  The macOS Application Firewall must be enabled.
SV-96397r1_rule  The macOS system must be configured with all public directories owned by root or an application account.
SV-96399r1_rule  The macOS system must be configured with the finger service disabled.
SV-96401r1_rule  The macOS system must be configured with the sticky bit set on all public directories.
SV-96403r1_rule  The macOS system must be configured with the prompt for Apple ID and iCloud disabled.
SV-96405r1_rule  The macOS system must be configured so that users do not have Apple IDs signed into iCloud.
SV-96407r1_rule  The macOS system must be configured with iTunes Music Sharing disabled.
SV-96409r1_rule  All setuid executables on the macOS system must be documented.
SV-96411r1_rule  The macOS system must not accept source-routed IPv4 packets.
SV-96413r1_rule  The macOS system must ignore IPv4 ICMP redirect messages.
SV-96415r1_rule  The macOS system must not have IP forwarding for IPv4 enabled.
SV-96417r1_rule  The macOS system must not have IP forwarding for IPv6 enabled.
SV-96419r1_rule  The macOS system must not send IPv4 ICMP redirects by default.
SV-96421r1_rule  The macOS system must not send IPv6 ICMP redirects by default.
SV-96425r1_rule  The macOS system must prevent local applications from generating source-routed packets.
SV-96427r1_rule  The macOS system must not process Internet Control Message Protocol [ICMP] timestamp requests.
SV-96429r1_rule  The macOS system must have unused network devices disabled.
SV-96431r1_rule  The macOS system must be configured to disable Internet Sharing.
SV-96433r1_rule  The macOS system must be configured to disable Web Sharing.
SV-96435r1_rule  The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.
SV-96437r1_rule  The macOS system must enforce account lockout after the limit of three consecutive invalid logon attempts by a user.
SV-96439r1_rule  The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.
SV-96441r1_rule  The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
SV-96443r1_rule  The macOS system must use a DoD antivirus program.
SV-96445r1_rule  The macOS system must be configured to disable AirDrop.
SV-96447r1_rule  The macOS system must be integrated into a directory services infrastructure.
SV-96449r1_rule  The macOS system must enforce a 60-day maximum password lifetime restriction.
SV-96451r1_rule  The macOS system must prohibit password reuse for a minimum of five generations.
SV-96453r1_rule  The macOS system must be configured with system log files owned by root and group-owned by wheel or admin.
SV-96455r1_rule  The macOS system must be configured with system log files set to mode 640 or less permissive.
SV-96457r1_rule  The macOS system must be configured with access control lists (ACLs) for system log files to be set correctly.
SV-96459r1_rule  The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.
SV-96461r1_rule  The macOS system must be configured to lock the user session when a smart token is removed.
SV-96463r1_rule  The macOS system must enable certificate for smartcards.
SV-96465r1_rule  The macOS system must prohibit user installation of software without explicit privileged status.