
CCE-91578-5
Audit User Account Deletion When operating system accounts are removed, user accessibility is affected. The system must audit account removal actions so that administrator users can detect and respond to such events. Such a capability greatly reduces the risk that operating system accessibility wil ...

CCE-91532-2
Verify group who owns the file /usr/bin/rsh The group of the rsh executable must be wheel. The rsh utility copies its standard input to the remote command, the standard output of the remote command to its standard output, and the standard error of the remote command to its standard error. Interrupt ...

CCE-91555-3
Extended ACL is applied or not for audit tool executables The audit tool executables should not have extended ACLs.

CCE-91615-5
Require Users to Unlock the Screensaver with their Password Users must be prompted to enter their passwords when unlocking the screensaver. The screensaver acts as a session lock and prevents unauthorized users from accessing the current user's account.

CCE-91570-2
Audit Successful and Unsuccessful Attempts to Change File Permissions (categories of information) The permissions on a file establish which users are permitted to access or modify it. An attacker may attempt to change the permissions on a file to prevent legitimate users from accessing it or to gran ...

CCE-91603-1
Drop Incoming Source-Routed Packets A source-routed packet attempts to specify the network path the packet should take. If the system is not configured to block the incoming source-routed packets, an attacker can redirect the system's network traffic. Configuring the system to drop incoming source- ...

CCE-91506-6
Hide or display the sleep button in the login window Hide or display the sleep button in the login window.

CCE-91529-8
Verify group who owns the file /usr/bin/rlogin The group of the rlogin executable must be root. The rlogin utility starts a terminal session on a remote host.

CCE-91567-8
Audit Successful and Unsuccessful Attempts to Change File Permissions (Security Objects) The permissions on a file establish which users are permitted to access or modify it. An attacker may attempt to change the permissions on a file to prevent legitimate users from accessing it or to grant additi ...

CCE-91521-5
Verify the file permissions of csh init files The permissions of csh init files must be 644.

CCE-91544-7
Extended ACL is applied or not for /etc/resolv.conf file The /etc/resolv.conf file should not have an extended ACL.

CCE-91582-7
Disable Automatic Actions for Blank DVDs Applications should not be configured to launch automatically when a disk is inserted. This potentially circumvents anti virus software and allows malicious users to craft disks that can exploit user applications. Disabling Automatic Actions for blank DVDs m ...

CCE-91592-6
Disable iTunes Music Sharing When iTunes Music Sharing is enabled, the computer starts a network listening service that shares the contents of the user's music collection with other users in the same subnet. Unnecessary network services should always be disabled because they increase the attack sur ...

CCE-91518-1
Verify the file permissions of init files The permissions of bash init files must be 444 or as appropriate. /etc/profile is used to set system-wide environment variables in users' shells. The /etc/bashrc file is meant for setting command aliases and functions used by bash shell users.

CCE-91579-3
Audit User Account Disablement When operating system accounts are disabled, user accessibility is affected. The system must audit account disablement actions so that administrator users can detect and respond to such events. Such a capability greatly reduces the risk that operating system accessibil ...

CCE-91510-8
Enable or disable console login as appropriate If console login is enabled, the user can type >console for the user name to get a console login.

CCE-91556-1
Apply Configuration Settings With a Configuration Profile Configuration settings must be verified by a centrally managed system such as an MDM to ensure that they have not been changed. Configuration settings are the configurable security-related parameters of information technology products that a ...

CCE-91533-0
Verify permissions of file /usr/bin/rsh The permissions of the rsh executable must be 555. The rsh utility copies its standard input to the remote command, the standard output of the remote command to its standard output, and the standard error of the remote command to its standard error. Interrupt ...

CCE-91571-0
Maximum password lifetime restriction Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifeti ...

CCE-91614-8
Prevent Users from Logging in as Root Directly Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators should only run commands as root after first authe ...

CCE-91602-3
Drop Incoming ICMPv4 Timestamp Requests ICMP Timestamp requests reveal information about the system and can be used to determine which operating system is installed. Precise time data can also be used to launch time based attacks against the system. Configuring the system to drop incoming ICMPv4 ti ...

CCE-91588-4
Disable Bluetooth Sharing Bluetooth sharing allows users to wirelessly transmit files between Mac OS X and Bluetooth-enabled devices, including personally owned cell phones and tablets. A malicious user might introduce viruses or malware onto the system or extract sensitive files. Disabling Bluetoo ...

CCE-91507-4
Password hints on lock screen Controls when, and if, a password hint is given to the user, based on the number of failed login attempts.

CCE-91568-6
Audit Successful and Unsuccessful Attempts to Change File Permissions (Security Levels) The permissions on a file establish which users are permitted to access or modify it. An attacker may attempt to change the permissions on a file to prevent legitimate users from accessing it or to grant addition ...

CCE-91545-4
Verify user who owns the file /etc/services The owner of the /etc/services file must be root. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name, ...

CCE-91522-3
Set the Global Umask Setting for Users The default global umask setting must be set to '027' for user applications. The setting '027' ensures that user created files and directories will be readable, but not writable, by users that share the same group id. Users with a different group id will not b ...

CCE-91583-5
Disable Automatic Actions for Music CDs Applications should not be configured to launch automatically when a disk is inserted. This potentially circumvents anti virus software and allows malicious users to craft disks that can exploit user applications. Disabling Automatic Actions for music CDs mit ...

CCE-91560-3
Audit All Logon Events Remote access services, such as those providing remote access to network devices and information systems, increase risk and expose those systems to possible cyber attacks, so all remote access should be closely monitored and audited. Only authorized users should be permitted ...

CCE-91613-0
Prevent Users from Disabling Gatekeeper Gatekeeper must be configured with a configuration profile in order to prevent normal users from overriding its setting. If users are allowed to disable Gatekeeper or set it to a less restrictive setting, then it is possible that malware could be introduced i ...

CCE-91519-9
Verify user who owns the csh init files The owner of csh init files must be root.

CCE-91591-8
Disable IPv4 Forwarding IP forwarding for IPv4 must not be enabled, unless the system is a router, as only authorized systems should be permitted to operate as routers.

CCE-91599-1
Don't Send ICMPv4 Redirect Messages ICMP redirects are broadcast in order to reshape network traffic. A malicious user could use the system to send fake redirect packets and try to force all network traffic to pass through a network sniffer. Disabling ICMP redirect broadcasts mitigates this risk.

CCE-91534-8
Extended ACL is applied or not for /etc/aliases file The /etc/aliases file should not have an extended ACL.

CCE-91557-9
Lock User Accounts after 'n' Failed Login Attempts By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Setting a lockout expiration of 15 minutes ...

CCE-91511-6
Allow or disallow external accounts to be active on a system The setting controls whether external accounts, which are defined and stored on other media (such as USB drives or specified disk partitions), are allowed to be active on a system.

CCE-91572-8
Prevent usage of previously used password Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password ha ...

CCE-91601-5
Drop Incoming ICMPv4 Redirect Messages ICMP redirects are broadcast in order to reshape network traffic. A malicious user could craft fake redirect packets and try to force all network traffic to pass through a network sniffer. If the system is not configured to ignore these packets, it could be su ...

CCE-91500-9
Define the Idle Time for the Login Screen Saver Specifies the maximum time the login window can be inactive before the screen saver starts. This is distinct from a user session's idle time. Setting to 900 seconds (15 minutes) instead of the OEM value of unlimited.

CCE-91587-6
Disable Bluetooth The Bluetooth kernel extension must be removed, as wireless access introduces unnecessary security risks. Removing Bluetooth support entirely mitigates this risk and ensures the operating system enforces this requirement.

CCE-91508-2
Disable inactivity logout Controls whether inactivity logs out a user and, if so, how many minutes are required to trigger logout.

CCE-91609-8
Lock the Screen with a Screensaver after 15 Minutes of Inactivity A screensaver must be enabled and set to require a password to unlock. The timeout should be set to fifteen minutes of inactivity. This mitigates the risk that a user might forget to manually lock the screen before stepping away from ...

CCE-91569-4
Numeric Character in Passwords Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is ...

CCE-91546-2
Verify group who owns the file /etc/services The group of the /etc/services file must be wheel. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official service name ...

CCE-91523-1
Verify user who owns the file /usr/bin/ipcs The owner of the ipcs executable must be root. The ipcs utility provides information on System V interprocess communication (IPC) facilities on the system.

CCE-91584-3
Disable Automatic Actions for Picture CDs Applications should not be configured to launch automatically when a disk is inserted. This potentially circumvents anti virus software and allows malicious users to craft disks that can exploit user applications. Disabling Automatic Actions for picture CDs ...

CCE-91561-1
Audit Kernel Module Loading and Unloading Kernel modules, called kernel extensions in Mac OS X, are compiled segments of code that are dynamically loaded into the kernel as required to support specific pieces of hardware or functionality. Privileged users are permitted to load or unload kernel exte ...

CCE-91590-0
Disable Infrared [IR] Infrared [IR] kernel support must be disabled to prevent users from controlling the system with IR devices. By default, if IR is enabled, the system will accept IR control from any remote.

CCE-91612-2
Prevent Bluetooth Devices from Waking the Computer Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to wake the computer.

CCE-91558-7
Audit Account Creation Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account. Auditing of account creation mitigates this risk. To address ...

CCE-91512-4
Admin accounts are visible on the login window The setting controls whether admin accounts are visible on the login window.

CCE-91535-5
Extended ACL is applied or not for /etc/group file The /etc/group file should not have an extended ACL.

CCE-91573-6
Audit Successful and Unsuccessful Attempts to Change File Permissions (delete privileges) The permissions on a file establish which users and groups are permitted to access or modify it. An attacker may attempt to change the permissions on a file to prevent legitimate users from accessing it or to g ...

CCE-91550-4
Verify user who owns the files under directory /var/audit The owner of the audit logs must be root.

CCE-91501-7
Hide or display the sleep, restart, and shutdown buttons, in the login window. Hide or display the sleep, restart, and shutdown buttons, as a group, in the login window.

CCE-91509-0
Disable fast user switching Controls whether a user can use the OSX GUI to start or switch to a login session running as another user concurrently.

CCE-91524-9
Verify group who owns the file /usr/bin/ipcs The group of the ipcs executable must be root. The ipcs utility provides information on System V interprocess communication (IPC) facilities on the system.

CCE-91562-9
Audit Privileged Access Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Au ...

CCE-91547-0
Verify permissions of file /etc/services The permissions of the /etc/services file must be 0644 or less. The services file contains information regarding the known services available in the DARPA Internet. For each service a single line should be present with the following information: official se ...

CCE-91623-9
Turn on Secure Virtual Memory Secure virtual memory must be enabled. Secure virtual memory ensures that data in memory is encrypted when it is swapped to disk. This prevents users and applications from accessing potentially sensitive information, such as user names and passwords, from the swap spac ...

CCE-91585-0
Disable Automatic Actions for Video DVDs Applications should not be configured to launch automatically when a disk is inserted. This potentially circumvents anti virus software and allows malicious users to craft disks that can exploit user applications. Disabling Automatic Actions for video DVDs m ...

CCE-91600-7
Don't Forward Source-Routed Packets A source-routed packet attempts to specify the network path that the system should take. If the system is not configured to block the sending of source-routed packets, an attacker can redirect the system's network traffic.

CCE-91611-4
Notify when auditing fails The audit service should be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. ...

CCE-91597-5
Disable Wi-Fi if Not Required The kernel extension for Wi-Fi network devices such as Airport must be removed to ensure that users will not be able to reactivate wireless networking at a later time. System updates will sometimes replace deleted kernel extensions. Administrator users may need to peri ...

CCE-91559-5
Audit Account Creation, Modification, and Deletion Account creations and account modifications, such as disablement and termination, can all be signs of an intrusion and should be audited. Once an attacker establishes access to a system, the attacker may attempt to create an account to reestablish a ...

CCE-91513-2
Local user accounts are visible in the login window The setting controls whether local user accounts are visible in the login window.

CCE-91619-7
Set Trash to Securely Erase Items Finder must be configured to always empty Trash securely in order to prevent data recovery tools from accessing the deleted files. Files emptied from the Trash by normal means are still present on the hard drive and can be recovered up until the moment the system o ...

CCE-91536-3
Extended ACL is applied or not for /etc/hosts file The /etc/hosts file should not have an extended ACL.

CCE-91574-4
Audit Successful and Unsuccessful Attempts to Gain Privileged Access Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user acc ...

CCE-91551-2
Verify group who owns the files under directory /var/audit The group of the audit logs must be wheel.

CCE-91622-1
Turn on Firewall Logging Firewall logging must be enabled. This ensures that malicious network activity will be logged to the system. This requirement is NA if HBSS is used.

CCE-91548-8
Verify user who owns the file /etc/syslog.conf The owner of the /etc/syslog.conf file must be root. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the l ...

CCE-91525-6
Verify permissions on /usr/bin/ipcs file The permissions of the ipcs executable must be 511. The ipcs utility provides information on System V interprocess communication (IPC) facilities on the system.

CCE-91586-8
Disable Automatic Logons When automatic logins are enabled, the default user account is automatically logged in at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer in order to log in. Disabling automatic l ...

CCE-91502-5
Hide or display the restart button in the login window. Hide or display the restart button in the login window.

CCE-91563-7
Audit Access Control Enforcement By auditing access restriction enforcement, changes to application and OS configuration files can be audited. Without auditing the enforcement of access restrictions, it will be difficult to identify attempted attacks and an audit trail will not be available for for ...

CCE-91540-5
Extended ACL is applied or not for /etc/syslog.conf file The /etc/syslog.conf file should not have an extended ACL.

CCE-91607-2
Ensure Only root has the UID 0 The built in root account is disabled by default and administrator users are required to use sudo to run a process with the UID '0'. If another account with UID '0' exists, this is a sign of a network intrusion or a malicious user that is attempting to circumvent secu ...

CCE-91610-6
Audit has insufficient storage The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When minfree is set to 25%, security pers ...

CCE-91537-1
Extended ACL is applied or not for /etc/openldap/ldap.conf file The /etc/openldap/ldap.conf file should not have an extended ACL.

CCE-91618-9
Set the Global Umask Setting for the System The default global umask setting must be set to '022' for system processes. The setting '022' ensures that system process created files and directories will only be readable by other users and processes, not writable. This mitigates the risk that unauthor ...

CCE-91514-0
Mobile accounts are visible in the login window The setting controls whether mobile accounts, which synchronize home folders between clients and servers, are visible in the login window.

CCE-91575-1
Audit Successful and Unsuccessful Attempts of all DoD-defined auditable events Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. DoD has defined the list of even ...

CCE-91552-0
Verify permissions for the files under directory /var/audit The permissions of the audit logs must be 0640 or less.

CCE-91621-3
Turn on FileVault Disk Encryption (confidentiality and integrity) FileVault Disk Encryption must be enabled. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. Information at rest refers to the state of information when it is located ...

CCE-91526-4
Verify user who owns the file /bin/rcp The owner of the rcp executable must be root. The rcp utility copies files between machines.

CCE-91549-6
Verify group who owns the file /etc/syslog.conf The group of the /etc/syslog.conf file must be wheel. The syslog.conf file is the configuration file for the syslogd(8) program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the ...

CCE-91503-3
Prompt Users for a Username and Password The login window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users at the login screen. This gives an advantage to an attacker with physical access to the system, as the attacker ...

CCE-91564-5
Audit Administrative actions and changes to configuration settings If events associated with non-local administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associ ...

CCE-91541-3
Extended ACL is applied or not for /private/var/at/cron.allow file The /private/var/at/cron.allow file should not have an extended ACL.

CCE-91606-4
Ensure Audit Logs are Kept for 1 Week or Longer The audit service must be configured to require that records are kept for 7 days or longer before deletion when there is no central audit record storage facility. When expire-after is set to 7d, the audit service will not delete audit logs until the l ...

CCE-91538-9
Extended ACL is applied or not for /etc/passwd file The /etc/passwd file should not have an extended ACL.

CCE-91595-9
Disable the Insecure SSH Version (Non privileged accounts) The SSH Version should be explicitly set to Version 2. Version 2 supports strong crypto and was rewritten from scratch to resolve several weaknesses in Version 1 that make it extremely vulnerable to attackers. The weaker crypto in Version 1 ...

CCE-91515-7
Network users are listed in the login window The setting controls whether network users are listed in the login window.

CCE-91576-9
Audit Successful and Unsuccessful Logon Attempts An attacker might attempt to log in as an authorized user, through stolen credentials, unpatched exploits, or brute force attempts to guess a valid username and password. If a user is attempting to log in to a system at an unusual time, or if there a ...

CCE-91553-8
Extended ACL is applied or not for files under /var/audit The audit logs must not have extended ACLs.

CCE-91530-6
Verify permissions of file /usr/bin/rlogin The permissions of the rlogin executable must be 555. The rlogin utility starts a terminal session on a remote host.

CCE-91617-1
Set the SSH Idle Timeout Interval and the Timeout for the Login Prompt SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opport ...

CCE-91620-5
Shut down the Computer if Auditing Fails The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include: software/hardwa ...

CCE-91504-1
Hide or display the non-local users list when logging in Controls whether the login window shows a list of non-local (other) users from which to choose when logging in, or shows fields in which a user and a password can be entered.

CCE-91527-2
Verify permissions on /bin/rcp file The permissions of the rcp executable must be 555. The rcp utility copies files between machines.

CCE-91565-2
Generate audit records for privileged activities or other system-level access Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can ...

CCE-91542-1
Extended ACL is applied or not for /private/var/at/cron.deny file The /private/var/at/cron.deny file should not have an extended ACL.

CCE-91580-1
Prompt Password for all open sessions The sudo command must be configured to prompt for the administrator user's password at least once in each newly opened Terminal window or remote login session, as this prevents a malicious user from taking advantage of an unlocked computer or an abandoned login ...

CCE-91605-6
Enable Gatekeeper Gatekeeper settings must be configured correctly to only allow the system to run applications downloaded from the Mac App Store. Administrator users will still have the option to override these settings on a per app basis. Gatekeeper is a security feature that ensures that applicat ...

CCE-91594-2
Disable the Insecure SSH Version (privileged accounts) The SSH Version should be explicitly set to Version 2. Version 2 supports strong crypto and was rewritten from scratch to resolve several weaknesses in Version 1 that make it extremely vulnerable to attackers. The weaker crypto in Version 1 is p ...

CCE-91539-7
Extended ACL is applied or not for /etc/services file The /etc/services file should not have an extended ACL.

CCE-91516-5
Verify user who owns the init files The owner of bash init files must be root. /etc/profile is used to set system-wide environment variables in users' shells. The /etc/bashrc file is meant for setting command aliases and functions used by bash shell users.

CCE-91577-7
Audit User Account Creation Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account or modify an existing one. Auditing of account creation an ...

CCE-91554-6
Verify the permissions of the audit configuration files The permissions of the audit configuration files must be 0555 or less.

CCE-91531-4
Verify user who owns the file /usr/bin/rsh The owner of the rsh executable must be root. The rsh utility copies its standard input to the remote command, the standard output of the remote command to its standard output, and the standard error of the remote command to its standard error. Interrupt, ...

CCE-91616-3
Set Minimum Password Length to 15 Characters The minimum password length must be set to 15 characters. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to ...

CCE-91505-8
Hide or display the shutdown button in the login window Hide or display the shutdown button in the login window.

CCE-91543-9
Extended ACL is applied or not for /usr/sbin/traceroute file The /usr/sbin/traceroute file should not have an extended ACL.

CCE-91520-7
Verify group who owns the csh init files The group of csh init files must be wheel.

CCE-91528-0
Verify user who owns the file /usr/bin/rlogin The owner of the rlogin executable must be root. The rlogin utility starts a terminal session on a remote host.

CCE-91581-9
Disable Automatic Actions for Blank CDs Applications should not be configured to launch automatically when a disk is inserted. This potentially circumvents anti virus software and allows malicious users to craft disks that can exploit user applications. Disabling Automatic Actions for blank CDs mit ...

CCE-91566-0
Audit Successful and Unsuccessful Attempts to Change to Another User Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user acc ...

CCE-91604-9
Enable Application Firewall The Application Firewall is the built in firewall that comes with Mac OS X and must be enabled. Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicat ...

CCE-91517-3
Verify group who owns the init files The group of bash init files must be wheel. /etc/profile is used to set system-wide environment variables in users' shells. The /etc/bashrc file is meant for setting command aliases and functions used by bash shell users.

CPE (1):
cpe:/o:apple:mac_os_x:10.12

XCCDF:
xccdf_org.secpod_benchmark_general_Mac_OS_X_10_12

OVAL (119):
oval:org.secpod.oval:def:44170
oval:org.secpod.oval:def:44171
oval:org.secpod.oval:def:44172
oval:org.secpod.oval:def:44177
...

© SecPod Technologies