The owner of the /etc/services file must be root. The services file maps the well-known services of the Internet to their port numbers: for each service a single line is present with the official service name, port number, protocol name and aliases. Library routines such as getservbyname() consult it, so a non-root owner could rewrite the name-to-port mapping that other tools rely on. The following command sets the owner to UID 0 and leaves the group unchanged:
chown 0: /etc/services
The built-in root account is disabled by default, and administrator users are required to use sudo to run a process with UID 0. If any other account has UID 0, that is a strong indicator of a network intrusion or of a malicious user attempting to circumvent security controls.
Investigate why any additional account was set up with UID 0.
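One way to perform that check, as an added example that is not part of the benchmark: on macOS the local account list comes from `dscl . -list /Users UniqueID`, which prints one `<name> <uid>` pair per line. The function below takes that text as its argument so it can be exercised on captured output; the sample output, including the planted `hidden_admin` account, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark): flag every local account whose UID
# is 0 other than the built-in root. Input is the text produced by
#   dscl . -list /Users UniqueID
# so the same function runs on a live Mac or on captured output.

# Print the names of non-root accounts with UID 0, one per line (empty if none).
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk '$2 == 0 && $1 != "root" { print $1 }'
}

# Report PASS/FAIL; exit status 0 only when root is the sole UID 0 account.
check_uid0() {
    extras=$(extra_uid0_accounts "$1")
    if [ -n "$extras" ]; then
        printf 'FAIL: additional UID 0 accounts: %s\n' \
            "$(printf '%s' "$extras" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "PASS: only root has UID 0"
}

# Constructed sample of dscl output with one rogue account planted.
SAMPLE_DSCL='_mbsetupuser 248
daemon 1
hidden_admin 0
nobody -2
root 0
alice 501'

# Demonstration on the sample; on a real Mac use
#   check_uid0 "$(dscl . -list /Users UniqueID)"
check_uid0 "$SAMPLE_DSCL" || echo "investigate the accounts listed above"
```

Because `nobody` has UID -2 on macOS, the comparison is numeric rather than a string match on "0", so negative and padded values are handled correctly.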
Library Validation prevents a process from loading libraries that are not signed by Apple or by the same Team ID as the process, and it keeps root from becoming more powerful than intended: without it, root can inject arbitrary libraries into any process (subject to SIP status).
Running without Library Validation on a production system risks modification of system binaries and code injection into system processes that would otherwise be protected by it.
System b ...
The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
NOTE: /etc/pam.d/su is automatically reset to its original state by any update or major upgrade of the operating system, so the setting must be verified and reapplied after every update.
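A check that can be run after each update, as an added example and not the benchmark's own tooling: it parses the `auth` rules of a PAM file and reports whether smart-card authentication is required. Two assumptions are labelled here: macOS's smart-card PAM module is pam_smartcard.so, and an `auth` line that still references pam_opendirectory.so is treated as a password-only fallback. Both sample stacks are constructed for the demonstration; the first is modelled on the password-only shape of the stock file, the second on a smart-card-first stack.

```shell
#!/bin/sh
# Added example (not from the benchmark). Assumptions: pam_smartcard.so is the
# macOS smart-card PAM module; an "auth" rule for pam_opendirectory.so means a
# password-only path still exists. The function takes the file's text so it
# can be tested on captured content; on a Mac run:
#   su_pam_status "$(cat /etc/pam.d/su)"

# Print only the "auth" rules, with comments and blank lines removed.
pam_auth_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '$1 == "auth"'
}

# Print one of: MFA, PASSWORD_FALLBACK, NO_MFA
su_pam_status() {
    auth=$(pam_auth_lines "$1")
    if ! printf '%s\n' "$auth" | grep -q 'pam_smartcard\.so'; then
        echo NO_MFA
    elif printf '%s\n' "$auth" | grep -q 'pam_opendirectory\.so'; then
        echo PASSWORD_FALLBACK
    else
        echo MFA
    fi
}

# Constructed sample: password-only stack (shape of the stock file).
STOCK_SU='# su: auth account password session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so'

# Constructed sample: smart-card first, no password-only auth rule.
HARDENED_SU='# su: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_rootok.so
auth       required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_permit.so
account    required       pam_opendirectory.so no_check_shell
password   required       pam_opendirectory.so
session    required       pam_launchd.so'

printf 'stock:    %s\n' "$(su_pam_status "$STOCK_SU")"     # NO_MFA
printf 'hardened: %s\n' "$(su_pam_status "$HARDENED_SU")"  # MFA
```

The PASSWORD_FALLBACK result is the case to watch for: a stack that merely adds pam_smartcard.so in front of the stock password module satisfies a simple grep for the module name but still lets a password alone succeed.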
Setting the default v ...
The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk they add to the management complexity, since the value of the service is i ...
Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements. Users will see generic advertising rather than targeted advertising; Apple warns that this will reduce the number of relevant ads.
/usr/bin/defaults write /Users/$USER/Library/Preferences/com.apple.AdLib "allowApplePersonalizedAdvertising" ...
The wake for network access feature lets other users reach a computer's shared resources even while the computer is asleep. The macOS benchmark states that disabling "wake for network access" mitigates the risk of an attacker remotely waking the system in order to gain access to it.
pmset -a womp 0
ICMP timestamp requests reveal information about the system and can be used to fingerprint which operating system is installed. Precise time data can also be used to launch time-based attacks against the system. Configuring the system to drop incoming ICMPv4 timestamp requests mitigates these risks.
To disable ICMP timestamp responses, add the following line to /etc/sysctl.conf: