DISA STIG Apple Mac OSX 10.15 v1r5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Apple Mac OSX 10.15 v1r5

Updated: 3/8/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 142

Audit Items

DescriptionCategories
AOSX-15-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.

CONFIGURATION MANAGEMENT

AOSX-15-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.

CONFIGURATION MANAGEMENT

AOSX-15-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.

CONFIGURATION MANAGEMENT

AOSX-15-000004 - The macOS system must initiate a session lock after a 15-minute period of inactivity.

CONFIGURATION MANAGEMENT

AOSX-15-000005 - The macOS system must be configured to lock the user session when a smart token is removed.

CONFIGURATION MANAGEMENT

AOSX-15-000006 - The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

CONFIGURATION MANAGEMENT

AOSX-15-000007 - The macOS system must be configured to disable hot corners - bottom left

ACCESS CONTROL

AOSX-15-000007 - The macOS system must be configured to disable hot corners - bottom right

ACCESS CONTROL

AOSX-15-000007 - The macOS system must be configured to disable hot corners - top left

ACCESS CONTROL

AOSX-15-000007 - The macOS system must be configured to disable hot corners - top right

ACCESS CONTROL

AOSX-15-000008 - The macOS system must be configured with Wi-Fi support software disabled.

IDENTIFICATION AND AUTHENTICATION

AOSX-15-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions, including transmitted data and data during preparation for transmission, and use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications - OpenSSH version

ACCESS CONTROL

AOSX-15-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions, including transmitted data and data during preparation for transmission, and use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications - SSHD currently running

ACCESS CONTROL

AOSX-15-000011 - The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions, including transmitted data and data during preparation for transmission, and use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications - SSHD service disabled

CONFIGURATION MANAGEMENT

AOSX-15-000012 - The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.
AOSX-15-000014 - The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS) - Network Time On

AUDIT AND ACCOUNTABILITY

AOSX-15-000014 - The macOS system must, for networked systems, compare internal information system clocks at least every 24 hours with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet) and/or the Global Positioning System (GPS) - Network Time Server

CONFIGURATION MANAGEMENT

AOSX-15-000015 - The macOS system must utilize an HBSS solution and implement all DoD required modules.
AOSX-15-000016 - The macOS system must be integrated into a directory services infrastructure.

IDENTIFICATION AND AUTHENTICATION

AOSX-15-000020 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user.

ACCESS CONTROL

AOSX-15-000021 - The macOS system must enforce an account lockout time period of 15 minutes in which a user makes three consecutive invalid logon attempts.

ACCESS CONTROL

AOSX-15-000022 - The macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.

ACCESS CONTROL

AOSX-15-000023 - The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the operating system.

ACCESS CONTROL

AOSX-15-000024 - The macOS system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.

ACCESS CONTROL

AOSX-15-000025 - The macOS system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting GUI access to the system - Banner file

ACCESS CONTROL

AOSX-15-000025 - The macOS system must be configured so that any connection to the system must display the Standard Mandatory DoD Notice and Consent Banner before granting GUI access to the system - Banner text

ACCESS CONTROL

AOSX-15-000030 - The macOS system must be configured so that log files must not contain access control lists (ACLs).

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

AOSX-15-000031 - The macOS system must be configured so that log folders must not contain access control lists (ACLs).

AUDIT AND ACCOUNTABILITY

AOSX-15-000032 - The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup - AuthenticationAuthority

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

AOSX-15-000032 - The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup - DisableFDEAutologin

ACCESS CONTROL

AOSX-15-000032 - The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup - FileVault User

SYSTEM AND COMMUNICATIONS PROTECTION

AOSX-15-000051 - The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.

ACCESS CONTROL

AOSX-15-000052 - The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 0.

ACCESS CONTROL

AOSX-15-000053 - The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.

ACCESS CONTROL

AOSX-15-000054 - The macOS system must implement approved Ciphers to protect the confidentiality of SSH connections..
AOSX-15-000055 - The macOS system must use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
AOSX-15-000056 - The macOS system must implement an approved Key Exchange Algorithm.
AOSX-15-001001 - The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.

AUDIT AND ACCOUNTABILITY

AOSX-15-001002 - The macOS system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur.

AUDIT AND ACCOUNTABILITY

AOSX-15-001003 - The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) - GMT.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

AOSX-15-001010 - The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).

AUDIT AND ACCOUNTABILITY

AOSX-15-001012 - The macOS system must be configured with audit log files owned by root.

AUDIT AND ACCOUNTABILITY

AOSX-15-001013 - The macOS system must be configured with audit log folders owned by root.

AUDIT AND ACCOUNTABILITY

AOSX-15-001014 - The macOS system must be configured with audit log files group-owned by wheel.

AUDIT AND ACCOUNTABILITY

AOSX-15-001015 - The macOS system must be configured with audit log folders group-owned by wheel.

AUDIT AND ACCOUNTABILITY

AOSX-15-001016 - The macOS system must be configured with audit log files set to mode 440 or less permissive.

AUDIT AND ACCOUNTABILITY

AOSX-15-001017 - The macOS system must be configured with audit log folders set to mode 700 or less permissive.

AUDIT AND ACCOUNTABILITY

AOSX-15-001020 - The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.

AUDIT AND ACCOUNTABILITY

AOSX-15-001029 - The macOS system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.

AUDIT AND ACCOUNTABILITY

AOSX-15-001030 - The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

AUDIT AND ACCOUNTABILITY