Revision 1.1

Jul 24, 2018
Functional Update
  • AOSX-11-000005 - The system must conceal, via the session lock, info previously visible on the display with a publicly viewable image.
  • AOSX-11-000010 - The operating system must initiate a session lock after a 15-minute period of inactivity.
  • AOSX-11-000020 - The system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
  • AOSX-11-000030 - The operating system must monitor remote access methods.
  • AOSX-11-000035 - The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  • AOSX-11-000050 - The rshd service must be disabled.
  • AOSX-11-000055 - The operating system must enforce requirements for remote connections to the information system.
  • AOSX-11-000065 - The Bluetooth software driver must be disabled.
  • AOSX-11-000070 - Wi-Fi support software must be disabled.
  • AOSX-11-000075 - Infrared [IR] support must be disabled.
  • AOSX-11-000085 - Automatic actions must be disabled for blank CDs.
  • AOSX-11-000090 - Automatic actions must be disabled for blank DVDs.
  • AOSX-11-000095 - Automatic actions must be disabled for music CDs.
  • AOSX-11-000100 - Automatic actions must be disabled for picture CDs.
  • AOSX-11-000105 - Automatic actions must be disabled for video DVDs.
  • AOSX-11-000110 - The operating system must automatically remove or disable temporary user accounts after 72 hours.
  • AOSX-11-000115 - The operating system must be configured such that emergency administrator accounts are never automatically disabled.
  • AOSX-11-000120 - The system must generate audit records for all account creations, modifications, disabling, and termination events.
  • AOSX-11-000139 - SMB File Sharing must be disabled unless required.
  • AOSX-11-000140 - Apple File (AFP) Sharing must be disabled.
  • AOSX-11-000141 - The NFS daemon must be disabled unless required.
  • AOSX-11-000142 - The NFS lock daemon must be disabled unless required.
  • AOSX-11-000143 - The NFS stat daemon must be disabled unless required.
  • AOSX-11-000155 - The system firewall must be configured with a default-deny policy.
  • AOSX-11-000186 - The SSH banner must contain the Standard Mandatory DoD Notice and Consent Banner.
  • AOSX-11-000187 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
  • AOSX-11-000195 - Publicly accessible connections to the system must display the DoD Banner before granting access - 'Banner file exist'
  • AOSX-11-000195 - Publicly accessible connections to the system must display the DoD Banner before granting access - 'Banner file text'
  • AOSX-11-000200 - The system must generate audit records for DoD defined events.
  • AOSX-11-000230 - The operating system must initiate session audits at system startup.
  • AOSX-11-000295 - The system must allocate audit record storage capacity to store at least one week's worth of audit records.
  • AOSX-11-000305 - The system must provide an immediate real-time alert of all audit failure events requiring real-time alerts.
  • AOSX-11-000310 - The system must provide an immediate real-time alert of all audit failure events requiring real-time alerts.
  • AOSX-11-000330 - The system must, for networked systems, compare internal system clocks at least every 24 hours with a server.
  • AOSX-11-000331 - Audit log files must be owned by root.
  • AOSX-11-000332 - Audit log folders must be owned by root.
  • AOSX-11-000333 - Audit log files must be group-owned by wheel.
  • AOSX-11-000334 - Audit log folders must be group-owned by wheel.
  • AOSX-11-000335 - Audit log files must be mode 440 or less permissive.
  • AOSX-11-000336 - Audit log folders must have mode 700 or less permissive.
  • AOSX-11-000337 - Log files must not contain ACLs.
  • AOSX-11-000338 - Log folders must not contain ACLs.
  • AOSX-11-000430 - The Security assessment policy subsystem must be enabled.
  • AOSX-11-000435 - The operating system must limit privileges to change software resident within software libraries.
  • AOSX-11-000455 - A configuration profile must be installed.
  • AOSX-11-000460 - The system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • AOSX-11-000475 - The application FaceTime must be disabled.
  • AOSX-11-000480 - The application Game Center must be disabled.
  • AOSX-11-000490 - The application Messages must be disabled.
  • AOSX-11-000505 - The application Calendar must be disabled.
  • AOSX-11-000507 - The application Reminders must be disabled.
  • AOSX-11-000510 - The application Contacts must be disabled.
  • AOSX-11-000515 - The application Mail must be disabled.
  • AOSX-11-000517 - The application Notes must be disabled.
  • AOSX-11-000520 - The system preference panels iCloud and Internet Accounts must be disabled. - DisabledPreferencePanes
  • AOSX-11-000520 - The system preference panels iCloud and Internet Accounts must be disabled. - Internet Accounts
  • AOSX-11-000520 - The system preference panels iCloud and Internet Accounts must be disabled. - iCloud
  • AOSX-11-000530 - Sending diagnostic and usage data to Apple must be disabled.
  • AOSX-11-000531 - Find My Mac must be disabled.
  • AOSX-11-000532 - Find My Mac messenger must be disabled.
  • AOSX-11-000535 - Location Services must be disabled.
  • AOSX-11-000545 - Bonjour multicast advertising must be disabled on the system.
  • AOSX-11-000550 - The UUCP service must be disabled.
  • AOSX-11-000565 - System must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
  • AOSX-11-000570 - The system must implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
  • AOSX-11-000585 - Operating systems must enforce password complexity by requiring that at least one numeric character be used.
  • AOSX-11-000587 - The operating system must enforce password complexity by requiring that at least one special character be used.
  • AOSX-11-000590 - The operating system must enforce a minimum 15-character password length.
  • AOSX-11-000605 - The system must implement cryptographic mechanisms to protect the integrity and confidentiality of data during transmission of remote access sessions.
  • AOSX-11-000606 - The OS X system must not use unencrypted FTP.
  • AOSX-11-000710 - The system must allow only applications downloaded from the App Store to run. - AllowIdentifiedDevelopers
  • AOSX-11-000710 - The system must allow only applications downloaded from the App Store to run. - EnableAssessment
  • AOSX-11-000711 - End users must not be able to override Gatekeeper settings.
  • AOSX-11-000720 - The SSH daemon ClientAliveInterval option must be set correctly.
  • AOSX-11-000721 - The SSH daemon ClientAliveCountMax option must be set correctly.
  • AOSX-11-000722 - The SSH daemon LoginGraceTime must be set correctly.
  • AOSX-11-000750 - The system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
  • AOSX-11-000780 - The system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
  • AOSX-11-000835 - The system must employ automated mechanisms to determine the state of system components with regard to flaw remediation.
  • AOSX-11-000850 - The operating system must restrict the ability of individuals to use USB storage devices. - alert
  • AOSX-11-000850 - The operating system must restrict the ability of individuals to use USB storage devices. - eject
  • AOSX-11-000862 - The usbmuxd daemon must be disabled.
  • AOSX-11-000925 - The operating system must not allow an unattended or automatic logon to the system.
  • AOSX-11-000930 - The login window must be configured to prompt for username and password, rather than show a list of users.
  • AOSX-11-000950 - The OS X firewall must have logging enabled.
  • AOSX-11-000955 - Bluetooth devices must not be allowed to wake the computer.
  • AOSX-11-000965 - Bluetooth Sharing must be disabled.
  • AOSX-11-000975 - Remote Apple Events must be disabled.
  • AOSX-11-000995 - The sudoers file must be configured to authenticate users on a per-tty basis.
  • AOSX-11-001080 - The application firewall must be enabled.
  • AOSX-11-001110 - All public directories must be owned by root or an application account.
  • AOSX-11-001115 - The finger service must be disabled.
  • AOSX-11-001120 - The sticky bit must be set on all public directories.
  • AOSX-11-001125 - The prompt for Apple ID and iCloud must be disabled.
  • AOSX-11-001130 - Users must not have Apple IDs signed into iCloud.
  • AOSX-11-001140 - iTunes Music Sharing must be disabled.
  • AOSX-11-001145 - All setuid executables on the system must be vendor-supplied.
  • AOSX-11-001195 - The system must not accept source-routed IPv4 packets.
  • AOSX-11-001200 - The system must ignore IPv4 ICMP redirect messages.
  • AOSX-11-001205 - IP forwarding for IPv4 must not be enabled.
  • AOSX-11-001206 - IP forwarding for IPv6 must not be enabled.
  • AOSX-11-001210 - The system must not send IPv4 ICMP redirects by default.
  • AOSX-11-001211 - The system must not send IPv6 ICMP redirects by default.
  • AOSX-11-001215 - The system must prevent local applications from generating source-routed packets.
  • AOSX-11-001220 - The system must not process Internet Control Message Protocol [ICMP] timestamp requests.
  • AOSX-11-001235 - Unused network devices must be disabled.
  • AOSX-11-001270 - Internet Sharing must be disabled.
  • AOSX-11-001275 - Web Sharing must be disabled.
  • AOSX-11-001324 - The system must enforce an account lockout of 15 minutes when three consecutive invalid logon attempts by a user are made.
  • AOSX-11-001325 - The system must enforce account lockout after three consecutive invalid logon attempts by a user within a 15-minute time period.
  • AOSX-11-001326 - The system must lock the account until the locked account is released by an administrator - maxFailedAttempts
  • AOSX-11-001326 - The system must lock the account until the locked account is released by an administrator - minutesUntilFailedLoginReset
  • AOSX-11-001355 - The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
  • AOSX-11-001465 - The system must employ automated mechanisms to detect the presence of unauthorized software.
  • AOSX-11-002050 - AirDrop must be disabled.
  • AOSX-11-002055 - All users must use PKI authentication for login and privileged access.
  • AOSX-11-002060 - The system must be integrated into a directory services infrastructure.
  • AOSX-11-002085 - Operating systems must enforce a 60-day maximum password lifetime restriction.
  • AOSX-11-002090 - The operating system must prohibit password reuse for a minimum of five generations.
  • AOSX-11-002100 - The operating system must generate audit records when successful/unsuccessful attempts to access/modify privileges occur.
  • AOSX-11-002105 - System log files must be owned by root and group-owned by wheel or admin. - asl
  • AOSX-11-002105 - System log files must be owned by root and group-owned by wheel or admin. - newsyslog.conf
  • AOSX-11-002106 - System log files must be mode 640 or less permissive. - asl
  • AOSX-11-002106 - System log files must be mode 640 or less permissive. - newsyslog.conf
  • AOSX-11-002107 - ACLs for system log files must be set correctly.
  • AOSX-11-002107 - ACLs for system log files must be set correctly. - newsyslog.conf
  • AOSX-11-002110 - The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
  • AOSX-11-002130 - The system must provide an immediate real-time alert of all audit failure events requiring real-time alerts.
Informational Update
  • AOSX-11-000155 - The system firewall must be configured with a default-deny policy.
Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • References updated.
Added
  • DISA_STIG_MacOSX_10.11_v1r6.audit
Removed
  • DISA STIG Apple Mac OSX 10.11 v1r6