2.17.1 Audit Internet Accounts for Authorized Use

Information

Apple provides a section in System Settings to create and display Internet Accounts. Setting up an Internet Account allows the user to configure access to pre-existing accounts that are internet accessible. The Internet Accounts section does not manage network access or firewall rules; it only provides a location to manage credentials and audit external accounts for applications that make use of Internet Accounts. Some applications, like Thunderbird and Firefox, do not natively use Internet Accounts and store credentials with the application settings. Disabling the Internet Accounts section does not block access to a service that is network reachable; it only makes auditing and use more difficult. Depending on the maturity of network controls, auditing the providers listed in Internet Accounts is part of managing acceptable use.

Internet-provided services may be restricted in your organization and should be reviewed. Even with an advanced application firewall, the user may not always be using an internal trusted network subject to the organizational firewall. An audit will document which services a user has configured.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:

Perform the following steps to set accounts in Internet Accounts to your organization's requirements:

- Open System Settings
- Select Internet Accounts
- For each account, select the account
- Verify that each sync option is set to your organization's requirements
- (Optional) Select Delete Account... to remove the account
- (Optional) Select Add Account... to add an account to the system

Impact:

Risky services that are not authorized may be identified, and a process will be required to work with the user so that they no longer connect to those services from a managed Mac.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2

Plugin: Unix

Control ID: ffef26f8cba6d13fcda393ecf06bfa2448a5b7dc2ee9439adfdc6d17fa8db9c4