Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
2. INTEGRITY
Sites achieve Mac OS X system integrity by managing the overall processing environment.
Proper security and system management protects system hardware, software, applications, and
data from unauthorized access and improper modification and leads to the secure operation of
Mac OS X systems. Total system integrity is most vulnerable to malicious intrusion before
systems have been completely configured for secure operation. Newly built or configured
systems that are not STIG compliant could have their data integrity compromised as soon as
they are connected to a production network.
All Mac OS X systems will conform to the security directives in this STIG before they are
connected to a production network.
2.1 Hardware Integrity
Hardware resources include Central Processing Units (CPUs), Direct Access Storage Devices
(DASDs), terminals, X terminals, workstations, and printers. A security vulnerability may be
created in the operating environment when any hardware component is incorrectly installed,
operated, or maintained.
Controlling access to hardware resources is essential. Access control reduces the risk of theft,
damage, and unauthorized access. Specific installation guidelines apply to classified equipment.
The operating environment must be capable of protecting the integrity of the hardware through
physical means. The following sections define the hardware integrity requirements.
2.1.1 System Equipment
The Mac OS X operating system resides on, stores information on, and is accessed by a number
of different devices. The devices associated with the Mac OS X operating system must be
protected. A person familiar with Mac OS X, who has physical access to a CPU, can boot the
system in the single user mode with the default root shell. In the single user mode, the standard
Mac OS X Identification and Authentication (I&A) process can be bypassed. (On all systems
that support single user passwords, configure that feature.)
To provide minimal physical protection for other systems and certain peripherals, locate them in
a controlled access area that requires positive identification (i.e., a swipe card) for entry. The
IAO will document and justify all deviations from this requirement. All systems will be
furnished with a maintenance log. Enter all single user and maintenance actions in the
maintenance log to provide a history of actions that may be needed for possible recovery
operations.
(OSX1026PYS0001: CAT II) The IAO will ensure that all Mac OS X system equipment (e.g.,
CPUs, storage devices, consoles) is physically located within a controlled access area.
(OSX1026PYS0002: CAT II) The IAO will document the location, access method, authorized
user(s), and reason for placement of any Mac OS X system equipment (e.g., workstations,
terminals) that is not physically located within a controlled access area.
UNCLASSIFIED