Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
3. DISCRETIONARY ACCESS CONTROL
This section discusses discretionary access control (DAC) and the Identification and
Authentication (I&A) criteria necessary to ensure that access to system resources is effectively
managed and controlled on the Mac OS X system. In this sense, it is also discussing
confidentiality, which consists of assurance that information is not disclosed to unauthorized
persons, processes, or devices. This entails the concept of least privilege: users, and the
processes acting on their behalf, have only the authority to access those resources necessary to
perform their functions. Least privilege supports confidentiality, integrity, and availability
alike. DAC places a large part of the responsibility for data confidentiality, integrity, and
availability directly in the data owner's hands by delegating to the owner the ability to
determine who can access the data and how they may access it (read, write/delete). This STIG
provides secure methods of accomplishing DAC, and other operations, while still
protecting the data owner, the data user, and the platform's operating system.
3.1 User Account Controls
DOD directives require unique identification for each system user. Authorized users should be
granted access only to the resources needed to accomplish the mission. A user is either an
individual or an executing process/task that accesses a computer resource. The account name and
the corresponding user identification number (uid) together identify the user. Typically, uids are
assigned according to the following scheme:
Privileged: uids generally range from 0 to 20.
Application: uids generally range from 100 to 999.
Interactive/normal: uids generally range above 1000.
Some systems reserve uids and gids (group identification numbers) from 0 to 30.
Security requires individual user accountability. This precludes the use of shared accounts
(accounts where multiple users are allowed to log on directly to the same account). Applications
may require that a specific account be used for certain administration tasks. The user will still be
required to log on with that user's own account name and then su to the application account. That
action retains individual accountability, because the audit trail records which user switched to
the application account. If there is an absolute requirement for logging directly into an account,
the IAO will obtain justification and documentation from the vendor that states the necessity.
(OSX1026GEN0006: CAT IV) The IAO will ensure that shared accounts within the Mac OS
X server are not being used.
NOTE: If shared accounts are needed for an application, the IAO will document the shared
account and the application need.
(OSX1026GEN0007: CAT II) The IAO will ensure that logon to a shared account within the
Mac OS X server is accomplished by invoking the su (switch user) command from an
individual user's Terminal session.
UNCLASSIFIED