Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
service.  If there are unneeded open services, remove them and comment them out in 
the /etc/inetd.conf file.   
3.1.3  Account Access 
Many computer compromises occur as the result of account name and password guessing.  
This is generally done by someone running an automated script that repeats logon attempts 
until the correct account and password pair is guessed.  Logon and logout logs (for users as 
well as root), session locking, and session disconnect are effective methods of controlling 
potential malicious account access.  Some systems do not support account lockout.  Some 
systems disconnect a session after three consecutive failed logon attempts; others allow five 
attempts before initiating a session disconnect.  If a system allows five consecutive failed 
logon attempts before disconnect, increase the delay between logon attempts to four seconds, 
where possible, to provide a larger margin of safety.   
    
(OSX1026GEN0012:  CAT II) The SA will ensure that all logon attempts (both successful 
and unsuccessful) will be logged to a system log file (e.g., /var/log/logins.log).  
  
    
(OSX1026NET0001:  CAT II) The SA will ensure that the systems that support actions based 
on three failed logon attempts will be configured for a delay of at least two seconds between 
logon attempts.   
NOTE:  This is supported on Mac OS X server and with any Mac using authentication from a 
Windows Domain.  
    
(OSX1026NET0002:  CAT II) The SA will ensure, after the supported number of consecutive 
failed logon attempts for an account, the account is locked until the IAO unlocks it or the 
system unlocks it after a minimum 30 minute delay.  
NOTE:  This is supported on Mac OS X server and with any Mac using authentication from a 
Windows Domain. 
    
(OSX1026NET0003:  CAT II) The IAO will review the circumstances causing locked 
accounts to ensure there are no security concerns. 
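An added audit script (example code, not part of the STIG) that applies the thresholds above to a logon log: it flags accounts that reached three consecutive failed attempts, which OSX1026NET0002 requires to stay locked, and counts attempts that arrive less than two seconds after the previous one on the same account, which the OSX1026NET0001 delay should rule out. The log line layout, the host name, the year and the sample entries are constructed assumptions, not the format any Mac OS X release actually writes.

```python
"""Audit a logon log for guessing activity and lockout conditions.

Constructed example: the line layout matched below is assumed, not
the real format of /var/log/logins.log or the Mac OS X system log.
"""
import re
from datetime import datetime

# Assumed layout: "<Mon> <day> <HH:MM:SS> <host> login: <FAILED|SUCCESS> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+)$"
)

def parse_line(line, year=2004):
    """Return (timestamp, user, succeeded) or None for an unmatched line.
    syslog-style lines carry no year, so one is assumed (2004 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("result") == "SUCCESS"

def audit(lines, max_failures=3, min_delay=2.0):
    """Return {user: {"lock": bool, "fast": int}}.
    lock: max_failures consecutive failures were seen, so the account must
          stay locked (30 min minimum or IAO unlock) per OSX1026NET0002.
    fast: attempts arriving sooner than min_delay seconds after the previous
          attempt on that account; a rate the OSX1026NET0001 delay forbids."""
    streak, last_ts, report = {}, {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than miscount
        ts, user, ok = parsed
        entry = report.setdefault(user, {"lock": False, "fast": 0})
        if user in last_ts and (ts - last_ts[user]).total_seconds() < min_delay:
            entry["fast"] += 1
        last_ts[user] = ts
        streak[user] = 0 if ok else streak.get(user, 0) + 1
        if streak[user] >= max_failures:
            entry["lock"] = True  # a later success does not clear the finding
    return report

SAMPLE_LOG = [  # constructed sample lines, not real log output
    "Jun 15 09:00:00 mac1 login: FAILED user=alice",
    "Jun 15 09:00:01 mac1 login: FAILED user=alice",
    "Jun 15 09:00:01 mac1 login: FAILED user=alice",
    "Jun 15 09:00:05 mac1 login: SUCCESS user=alice",
    "Jun 15 09:10:00 mac1 login: FAILED user=bob",
    "Jun 15 09:10:30 mac1 login: SUCCESS user=bob",
]
```

Running `audit(SAMPLE_LOG)` reports alice as reaching the lockout threshold with two sub-two-second attempts, and bob with neither finding.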
3.1.4  Inactivity Timeout 
Whenever a user is logged on to a Mac OS X system, the system is susceptible to alteration or 
damage.  A user may become busy or distracted and inadvertently leave a logon session 
unattended, or a user process may be left orphaned by some unforeseen circumstance.  Such idle 
sessions leave the Mac OS X system vulnerable to exploitation by unauthorized users.  Screen 
lock programs can be configured to activate when a terminal has been idle for a specified period.  
If a screen lock is available, the user should also be able to invoke it manually before leaving 
the terminal unattended.  The IAO and individual users should work together to determine and 
implement the correct inactivity timeout for their needs. 
13
UNCLASSIFIED 