Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
to things such as websites and network shares.   
    
(N/A:  CAT II) The SA will ensure that Mac OS X Keychains are NOT allowed within the 
DOD. 
3.3  Special Privilege Access 
Mac OS X systems provide special privileges that, when assigned to an account, allow the
owner of the account to modify the security environment, perform auditing tasks, and perform
functions that could circumvent security requirements.  Therefore, no account will be granted
privileged access unless authorized by the IAO.  A privileged account is an account with a uid of
20 or less, or a group with a gid of 19 or less, depending on the system defaults.  This can be
modified and checked through NetInfo Manager, found in the Utilities folder in the
Applications directory.
    
(OSX1026SEC0101:  CAT II)  The IAO will authorize all privileged accounts (i.e., accounts 
with a uid less than or equal to 20), but only upon receipt of written documentation signed by 
the user's supervisory personnel.  For DOD, the documentation will be a DD Form 2875 or 
an equivalent form. 
    
(OSX1026SEC0102:  CAT II) The IAM, or site security office, will maintain separate 
documentation to identify all privileged accounts and list the privileges the accounts possess.  
For DOD, all account information will be documented on a DD Form 2875 or an equivalent 
form.  This is both for Mac OS X server and for any special privilege accounts needed on a 
Mac OS X workstation. 
3.3.1  Root Account 
The root account is used to accomplish system administrative functions.  The system uses the 
account to run privileged programs.  Because root enjoys access to all files and programs, root 
has no security constraints. 
By default, the root home directory is /, which is readable by all Mac OS X users.  It is
desirable to have the root home directory in a directory other than / to afford root's startup and
work files the same protection as is afforded to all other users.
Sites usually designate one or more primary and alternate System Administrators who require
root access.  The sharing of the root account and password results in a breach of the DODI
8500.2 IAIA 1/2 security requirements for individual I&A and audit requirements.  Enforcing a
requirement that users log on with their individual accounts and use the su command can
minimize the individual breach.  Use of the su command and the /var/adm/authlog file results in
the ability to identify a user who uses a shared account (particularly the root account) and to
audit their actions.
The only user with a uid of 0 will be root.  If another uid of 0 is in the password file, it may be an 
indication of system compromise.   
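The uid checks described in Sections 3.3 and 3.3.1 can be scripted. The following is an added example, not part of the STIG: it assumes account data in passwd-style colon-separated form (name in field 1, uid in field 3), and the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): audit passwd-format account data.
# Assumption: input lines use the passwd/master.passwd layout, where
# field 1 is the account name and field 3 is the uid.

# Names of accounts other than "root" whose uid is numerically 0
# (catches "0", "00", "000", ...).
extra_uid0() {
    awk -F: '
        /^#/ || NF < 3        { next }   # skip comments and short lines
        $3 !~ /^-?[0-9]+$/    { next }   # skip non-numeric uid fields
        $3 + 0 == 0 && $1 != "root" { print $1 }
    '
}

# "name uid" for every account at or below the privileged threshold
# the STIG gives (uid <= 20); each needs IAO authorization on file.
privileged_accounts() {
    awk -F: -v max=20 '
        /^#/ || NF < 3        { next }
        $3 !~ /^-?[0-9]+$/    { next }
        $3 + 0 <= max         { print $1, $3 + 0 }
    '
}

# Constructed sample data, not taken from a real system.
sample_accounts() {
    cat <<'EOF'
# constructed sample
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
svcadmin:*:0:0::0:0:Service Admin:/Users/svcadmin:/bin/sh
helper:*:000:20::0:0:Helper:/Users/helper:/bin/sh
jdoe:*:501:20::0:0:J Doe:/Users/jdoe:/bin/bash
EOF
}

# Demo on the sample: report findings.
found=$(sample_accounts | extra_uid0)
if [ -n "$found" ]; then
    echo "FINDING: non-root accounts with uid 0:"
    echo "$found"
fi
echo "Accounts needing IAO authorization (uid <= 20):"
sample_accounts | privileged_accounts
```

On a NetInfo-based system the same functions can read the output of `nidump passwd .` on standard input; the resulting list of privileged accounts is what gets reconciled against the DD Form 2875 records.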
There may be several accounts that are root capable (i.e., they are alternate administrators who 
share the root password and are able to switch user to root).  These accounts will be bound by the 
UNCLASSIFIED 




  
