Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
same restrictions as the root account.  They will log on to their named accounts and 
invoke the su - command to reach root when necessary.  Once that command completes, their 
PATH will be the root PATH.  In any case, their personal PATH statement will be bound by 
the same restrictions as the root PATH statement.  This restriction protects against a 
root-capable account accidentally typing su instead of su -, and dragging a default 
environment with an incorrect PATH variable along with it. 
    
(OSX1026GEN0026:  CAT II) The IAO will ensure that users requiring root privileges log on 
to their personal accounts and invoke the su - command to switch user to root. 
    
(OSX1026GEN0021:  CAT II) The SA will ensure only root has a uid of 0. 
    
(OSX1026GEN0022:  CAT IV) The SA will ensure root is assigned a home directory other 
than / (such as /roothome) and that the directory has permanent permissions of 0700.   
NOTE:  Do not change the permissions of the / directory to anything other than 0755. 
    
(OSX1026GEN0022:  CAT IV) The SA will ensure that the root home directory has 
permanent permissions of 0700.  
    
(OSX1026GEN0024:  CAT II) The SA will ensure the root search PATH (and the search path 
of root capable accounts) does not contain "." or "::", and does not start or end with ":".   
NOTE:  All of these are equivalent to "." (the current directory). 
    
(OSX1026GEN0025:  CAT II) The SA will ensure root's PATH (and the search path of root 
capable accounts) does not contain directories or files that are world writable. 
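The checks above (only root has uid 0, root's home is not / and is mode 0700, root's PATH has no current-directory entry and no world-writable entry) can be scripted. The following is an added example written for this page, not part of the STIG or any DISA tool. Each check takes its input as an argument (a passwd-format file, a PATH string) so it can be pointed at a real system; the passwd lines, the /roothome path and the account names it demonstrates on are constructed, and the ls/cut column positions assume standard BSD/GNU ls -ld output.

```sh
#!/bin/sh
# Added example, not part of the STIG: checks for the root-account
# requirements (GEN0021, GEN0022, GEN0024, GEN0025).  Inputs are explicit
# arguments so the functions can be run against a real passwd file or
# PATH string; the demonstration at the bottom uses constructed data.

# GEN0021: only root may have uid 0.  $1 is a passwd-format file.
# Prints each non-root uid-0 account; returns 0 if there are none.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; bad = 1 }
             END { exit bad ? 1 : 0 }' "$1"
}

# GEN0022: root's home directory (read from the passwd file $1) must
# not be / and must be mode 0700.  Returns 0 if both hold.
root_home_ok() {
    home=$(awk -F: '$1 == "root" { print $6; exit }' "$1")
    [ -n "$home" ] && [ "$home" != "/" ] || return 1
    [ -d "$home" ] || return 1
    # columns 2-10 of "ls -ld" are the nine permission bits
    [ "$(ls -ld "$home" | cut -c2-10)" = "rwx------" ]
}

# GEN0024: a search path must not contain "." or "::" and must not
# start or end with ":"; every one of these makes the shell search the
# current directory.  Returns 0 if the PATH string in $1 is acceptable.
path_has_no_cwd() {
    case "$1" in
        ""|.|:*|*:|*::*|.:*|*:.|*:.:*) return 1 ;;
    esac
    return 0
}

# GEN0025: no entry on the search path may be world writable.  Prints
# offending entries; returns 0 if there are none.  Entries that do not
# exist are skipped (nothing can be planted there, but fix the PATH).
path_no_world_writable() {
    bad=0
    oldifs=$IFS
    IFS=:
    for entry in $1; do
        IFS=$oldifs
        [ -e "$entry" ] || continue
        # column 9 of "ls -ld" is the "other write" bit
        if [ "$(ls -ld "$entry" | cut -c9)" = w ]; then
            echo "$entry"
            bad=1
        fi
    done
    IFS=$oldifs
    return $bad
}

# Demonstration on constructed data (not taken from any real system).
tmp=$(mktemp -d) || exit 1
mkdir -m 700 "$tmp/roothome"
mkdir -m 777 "$tmp/scratch"
cat > "$tmp/passwd" <<EOF
root:*:0:0:System Administrator:$tmp/roothome:/bin/sh
toor:*:0:0:Second superuser (constructed):/var/root:/bin/sh
jsmith:*:501:20:J Smith (constructed):/Users/jsmith:/bin/bash
EOF

echo "uid 0 accounts other than root:"
extra_uid0_accounts "$tmp/passwd" || echo "  -> GEN0021 fails"
root_home_ok "$tmp/passwd" && echo "root home directory OK (GEN0022)"
path_has_no_cwd "/usr/bin:/bin:/usr/sbin:/sbin" && echo "clean PATH accepted"
path_has_no_cwd "/usr/bin:/bin:" || echo "trailing ':' rejected (GEN0024)"
path_has_no_cwd "/usr/bin::/bin" || echo "'::' rejected (GEN0024)"
echo "world-writable PATH entries:"
path_no_world_writable "/usr/bin:$tmp/scratch:/bin" || echo "  -> GEN0025 fails"
rm -rf "$tmp"
```

Run the PATH checks for each root-capable account as well as for root, since the requirements above apply to both; the functions return non-zero on a finding, so they can be chained into a nightly compliance job.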
    
(OSX1026GEN0026:  CAT II) The SA will ensure root can log on as root only from the 
system console, and then only when necessary to perform system maintenance.  This applies 
to both Mac OS X server and workstation. 
    
(OSX1026SVR0010:  CAT III) The IAO will ensure that when administrators log on to Mac OS X 
server as root from the system console, they record all non-auditable actions with an entry 
in the system log book, recording the date, the time, the action performed, the reason for it, 
and whether it succeeded.   
    
(OSX1026GEN0027:  CAT II) The SA will ensure successful and unsuccessful root logon and 
logout attempts are recorded in a system log file such as /var/adm/syslog, 
/var/adm/messages, /var/sulog, etc.   
    
(OSX1026GEN0027:  CAT II) The SA will ensure that all switch user (su) attempts are 
logged to the /var/adm/authlog log file. 
    
(OSX1026ADM0005:  CAT II) The IAM or Security Officer will authorize and document all 
root account access privileges.  The documentation will be kept with the IAO. 
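The logging requirements above (root logons, su attempts) are only useful if someone reviews the records against the console-only rule (GEN0026) and the IAM's list of authorized root users (ADM0005). The following is an added example written for this page, not part of the STIG or any DISA tool. The log lines it reads are constructed in BSD syslog style ("su: BAD SU user to root on tty", "login: ROOT LOGIN (root) ON tty"); the exact message format and file name written on a given OS X release are assumptions, so adjust the field positions to what your syslog actually produces. The account names and the authorized-user file are constructed as well.

```sh
#!/bin/sh
# Added example, not part of the STIG: review functions for the su and
# root-login records required above.  Log format is assumed to be BSD
# syslog style; field numbers below refer to that layout:
#   $1-$3 date/time, $4 host, $5 program, then the message words.

# Failed su-to-root attempts in the log file $1, as "count account",
# most failures first.  Returns 1 if any were found.
failed_su_to_root() {
    out=$(awk '$5 == "su:" && $6 == "BAD" && $7 == "SU" && $10 == "root" { n[$8]++ }
               END { for (u in n) print n[u], u }' "$1" | sort -rn)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Root logins whose terminal is not the system console (GEN0026).
# Prints each offending line; returns 1 if any were found.
root_logins_off_console() {
    awk '$5 == "login:" && $6 == "ROOT" && $7 == "LOGIN" && $NF != "console" { print; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Successful su to root by accounts not on the authorized list (ADM0005).
# $1 is the log file, $2 the list documented with the IAO (one account
# name per line).  Prints each offending line; returns 1 if any.
unauthorized_su_to_root() {
    awk 'FILENAME == ARGV[1] { ok[$1] = 1; next }
         $5 == "su:" && $7 == "to" && $8 == "root" && !($6 in ok) { print; bad = 1 }
         END { exit bad ? 1 : 0 }' "$2" "$1"
}

# Demonstration on a constructed log and authorized-user list.
d=$(mktemp -d) || exit 1
cat > "$d/authlog" <<'EOF'
Jun 15 09:12:03 mac01 su: jsmith to root on /dev/ttyp1
Jun 15 09:15:44 mac01 su: BAD SU mallory to root on /dev/ttyp2
Jun 15 09:16:01 mac01 su: BAD SU mallory to root on /dev/ttyp2
Jun 15 09:30:12 mac01 su: BAD SU eve to root on /dev/ttyp4
Jun 15 09:45:00 mac01 su: bob to root on /dev/ttyp5
Jun 15 10:02:11 mac01 login: ROOT LOGIN (root) ON console
Jun 15 10:40:05 mac01 login: ROOT LOGIN (root) ON ttyp3
EOF
printf 'jsmith\n' > "$d/root_authorized"

echo "failed su to root, by account:"
failed_su_to_root "$d/authlog" || echo "  -> investigate"
echo "root logins not from the console:"
root_logins_off_console "$d/authlog" || echo "  -> GEN0026 violated"
echo "su to root by accounts not authorized by the IAM:"
unauthorized_su_to_root "$d/authlog" "$d/root_authorized" || echo "  -> ADM0005 violated"
rm -rf "$d"
```

The authorized list is read by file name (FILENAME == ARGV[1]) rather than the usual NR == FNR idiom so that an empty authorization file still flags every su to root instead of silently accepting all of them.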
17
UNCLASSIFIED 