Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
    
(OSX1026SYS: CAT II) The SA will ensure the root account will have a default shell of 
/sbin/sh.   
3.3.2  Groups 
Groups are collections of users with common resource requirements.  Users are given access to 
resources through the rights granted to a group.  All users will belong to at least one group.  
Systems normally reserve gids lower than 20 for privileged system use.  Therefore, the SA will not 
assign users a gid less than 20 unless the user is a privileged user.  Every gid that appears in the 
password file will be defined in the group file, in order to maintain the integrity of the password 
file and group file.  Only privileged users and groups should have access to kernel capabilities.  
All users and groups can be maintained with NetInfo Manager, and there should be no need to edit 
the /etc/passwd and /etc/group files directly. 
    
(OSX1026ADM0010:  CAT II) The IAO will document group membership through DD Form 
2875 or an equivalent form, for all users. 
    
(OSX1026ADM0006:  CAT III) The SA will ensure that every account is assigned to at least 
one group. 
    
(OSX1026ADM0007:  CAT II) The SA will assign unprivileged users to a group with a gid 
greater than 19. 
    
(OSX1026ADM0008:  CAT IV) Every group referenced in the /etc/passwd file will be defined 
in the /etc/group file.  This can be done in the Terminal or with NetInfo Manager. 
3.4  Resource Controls 
Resource controls are the base capabilities supplied by the Darwin system to control access to 
system level resources.  These include file controls, device controls, printer spool controls, and 
sensitive utility controls. 
3.4.1  File and Directory Controls 
Mac OS X is a multi-user system.  This means that multiple users may be concurrently logged on 
to a machine, and those users can read and use files belonging to each other if they have been 
granted permission to do so.  The owner of a file, or root, can grant access to a file by 
changing its permission bits, its owner, or the group that is allowed to access it.  In general, 
however, no user will possess more permissive access to a file than the owner does.  A file 
whose group or world permissions exceed those of its owner is said to have uneven file 
permissions.  Before a system is connected to a production network and after required software 
has been loaded, a baseline of system and application files and directories will be recorded.  
The system will be checked weekly, in conjunction with the weekly system file baseline check, to 
ensure that there are no uneven file permissions.  When a need to change the basic system file 
and directory baseline occurs, the SA will document the required changes and will be 
responsible for generating a new system file baseline after the required changes are approved.  
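The uneven-permission check and the file baseline described above can both be done from the 
Terminal.  The script below is an added example, not part of the STIG and not an Apple tool.  It 
reads the symbolic mode string that `ls -ld` prints (the same first field on OS X and Linux) and 
treats a file as uneven when the group or other class holds a bit the owner lacks, including the 
case where a setuid/setgid 'S' in the owner position means the owner has no execute bit.  The 
`demo_scan` function builds a scratch directory with constructed files to exercise the check; 
the baseline format ("mode owner group path", sorted, so two snapshots can be compared with 
diff) is an assumption of this example, not a format the STIG prescribes. 

```shell
#!/bin/sh
# Added example, not from the STIG.  Detects uneven permissions and records a
# simple permission baseline.  Assumes POSIX sh, find, ls, cut, sort, mktemp.

# perm_set CHAR: succeeds when one character of a symbolic mode means the bit
# is set.  's' and 't' imply execute; 'S', 'T' and '-' mean execute is absent.
perm_set() {
  case "$1" in
    -|S|T) return 1 ;;
    *)     return 0 ;;
  esac
}

# mode_is_uneven MODE: succeeds when the 10-character symbolic mode
# (e.g. "-r--rw-r--") gives group or other a bit that the owner does not have.
mode_is_uneven() {
  i=1
  while [ "$i" -le 3 ]; do
    o=$(printf '%s' "$1" | cut -c$((i + 1)))   # owner triad: chars 2-4
    g=$(printf '%s' "$1" | cut -c$((i + 4)))   # group triad: chars 5-7
    w=$(printf '%s' "$1" | cut -c$((i + 7)))   # other triad: chars 8-10
    if ! perm_set "$o"; then
      if perm_set "$g" || perm_set "$w"; then
        return 0
      fi
    fi
    i=$((i + 1))
  done
  return 1
}

# list_uneven DIR: print "MODE PATH" for every entry under DIR whose
# permissions are uneven.  The mode is cut to 10 characters because OS X
# appends '@' or '+' when extended attributes or ACLs are present.
list_uneven() {
  find "$1" -print | while IFS= read -r path; do
    mode=$(ls -ld "$path" | cut -c1-10)
    if mode_is_uneven "$mode"; then
      printf '%s %s\n' "$mode" "$path"
    fi
  done
}

# snapshot DIR: one "MODE OWNER GROUP PATH" line per entry, sorted, so that a
# later run can be compared against the recorded baseline with diff(1).
snapshot() {
  dir=$1
  find "$dir" -print | while IFS= read -r path; do
    set -- $(ls -ld "$path")          # fields: mode links owner group ...
    printf '%s %s %s %s\n' "$(printf '%s' "$1" | cut -c1-10)" "$3" "$4" "$path"
  done | sort
}

# demo_scan: build a scratch directory with one even and one uneven file
# (constructed data), scan it, and print the number of uneven entries found.
demo_scan() {
  d=$(mktemp -d) || return 1
  echo x > "$d/even";   chmod 0644 "$d/even"    # -rw-r--r--
  echo x > "$d/uneven"; chmod 0464 "$d/uneven"  # -r--rw-r--: group may write
  n=$(list_uneven "$d" | wc -l | tr -d ' ')
  rm -rf "$d"
  echo "$n"
}

demo_scan
```

For the production procedure, record the baseline once the system is built 
(`snapshot / > /var/root/file-baseline.txt`) and, each week, run `snapshot / | diff 
/var/root/file-baseline.txt -` alongside `list_uneven /`; a non-empty diff or any listed 
entry is what the SA documents before regenerating the baseline. 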
Every file and directory can be assigned three basic file permissions.  These file permissions are 
as follows: 
UNCLASSIFIED 