Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
system files will be owned by a privileged user such as root, sys, bin, lp, and others. Access
permissions for system files and directories are set up to allow access by privileged users and to
deny, or strictly limit, access by group owners and the world.
The italicized bullets below state the requirements for files, directories, and types of files and
directories. Daemons refer to the service daemons, network or otherwise, that run in the
background (or on demand from within inetd.conf) and service user requests. The telnet daemon
(telnetd or in.telnetd) is just one example. System log files refer to logs of system activities, such
as the /var/log/syslog file, the /var/messages file, and others. Skeleton dot files refer to the
default files that are copied into a newly added user's directory to be used as startup files (files
that condition the user's operating environment such as .profile and .cshrc). In general, system
executable files require permissions of 755, or more restrictive.
System library files (files used when compiling and running programs), manpage files (files that
contain instructions for executing commands), and shells (programs such as sh and csh that
determine the overall user operating environment) require access permissions that limit user
access privileges in order to preserve system integrity. One other file that requires special
protection from malicious intruders in order to protect the account security of every user
(including root, applications, and application data) is /etc/passwd. APPENDIX B. FILE AND
DIRECTORY PERMISSIONS TABLE, of this document offers the recommended file ownership
and permission settings for Mac OS X system and device files.
(OSX1026SVR0011: CAT II) The SA will check the permissions of all system directories and
files of Mac OS X servers weekly to ensure there are no uneven file permissions. The
exception will be in WWW server directory trees where some files will be allowed a
permission of 460.
(OSX1026SVR0012: CAT II) The SA will ensure that workstations do not host WWW
servers.
(OSX1026SVR0013: CAT III) The SA will ensure that any changes (additions, deletions, and
modifications) to the Mac OS X server system directory and file permissions baseline are
documented.
(OSX1026SVR0014: CAT II) The SA will perform a Mac OS X server system files baseline
backup before a Mac OS X system is connected to a network other than an isolated test
network.
(OSX1026SVR0015: CAT II) The SA will ensure a new system files baseline backup of the
Mac OS X server is generated after changes to system directories and files are applied.
(OSX1026SVR0016: CAT II) The SA will ensure files are checked on the Mac OS X server
for a valid owner and group on a weekly basis, and files without a valid owner or group will
be deleted or corrected.
(OSX1026GEN0150: CAT II) The SA will ensure that world writable files are only allowed in
public directories, such as /tmp, /var/tmp, etc.
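
The weekly checks required above (uneven permissions, files without a valid owner or group, and world-writable files outside public directories) can be scripted with find. The following is an added example, not part of the STIG or any DISA tooling. It assumes "uneven" means the group holds a permission bit the owner lacks, or the world holds a bit the group lacks, and it also treats /private/tmp and /private/var/tmp as public because /tmp and /var are symbolic links into /private on Mac OS X.

```shell
#!/bin/sh
# Added example, not DISA tooling. Read-only: it reports findings and changes nothing.
# Assumption: "uneven" = group holds a bit the owner lacks, or other holds a bit
# the group lacks (so 460 and 705 are reported; 755 and 640 are not).

# uneven_files ROOT: non-symlink entries under ROOT whose mode is uneven.
uneven_files() {
    r=${1%/}    # strip a trailing slash so ROOT=/ becomes the empty prefix
    find "${r:-/}" -xdev ! -type l \( \
        \( -perm -0040 ! -perm -0400 \) -o \( -perm -0020 ! -perm -0200 \) -o \
        \( -perm -0010 ! -perm -0100 \) -o \( -perm -0004 ! -perm -0040 \) -o \
        \( -perm -0002 ! -perm -0020 \) -o \( -perm -0001 ! -perm -0010 \) \
    \) -print
}

# world_writable ROOT: world-writable regular files outside the public
# directories. /private/tmp and /private/var/tmp are pruned as well because
# /tmp and /var are symlinks into /private on Mac OS X.
world_writable() {
    r=${1%/}
    find "${r:-/}" -xdev \( -path "$r/tmp" -o -path "$r/var/tmp" \
        -o -path "$r/private/tmp" -o -path "$r/private/var/tmp" \) -prune \
        -o -type f -perm -0002 -print
}

# unowned ROOT: entries whose uid or gid maps to no known user or group.
unowned() {
    r=${1%/}
    find "${r:-/}" -xdev \( -nouser -o -nogroup \) -print
}

# audit ROOT: run all three checks; save the output with the baseline records.
audit() {
    echo "== uneven permissions (460 under a WWW tree needs manual review)"
    uneven_files "$1"
    echo "== world-writable files outside public directories"
    world_writable "$1"
    echo "== no valid owner or group"
    unowned "$1"
}

# Scan only when a root directory is given, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Because -xdev keeps each scan on one file system, run the script once per mounted volume.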
UNCLASSIFIED