Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
/bin. Assume the user was in the /tmp directory (the current directory) when attempting to
execute the ls command. Assume a malicious user created an executable program in /tmp named
ls. Assume the ls program in /tmp executes a command to delete all of the user's files. If the
user typed ls and the kernel did not find it in /bin, it would search the current directory, execute
the malicious ls, and destroy all of the user's files. For this reason, it is preferable to never have
a "." in the PATH variable. Since it would be more disastrous if the above scenario happened to
root, root will never have a "." in the PATH variable. Use an editor such as vi to change the
PATH variable to remove the ".". The PATH variable above would become the following after
editing:
PATH=/bin:/usr/bin:/oracle/bin:/usr/local/bin
Ensure that system and user startup files are not executable by others and do not have the suid or
sgid bits set that could allow a malicious user to gain expanded privileges. Help protect against
implementing Trojan horses by ensuring that system and user startup files do not execute world
writable programs or scripts. Root's startup files are startup files in root's home directory that
serve the same purpose for root as other user startup files do for users. Finally, startup files will
not execute the mesg y command that would make their terminal devices world writable and
open for possible exploitation.
(OSX1026GEN0056: CAT II) The SA will ensure that user startup files are owned by the
user or root.
(OSX1026GEN0056: CAT II) The SA will ensure that user startup files have permissions of
740, or more restrictive.
(OSX1026GEN0056: CAT II) The SA will ensure that user startup files do not have a "." or
a "::" in the PATH variable definition except as the last entry.
(OSX1026GEN0056: CAT II) The SA will ensure that user startup files do not have the suid
bit set.
(OSX1026GEN0056: CAT II) The SA will ensure that user startup files do not have the sgid
bit set.
(N/A: CAT II) The SA will ensure that user startup files do not execute world writable
programs.
(OSX1026GEN0057: CAT II) The SA will ensure that user startup files do not contain the
command mesg y.
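The user startup file checks above can be scripted. The following POSIX sh functions are an added example, not part of the STIG: the function names and finding labels are assumptions, only sh-style PATH= assignments are parsed, and the world writable program check is not covered.

```shell
#!/bin/sh
# Added example: audits one sh-style startup file against the checks listed above.
# Usage: audit_startup_file FILE OWNER   (OWNER = login name or numeric uid)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.

startup_findings() {
    f=$1 owner=$2

    # Owned by the user or root (find -user is POSIX; uid 0 is root).
    [ -n "$(find "$f" \( -user "$owner" -o -user 0 \))" ] ||
        echo "owner: not owned by $owner or root"

    # 740 or more restrictive: none of these bits may be set
    # (group write/execute, any access for others).
    for bit in 0020 0010 0004 0002 0001; do
        [ -z "$(find "$f" -perm -"$bit")" ] ||
            { echo "mode: more permissive than 740"; break; }
    done

    [ ! -u "$f" ] || echo "suid: set-user-ID bit is set"
    [ ! -g "$f" ] || echo "sgid: set-group-ID bit is set"

    # "." or an empty entry ("::") anywhere but last in PATH. A leading ":"
    # is also an empty entry (current directory), so it is flagged as well.
    grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f" |
    sed -e 's/^[^=]*=//' -e "s/[\"']//g" |
    while IFS= read -r val; do
        case $val in
            .:*|*:.:*|:*|*::?*) echo "path: current directory in PATH=$val" ;;
        esac
    done

    # mesg y at the start of a line makes the terminal device world writable.
    grep -Eq '^[[:space:]]*mesg[[:space:]]+y' "$f" && echo "mesg: runs mesg y"
    return 0
}

audit_startup_file() {
    out=$(startup_findings "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```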
3.4.1.2.2 System Startup Files
System startup files are scripts executed by the system and/or kernel when the system is booted.
They are also executed (with a different argument such as stop) when the system is shut down in
an orderly manner. They may also be executed by root at any time. The numbers associated
with the rc directory name relate to the run state at which the system executes the startup files.
Files in rc2.d, for instance, would only be executed when the system is going into run state 2.
UNCLASSIFIED