Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
System startup files set parameters for the Kernel and start or stop applications and system 
utilities (such as daemons).  Their names and locations are dependent on the system architecture.  
There are some common system startup files, such as /etc/profile and /etc/.login, in which global 
parameters, such as PATH variables, may be set each time a user, or root, logs on.  There are 
also system default startup files that are placed in a new user's directory to get them started.  
They are normally located in /etc or /etc/skel and have names such as .profile.d, .login.d, and 
others.  In Mac OS X there are login hooks that will allow the system to run programs and 
execute tasks upon startup.  Since login and logout hooks require some functions of the root user, 
they can be configured/written to use another account instead of root, but this will limit some 
functionality.  This section will cover the basics of the startup files and to that end it will not 
cover login hooks.  However, if the use of login hooks should become widespread a section will 
be added to cover them in a future version of this document. 
Startup files normally refer to the files in, and subordinate to, /etc that begin with the letters "rc" 
or reside in a directory such as rc0.d, rc1.d, and so on.  The number relates to the run state at 
which they are invoked.  The startup files are linked between the directories.  One startup file 
may appear five times with different names.  System startup files may also be located in 
/etc/init.d and /sbin/init.d, as well as /sbin/rc*.d. 
System startup files will not execute programs that are world writable and will only execute 
programs owned by a privileged uid or an application owner.  Additionally, since executing the 
command mesg  y opens up the user terminal to writing by all users, the mesg  y command will 
not be executed by a startup file. 
    
(N/A:  CAT II) The SA will ensure that system startup files are owned by root. 
    
(OSX1026GEN0102:  CAT II) The SA will ensure that system startup files have a group 
owner of bin, sys, or the system default. 
    
(OSX1026GEN0058:  CAT II) The SA will ensure that access permissions for system startup 
files are 755, or more restrictive.   
NOTE: This requirement will not apply to symbolic links, which may be 777 (lrwxrwxrwx). 
    
(OSX1026GEN0058:  CAT II) The SA will ensure that system startup files do not contain ".", 
"::" (or a ":" as the last entry) in the PATH variable. 
    
(OSX1026GEN0058:  CAT II) The SA will ensure that system startup files do not have the 
suid bit set. 
    
(OSX1026GEN0058:  CAT II) The SA will ensure that system startup files do not have the 
sgid bit set. 
    
(OSX1026GEN0059:  CAT II) The SA will ensure that world writable programs are not 
executed by system startup files.   
NOTE: This includes executing programs via Login Hooks and via the system startup files in the 
System directory. 
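
The requirements above can be checked with a short audit script. The following is an added example, not part of the STIG or any DISA tooling; the function names and the EXPECTED_OWNER variable are assumptions for illustration. It omits the group-owner check and only parses sh-style PATH= assignments.

```shell
#!/bin/sh
# Added example (not STIG text). EXPECTED_OWNER is an assumed knob, default root.
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# has_perm FILE MODE: true if all bits in MODE are set (links are followed).
has_perm() { [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

check_owner() {
    [ -n "$(find "$1" -prune -user "$EXPECTED_OWNER" 2>/dev/null)" ] && return 0
    echo "FINDING: $1: not owned by $EXPECTED_OWNER"; return 1
}

# 755-or-stricter plus suid/sgid. Symbolic links are exempt, per the NOTE.
check_mode() {
    [ -L "$1" ] && return 0
    rc=0
    for spec in "4000:suid bit set" "2000:sgid bit set" \
                "0020:group writable" "0002:world writable"; do
        has_perm "$1" "${spec%%:*}" && { echo "FINDING: $1: ${spec#*:}"; rc=1; }
    done
    return $rc
}

# Flags ".", "::" or a trailing ":" in sh-style PATH= assignments only.
check_path() {
    out=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)\{0,1\}PATH=//p' "$1" |
        tr -d "\"'" | sed 's/[;#[:space:]].*//' |
        while IFS= read -r val; do
            case ":$val:" in *:.:*) echo "FINDING: $1: PATH has '.': $val" ;; esac
            case "$val" in *::*) echo "FINDING: $1: PATH has '::': $val" ;; esac
            case "$val" in *:) echo "FINDING: $1: PATH ends in ':': $val" ;; esac
        done)
    [ -z "$out" ] && return 0
    echo "$out"; return 1
}

# Heuristic: any absolute path named in the file that is world writable.
check_called() {
    rc=0
    for p in $(grep -o '/[A-Za-z0-9_./-]*' "$1" | sort -u); do
        [ -f "$p" ] && has_perm "$p" 0002 && { echo "FINDING: $1: references world-writable $p"; rc=1; }
    done
    return $rc
}

# Audit every file named on the command line; findings go to stdout.
for f in "$@"; do
    for chk in check_owner check_mode check_path check_called; do "$chk" "$f" || :; done
done
```

Run it as root with the startup files as arguments; a file with no output has no findings for these checks.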
UNCLASSIFIED 