Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
(OSX1026GEN0092: CAT II) The SA and IAO will ensure accounts are set up so that
inactive accounts (accounts with no activity for 35 consecutive days) and accounts that are
never used for logging into the system (such as system accounts) have /bin/false,
/usr/bin/false, or /dev/null as the default shell in the /etc/passwd file, or are disabled in the
shadow or adjunct file, or equivalent.
(OSX1026GEN0192: CAT II) The SA will ensure each account in the /etc/passwd file
invokes an authorized shell listed in /etc/shells or uses /bin/false, /usr/bin/false, or
/dev/null.
(OSX1026GEN0064: CAT I) The SA will ensure that no shell has the suid or sgid bit set.
(OSX1026GEN0065: CAT II) The SA will ensure that all shells are owned by root or bin.
(OSX1026GEN0066: CAT II) The SA will ensure that shells have access permissions of 755,
or more restrictive.
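The four shell requirements above (OSX1026GEN0192, OSX1026GEN0064, OSX1026GEN0065 and OSX1026GEN0066) can be checked together with a short script. This is an added example, not part of the STIG; the function names, the ALLOWED_OWNERS variable, and the use of a passwd-format account file and a shells file with one path per line are assumptions.

```shell
#!/bin/sh
# Added example, not STIG text. ALLOWED_OWNERS is an assumed override hook.
ALLOWED_OWNERS="${ALLOWED_OWNERS:-root bin}"    # owners allowed by OSX1026GEN0065
NOLOGIN="/bin/false /usr/bin/false /dev/null"   # non-login values the STIG permits

# check_attrs MODE OWNER PATH: test an ls-style mode string and owner name.
check_attrs() {
    frc=0
    case $1 in ???[sS]*|??????[sS]*) echo "OSX1026GEN0064 suid/sgid set: $3 ($1)"; frc=1;; esac
    case " $ALLOWED_OWNERS " in *" $2 "*) ;; *) echo "OSX1026GEN0065 owner $2: $3"; frc=1;; esac
    case $1 in ?????w*|????????w*) echo "OSX1026GEN0066 looser than 755: $3 ($1)"; frc=1;; esac
    return $frc
}

# audit_shell_file PATH: read mode and owner with ls (-L follows symlinks).
audit_shell_file() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    f=$1; set -- $(ls -ldL "$f")                # $1 = mode string, $3 = owner
    check_attrs "$1" "$3" "$f"
}

# audit_listed_shells SHELLS_FILE: audit every shell the file lists.
audit_listed_shells() {
    lrc=0
    while read -r shpath; do
        case $shpath in ''|\#*) continue;; esac
        audit_shell_file "$shpath" || lrc=1
    done < "$1"
    return $lrc
}

# audit_accounts PASSWD_FILE SHELLS_FILE: OSX1026GEN0192 check per account.
audit_accounts() {
    arc=0
    while IFS=: read -r user _ _ _ _ _ shell; do
        case $user in ''|\#*) continue;; esac
        [ -n "$shell" ] || shell=/bin/sh        # an empty shell field means /bin/sh
        case " $NOLOGIN " in *" $shell "*) continue;; esac
        grep -qxF -- "$shell" "$2" || { echo "OSX1026GEN0192 $user: unlisted shell $shell"; arc=1; }
    done < "$1"
    return $arc
}

# Usage: sh audit_shells.sh /etc/passwd /etc/shells
if [ $# -eq 2 ]; then
    audit_accounts "$1" "$2"; s=$?
    audit_listed_shells "$2" || s=1
    exit $s
fi
```

Each finding is printed with the requirement it violates, and the exit status is non-zero when any finding exists.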
3.4.2 Device Files
A device file is a special Mac OS X file that is configured with major and minor device numbers.
Major and minor device numbers identify the device special file and its characteristics to the
Mac OS X kernel. They provide a linkage from the user to the Mac OS X device drivers that
control peripheral and memory operations. Device drivers reside in the kernel. Device files
reside in special directories. The device directory and device file access permissions, as well as
device driver major and minor number integrity, are critical to system security. The function of a
Mac OS X device file can be changed by changing the major and/or minor numbers associated
with it. If the device directory, device special file, or a device driver is compromised, then the
entire system could be compromised.
The console device file can be compromised to intercept root's commands or password.
Therefore, it will not be world readable or writable. Terminal devices for other users can also be
compromised and will not be world writable when a user is logged on to them. Device files located
outside the normal locations may indicate attempts to compromise the system. For this reason,
the system will be scanned weekly for extraneous device files. If extraneous device files are
located, the IAO will investigate to identify the source and take appropriate action. The IAO will
justify and document the device file or delete it. Backup devices present a more subtle security
hazard. If they are world writable, a backup could be destroyed accidentally or maliciously.
Files not usually accessible to users may be accessible from a world readable and writable
backup device. Therefore, backup devices (normally devices controlling tape drives and system
floppy disks) will not be world readable or writable unless justified and documented with the
IAO.
UNCLASSIFIED