Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
Audio and video devices that are globally accessible have proven to be another security hazard.  
There is software that can activate system microphones and video devices connected to user 
workstations.  Once the microphone has been activated, it is possible to eavesdrop on otherwise 
private conversations without the victim being aware of it.  This action effectively changes the 
user's microphone to a bugging device.  Vendor procedures normally install /dev/audio (or the 
equivalent) with the device file permissions set to 666 (globally writable and therefore 
vulnerable).  The SA and IAO will ensure that the access permissions for the audio device are 
644, or more restrictive.  The audio device will be owned by root with a group owner of root, 
bin, or sys. 
    
(OSX1026GEN0167:  CAT II) The SA will ensure that the console device (i.e., /dev/console) 
is not world readable or world writable. 
    
(OSX1026GEN0167:  CAT II) The SA will ensure that ttyXX, ptyXX (where XX represents the 
device number, such as in tty01), and other pseudo terminal devices are not world readable 
or world writable when a user is using the device. 
    
(OSX1026GEN0054:  CAT II) The SA will ensure that all device files are located in the 
directory trees as installed and designated by the vendor. 
    
(N/A:  CAT II) The SA will identify the source/owner/creator of any out of place device file 
and report it to the IAO. 
    
(OSX1026GEN0077:  CAT II) The SA will ensure that the device file directories are not 
writable except by the owner or as configured by the vendor. 
    
(N/A:  CAT II) The SA will ensure backup devices (tape and floppy disk device) of the Mac 
OS X server and files are readable and writable by root unless justified and documented with 
the IAO.   
    
(OSX1026GEN0080:  CAT II) The SA will ensure the audio devices access permissions are 
644, or more restrictive. 
    
(OSX1026GEN081:  CAT II) The SA will ensure the audio devices are owned by root with a 
group owner of root or sys. 
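The following audit script is an added example and is not part of the STIG or of any vendor tooling; it turns the audio-device paragraph above and the device-file requirements in this list into a check the SA can run and hand to the IAO. It assumes a POSIX sh with stat(1) in either its BSD (Mac OS X) or GNU form, that root's group on Mac OS X is wheel, and that /dev/audio, the STIG's example path, may be absent on a given release; the report format is the example's own.

```sh
#!/bin/sh
# Added example, not code from the STIG: audit device-node permissions and
# ownership against the requirements above. Assumptions: the stat invocation
# (BSD "stat -f" on Mac OS X, "stat -c" on GNU/Linux), "wheel" as root's
# group on Mac OS X, and the report format; /dev/audio is the STIG's example
# path and may not exist on a given release.

# Portable stat: BSD/Mac OS X stat takes -f FORMAT, GNU stat takes -c FORMAT.
# Arguments: path, BSD format, GNU format.
stat_fmt() {
    if stat -f '%Lp' / >/dev/null 2>&1; then
        stat -f "$2" "$1"
    else
        stat -c "$3" "$1"
    fi
}
mode_of()  { stat_fmt "$1" '%Lp' '%a'; }   # octal permission bits
owner_of() { stat_fmt "$1" '%Su' '%U'; }   # owner name
group_of() { stat_fmt "$1" '%Sg' '%G'; }   # group name

# Return 0 when every permission bit set in $1 is also set in $2 (octal
# strings, e.g. 600 within 644 -> 0, 666 within 644 -> 1). Only the low
# three digits are compared, so 4755 is read as 755.
mode_within() {
    a=$1; b=$2
    a=${a#"${a%???}"}; b=${b#"${b%???}"}
    ua=${a%??}; oa=${a#??}; ga=${a#?}; ga=${ga%?}
    ub=${b%??}; ob=${b#??}; gb=${b#?}; gb=${gb%?}
    [ $(( (ua & ~ub) | (ga & ~gb) | (oa & ~ob) )) -eq 0 ]
}

# Return 0 when word $1 appears in the space-separated list $2; '*' allows any.
in_list() {
    [ "$2" = '*' ] && return 0
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Audit one node: mode within $2, owner in list $3, group in list $4.
# Prints one line per finding; returns 0 only when the node is compliant.
audit_device() {
    path=$1; maxmode=$2; ok_owners=$3; ok_groups=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path (not present on this host)"
        return 1
    fi
    rc=0
    mode=$(mode_of "$path"); owner=$(owner_of "$path"); group=$(group_of "$path")
    mode_within "$mode" "$maxmode" || { echo "FINDING  $path mode $mode exceeds $maxmode"; rc=1; }
    in_list "$owner" "$ok_owners"  || { echo "FINDING  $path owner $owner not in [$ok_owners]"; rc=1; }
    in_list "$group" "$ok_groups"  || { echo "FINDING  $path group $group not in [$ok_groups]"; rc=1; }
    [ $rc -eq 0 ] && echo "OK       $path $mode $owner:$group"
    return $rc
}

# List block and character device nodes under $1 that sit outside /dev; each
# hit is an out-of-place device file whose origin the SA reports to the IAO.
find_stray_devices() {
    find "${1:-/}" -xdev \( -type b -o -type c \) ! -path '/dev/*' 2>/dev/null
}

# Walk the requirements above; returns 1 if any finding was raised.
main() {
    failed=0
    # Console: no world access (770 also drops world execute, which has no
    # meaning on a device node). The console is owned by the logged-in user,
    # so any owner is accepted.
    audit_device /dev/console 770 '*' '*' || failed=1
    # Terminals currently in use: column 2 of who(1) names the line.
    for line in $(who 2>/dev/null | awk '{print $2}'); do
        audit_device "/dev/$line" 770 '*' '*' || failed=1
    done
    # Device directory: writable only by its owner.
    audit_device /dev 755 root 'root wheel sys' || failed=1
    # Audio device: 644 or tighter, root-owned, group root, bin or sys.
    audit_device /dev/audio 644 root 'root bin sys' || failed=1
    strays=$(find_stray_devices /)
    [ -z "$strays" ] || { echo "FINDING  device nodes outside /dev:"; echo "$strays"; failed=1; }
    return $failed
}

# Run the full audit only when invoked as "sh devaudit.sh --run"; the
# functions stay sourceable for testing.
if [ "${1-}" = "--run" ]; then main; fi
```

Because mode_within compares bit by bit rather than numerically, a device set to 600 or 640 passes the 644 requirement while 664 or 666 fails, which matches the "or more restrictive" wording of the requirement; the full-filesystem walk in find_stray_devices stays on one filesystem (-xdev) so network mounts are not scanned.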
3.5  Special Purpose Access Modes 
Special operating characteristics may be assigned to a file or directory by the chmod command.  
These special characteristics are as follows: 
set user id (suid) 
set group id (sgid) 
set sticky bit 
    
(OSX1026GEN0082:  CAT II) The IAO will ensure all locally developed programs 
(especially those with the suid or sgid bit set) are justified and documented and have been 
approved by the local CCB. 
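As an added example that is not the STIG's own code, the script below inventories the suid and sgid programs on a system and compares them with the CCB-approved list that the requirement above calls for, so that the IAO has a current, diffable record to justify. The baseline file (one absolute path per line, at a location chosen by the site), the output format and the remediation helper are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the STIG: inventory the programs carrying a
# special mode bit and compare them with the list approved by the local CCB.
# The baseline format (one absolute path per line) and its location are
# assumptions made for this example.

# The three special modes as chmod(1) symbolic operands, for reference:
#   chmod u+s file   set user id  (program runs with the owner's uid)
#   chmod g+s file   set group id (program runs with the group's gid)
#   chmod +t dir     sticky bit   (only an entry's owner may delete it)

# Print which special bits are set on $1, as a subset of "suid sgid sticky".
special_bits() {
    f=$1; bits=
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ] && bits="$bits suid"
    [ -n "$(find "$f" -prune -perm -2000 2>/dev/null)" ] && bits="$bits sgid"
    [ -n "$(find "$f" -prune -perm -1000 2>/dev/null)" ] && bits="$bits sticky"
    echo "${bits# }"
}

# List regular files under $1 with the suid or sgid bit set, sorted so the
# result can be compared line by line with a baseline.
list_setid_programs() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Compare the live setid inventory under $1 with the approved baseline $2.
# Prints UNAPPROVED for programs not in the baseline and MISSING for approved
# entries no longer present; returns 0 only when the two sets match.
compare_with_baseline() {
    live=$(mktemp)
    list_setid_programs "$1" > "$live"
    sort "$2" > "$live.base"
    unapproved=$(comm -23 "$live" "$live.base")
    missing=$(comm -13 "$live" "$live.base")
    rm -f "$live" "$live.base"
    [ -z "$unapproved" ] || printf '%s\n' "$unapproved" | while IFS= read -r p; do
        echo "UNAPPROVED $p ($(special_bits "$p"))"
    done
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/MISSING    /'
    [ -z "$unapproved" ] && [ -z "$missing" ]
}

# Remediation once the IAO has ruled a program out: drop both setid bits.
clear_setid() {
    chmod u-s,g-s "$1"
}

# Usage: sh setid-audit.sh /path/to/approved-setid.txt
if [ -n "${1-}" ]; then compare_with_baseline / "$1"; fi
```

A program that appears as UNAPPROVED is either new local development that still needs CCB review or an unexpected change to a vendor binary; a MISSING entry means the baseline itself is stale and should be re-approved, not silently trimmed.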
27
UNCLASSIFIED 




  
