Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
    
(OSX1026GEN0083:  CAT II) The IAO will document any changes made to the location or 
permissions on any file having the suid or sgid bit set. 
    
(OSX1026GEN0084:  CAT II) The SA will ensure a suid files baseline backup is maintained 
for weekly comparison with the online suid files.   
    
(OSX1026GEN0085:  CAT II) The SA will ensure a sgid files baseline backup is maintained 
for weekly comparison with the online sgid files. 
    
(N/A: CAT II) The IAO will investigate any discrepancies when comparing suid and sgid files 
baseline backups with the appropriate online files. 
3.5.1  Set User ID (suid) 
Authorized, vendor supplied suid programs are crucial to the correct operation of the Mac OS X 
operating system, but unauthorized suid programs present a security hazard.  When the suid 
attribute is set on the access permissions of a program, a user executing the program has the 
same privileges as the owner of the program.  If the owner of the program is root, then the user, 
while executing that program, has all the powers of root, at least for the scope of the program 
being executed.  It is extremely important, therefore, that any program that has the suid bit set is 
of known origin and scope. 
Refer to the specific vendor's Mac OS X documentation for details concerning suid programs.  
Commercial and Government supplied applications may also contain programs with the suid bit 
set. 
If so, the vendor/proponent instructions must be followed.  Where possible, require 
vendor/proponent integrity statements that guarantee there are no back doors, such as shell 
escapes, built into the applications. 
The following command may be invoked to find all suid programs on a system and produce a 
listing of the owner and other pertinent information. 
find / -type f -perm -4000 -exec ls -ld {} \; 
If a mounted filesystem has any suid executable scripts or programs, a user who invokes the 
executable takes on the uid of the executable's owner.  The owner of such suid executables is 
typically a privileged user, usually root.  If a filesystem is exported, a remote user, who may be 
normal or privileged, may execute an suid file and alter files mounted, but not exported, on the 
exporting host system.  This is a serious vulnerability, which must be managed with the mount 
command options. 
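As an added example (not part of the STIG text), a POSIX shell script that builds the suid/sgid baseline and performs the weekly comparison required by OSX1026GEN0084/0085, using the same find predicate as the command above; the function names and the record layout (mode, owner, group, cksum, path) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the STIG: record every suid/sgid regular file under a
# root with its mode, owner, group and POSIX cksum so a stored baseline can be
# diffed against the live system. Function names and layout are assumptions.

# Print one line per suid or sgid regular file under $1:
#   <mode> <owner> <group> <cksum> <path>
suid_sgid_listing() {
    root=$1
    # Same predicate as the STIG's find command, extended to cover sgid (2000).
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        # ls -ld fields: mode links owner group ...; path is taken from $f so
        # names containing spaces are still recorded whole.
        set -- $(ls -ld "$f")
        mode=$1 owner=$3 group=$4
        # cksum prints "<crc> <size> <path>"; the CRC detects content changes.
        set -- $(cksum "$f")
        printf '%s %s %s %s %s\n' "$mode" "$owner" "$group" "$1" "$f"
    done
}

# Write the baseline for the tree under $1 to file $2 (keep that file off the
# monitored host, or on read-only media, so it cannot be altered in place).
suid_sgid_baseline() {
    suid_sgid_listing "$1" > "$2"
}

# Compare baseline file $1 against the live tree under $2.
# Returns 0 when identical, 1 on a discrepancy (the diff output shows which
# files were added, removed, moved, re-owned, re-permissioned or altered),
# 2 if a temporary file could not be created.
suid_sgid_compare() {
    baseline=$1 root=$2
    current=$(mktemp) || return 2
    suid_sgid_listing "$root" > "$current"
    diff "$baseline" "$current" && rc=0 || rc=$?
    rm -f "$current"
    return "$rc"
}
```

Any non-zero result from suid_sgid_compare is the discrepancy the IAO is required to investigate; run the baseline against the whole system as root (suid_sgid_baseline / /path/to/baseline) and keep the baseline file where ordinary users cannot write to it.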
    
(OSX1026GEN0086:  CAT II) The SA will ensure user filesystems, removable media, or 
remote filesystems are mounted with the nosuid option invoked. 
3.5.2  Set Group ID (sgid) 
Authorized, vendor supplied sgid programs are crucial to the correct operation of the Mac OS X 
28
UNCLASSIFIED 