Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
The umask controls access permissions for the following three groups: 
   File owner (or creator) 
   Owner's default group 
   Rest of the world (others) 
To determine what permissions a given umask will assign to a newly created file, subtract the 
umask from 777.  A umask of 022, for instance, would assign the file creator read, write, and 
execute permissions; the group and others would be assigned only read and execute 
permissions.  The resulting access permissions are read as 755.  All Mac OS X systems are fielded 
with a default umask of 022, which allows the access permissions of 755 described above.  By 
default, access should be allowed only to the owner of a file; access for group users, where 
appropriate, should be granted only after explicit action by the owner (this is discretionary 
access control [DAC]).  To accomplish this, the system and user umask will be set to 077 and 
will not be reset unless justified and documented with the IAO.  Exceptions to this will be 
during software installation, when the installation process demands a more permissive value; 
during database access by users; and during administrative actions.  All such requirements will 
be justified and documented with the IAO. 
    
(OSX1026GEN0089:  CAT II) The SA will ensure the system and user umask is 077. 
    
(OSX1026GEN0090:  CAT II) The SA will ensure application umasks are not less restrictive 
than 022. 
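As an added example, not part of the STIG text: a POSIX shell script that works the umask arithmetic bitwise (the mask clears bits from the mode the creating program requests: 777 for a directory, 666 for a regular file, since the kernel never grants execute bits on a newly created file, so 022 yields 755 on directories and 644 on files) and checks a umask value against the two requirements above. The function names and the PASS/FAIL output format are the example's own; the rule IDs are those quoted above.

```sh
#!/bin/sh
# Added example (not from the STIG): bitwise umask arithmetic and a
# compliance check for the two umask requirements quoted above.

# Mode left on a new object by umask $1 when the creating program asks
# for mode $2: 777 for directories, 666 for regular files (the kernel
# never grants execute bits on a newly created file).
mode_after_umask() {
    mask=$(( 0$1 ))          # leading 0 makes the shell read octal
    base=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# Succeeds when umask $1 clears every bit that umask $2 clears,
# i.e. $1 is at least as restrictive as $2.
at_least_as_restrictive() {
    have=$(( 0$1 ))
    want=$(( 0$2 ))
    [ $(( have & want )) -eq "$want" ]
}

# Check umask $1 against the rule for kind $2: "user" (system and user
# umask, OSX1026GEN0089, must be 077) or "application" (OSX1026GEN0090,
# must be no less restrictive than 022). Exit status: 0 pass, 1 fail,
# 2 unknown kind.
check_umask() {
    case $2 in
        user)
            rule=OSX1026GEN0089; need="be 077"
            if [ $(( 0$1 & 0777 )) -eq $(( 0077 )) ]; then ok=0; else ok=1; fi ;;
        application)
            rule=OSX1026GEN0090; need="be no less restrictive than 022"
            if at_least_as_restrictive "$1" 022; then ok=0; else ok=1; fi ;;
        *)  echo "check_umask: unknown kind '$2'" >&2; return 2 ;;
    esac
    if [ "$ok" -eq 0 ]; then verdict=PASS; else verdict=FAIL; fi
    echo "$verdict $rule: umask $1 gives new directories" \
         "$(mode_after_umask "$1" 777) and new files $(mode_after_umask "$1" 666);" \
         "must $need"
    return "$ok"
}

# Demonstration: the running shell's own umask, plus a constructed
# application value; '|| :' keeps going so every verdict is printed.
check_umask "$(umask)" user || :
check_umask 022 application || :
```

The script only inspects the umask of the shell it runs in; a full review of OSX1026GEN0089 also covers the system-wide and per-user shell startup files that set it.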
3.7  Development Systems 
Application developers often ignore security requirements in favor of development expediency.  
One of the most important parts of applications today, however, is security.  Therefore, 
development systems will be subject to the same security requirements as production systems.  
Development systems are often connected to live networks and, because security requirements 
have not been observed, jeopardize the entire network.  If network connectivity is a requirement 
for development systems, they will be connected to a testing network that is completely isolated 
from all other production systems and networks.  Applications will be designed to work correctly 
in a secure environment.   
    
(OSX1026DEV0001:  CAT II) The developers, the SA and the IAO will ensure systems used 
for development are completely isolated from all production systems and networks, such as 
through an isolated subnetwork. 
UNCLASSIFIED 