Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
(OSX1026GEN0093: CAT II) The SA will ensure that audit files have permissions of 640, or
more restrictive.
(OSX1026GEN0093: CAT II) The SA will ensure that all audit files and directories are
readable only by personnel authorized by the IAO.
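An added example, not part of the STIG: one way to check the two permission requirements above by walking an audit directory and reporting anything looser than 640. The audit directory path is site-specific and is passed as an argument; the 750 ceiling for directories is an assumption (640 plus the search bits a directory needs), and the function names are illustrative.

```python
import os
import stat
import sys

FILE_CEILING = 0o640  # from the requirement text: "640, or more restrictive"
DIR_CEILING = 0o750   # assumption: 640 plus the search (x) bits for owner and group


def excess_bits(mode, ceiling):
    """Return the permission bits set in mode that the ceiling does not allow.

    "More restrictive" means a subset of the ceiling's bits, not a smaller
    number: 604 is numerically below 640 but grants read to "other".
    setuid, setgid and sticky bits are outside the ceiling and are reported too.
    """
    return stat.S_IMODE(mode) & ~ceiling


def find_violations(audit_dir):
    """Return sorted (path, mode, excess_bits) tuples for non-compliant entries."""
    paths = [audit_dir]
    for root, dirs, files in os.walk(audit_dir):
        paths.extend(os.path.join(root, name) for name in dirs + files)

    violations = []
    for path in paths:
        st = os.lstat(path)  # lstat: never follow a symlink out of the tree
        if stat.S_ISLNK(st.st_mode):
            continue
        ceiling = DIR_CEILING if stat.S_ISDIR(st.st_mode) else FILE_CEILING
        bad = excess_bits(st.st_mode, ceiling)
        if bad:
            violations.append((path, stat.S_IMODE(st.st_mode), bad))
    return sorted(violations)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_audit_perms.py AUDIT_DIR")
    results = find_violations(sys.argv[1])
    for path, mode, bad in results:
        print(f"{path}: mode {mode:04o}, excess bits {bad:04o}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any entry exceeds its ceiling, so it can gate a scheduled compliance check. It does not verify ownership or group membership, which still has to be compared against the list of personnel authorized by the IAO.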
(OSX1026SVR0017: CAT II) The SA will review Mac OS X server audit files daily for
anomalies.
(OSX1026SVR0018: CAT III) The IAO will ensure audit files are retained at least one year.
(OSX1026SVR0019: CAT II) The SA will ensure that for all users, including root, the audit
system is configured to audit at least the following events:
- Logon (unsuccessful and successful) and logout (successful)
- Unauthorized access attempts to files (unsuccessful)
- Use of privileged commands (unsuccessful and successful)
- Application and session initiation (unsuccessful and successful)
- Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
- System startup and shutdown (unsuccessful and successful)
- All system administration actions
- All security personnel actions
(OSX1026SVR0020: CAT I) The IAO will ensure the auditing software is able to record the
following for each audit event:
- Date and time of the event
- Userid that initiated the event
- Type of event
- Success or failure of the event
- For I&A events, the origin of the request (e.g., terminal ID)
- For events that introduce an object into a user's address space, and for object deletion events, the name of the object, and in MLS systems, the object's security level
- Root and other administrative actions
UNCLASSIFIED