Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
The crontab files will be created with the same name as the creator of the file.  A crontab entry, 
or any program executed by the crontab entry, will not relax the system umask unless the 
requirement has been justified with, approved by, and documented with the IAO.  A crontab 
entry will not execute locally developed suid or sgid programs unless they have been approved 
by the local Config Control Board (CCB) and documented with the IAO.  Exceptions include 
programs supplied with the operating system.  Default accounts (with the possible exception of 
root) will not be listed in the allow file.  If there is only a deny file, the default accounts (with the 
possible exception of root) will be listed there (the size cannot be zero). 
    
(OSX1026SVR0023:  CAT II):  The IAO will ensure a crontab entry is not executing locally 
developed suid or sgid programs unless they have been approved by the local Configuration 
Control Board (CCB) and documented with the IAO. 
Users will use the crontab -e command to create or edit all Cron jobs associated with their 
account name.  This utility provides file locking to prevent multiple users from editing the same 
file at the same time and notifies the Cron daemon when crontabs have changed so the Cron 
daemon knows to reread the crontabs.  It should also provide the correct access permissions to 
the crontab. 
Cron has the capability to log its actions, and their success or failure, to a log file called cronlog.  
This is a configuration item for all systems.  The SA and IAO will ensure the system is 
configured to log all Cron actions.  The SA will also ensure the cronlog access permissions are 
set to 600, or more restrictive. 
3.10.4  Locations 
The cronlog will be created in /var/cron/log.  The allow and deny files are located in /var/cron.   
    
(OSX1026GEN0203:  CAT II) The SA will ensure crontab entries do not execute group or 
world writable programs. 
    
(OSX1026GEN0200:  CAT II) The SA will control access to the cron utilities via the allow or 
the deny file. 
    
(OSX1026GEN0204:  CAT II) The SA will ensure crontab entries do not execute programs 
located in, or subordinate to, world writable directories. 
    
(N/A:  CAT II) The IAO will authorize and document all users who are allowed to create 
crontabs. 
    
(OSX1026GEN0200:  CAT II) The SA will ensure every system has either an allow file or a 
deny file. 
    
(OSX1026GEN0200:  CAT II) The SA will ensure no allow or deny file has a size of zero. 
    
(OSX1026GEN0201:  CAT II) The SA will ensure the allow file access permissions are 700, 
or more restrictive. 
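
The checks above can be scripted. The following Python sketch is an added example, not part of the STIG or of any DISA tool. It assumes the access files are named allow and deny and the log is named log under the cron directory, and it uses a simplified crontab parse (five time fields, then a command whose first word is an absolute path).

```python
import os
import stat

def too_permissive(path, max_mode):
    """True if path has any permission bit set outside max_mode."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & ~max_mode & 0o7777)

def audit_access_files(cron_dir):
    """Check allow/deny presence and size, allow mode, and cronlog mode."""
    findings = []
    # Assumed file names: "allow", "deny" and "log" inside cron_dir.
    present = [n for n in ("allow", "deny") if os.path.isfile(os.path.join(cron_dir, n))]
    if not present:
        findings.append("GEN0200: neither allow nor deny file exists")
    for name in present:
        if os.path.getsize(os.path.join(cron_dir, name)) == 0:
            findings.append(f"GEN0200: {name} file has size zero")
    if "allow" in present and too_permissive(os.path.join(cron_dir, "allow"), 0o700):
        findings.append("GEN0201: allow file is more permissive than 700")
    log = os.path.join(cron_dir, "log")
    if os.path.isfile(log) and too_permissive(log, 0o600):
        findings.append("cronlog is more permissive than 600")
    return findings

def audit_crontab(text):
    """Check the program named in each crontab entry (GEN0203, GEN0204)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if line.lstrip().startswith("#") or len(fields) < 6:
            continue  # comment, blank line or environment setting
        prog = fields[5].split()[0]
        if not os.path.isabs(prog) or not os.path.exists(prog):
            continue  # simplification: only existing absolute paths are checked
        prog = os.path.realpath(prog)
        if stat.S_IMODE(os.stat(prog).st_mode) & 0o022:
            findings.append(f"GEN0203: {prog} is group or world writable")
        d = os.path.dirname(prog)
        while True:  # walk up to / and report the nearest world-writable ancestor
            if stat.S_IMODE(os.stat(d).st_mode) & 0o002:
                findings.append(f"GEN0204: {prog} is under world-writable {d}")
                break
            if d == os.path.dirname(d):
                break
            d = os.path.dirname(d)
    return findings
```

Call audit_access_files("/var/cron") for the access files and cronlog, and pass the text of each crontab to audit_crontab; an empty list means no finding for the checks implemented here.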
UNCLASSIFIED 




  
