Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
(N/A: CAT II) The SA will ensure the deny access permissions are 700, or more restrictive.
(OSX1026GEN0205: CAT II) The SA will ensure access permissions for crontab files are
600, or more restrictive.
(OSX1026GEN0206: CAT II) The SA will ensure access permissions for the cron and
crontab directories are 755, or more restrictive.
(OSX1026GEN0207: CAT II) The SA will ensure the owner of the cron and crontab
directories is root or bin.
(OSX1026GEN0208: CAT II) The SA will ensure the group owner of the cron and crontab
directories is root, bin, or sys.
(N/A: CAT III) The SA will ensure cron jobs do not execute a program that sets the umask to
a value more permissive than 077 unless it is documented and justified with the IAO.
(N/A: CAT IV) Users and the SA will ensure the command crontab -e is used to create and
edit crontabs.
(OSX1026GEN0209: CAT II) The SA will ensure cron logging is implemented.
(OSX1026GEN0210: CAT II) The SA will ensure cronlog access permissions are 600, or
more restrictive.
(OSX1026SVR0025: CAT II) The SA or the IAO will review the cronlog daily.
(OSX1026GEN0210: CAT II) The SA will ensure the cronlog owner is root and the group
owner is root, bin, or sys.
(OSX1026SVR0026: CAT II) The SA will ensure the owner and group owner of the allow file
are root, bin, or sys.
3.11 At Access
The at utility reads commands from standard input and groups them together for deferred
execution at the times specified by the user. Access to at will be controlled using the at.allow
and at.deny files to list authorized or unauthorized users respectively. At uses cron for program
execution and at actions are logged, by cron, in the cron log. Because at executes jobs with the
privileges of the user, at will not execute world-writable files. No one should be using at for jobs
on the workstation. To enforce this, three things need to be done:
Create an at.allow in /var/adm/ and put NO ONE in it except for root.
Set permissions to 700 on at.allow.
Give at permissions of 700.
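The three steps above can be checked with a short script. This is an added example, not part of the STIG: the function names are illustrative, and both file paths are passed as arguments because the location of the at binary is not given here.

```shell
#!/bin/sh
# Added example: audit the three at lockdown steps. Function names are illustrative.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
get_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# mode_within ACTUAL MAX: succeeds when ACTUAL sets no bit that MAX lacks.
# This is the "MAX, or more restrictive" test: 600 passes against 700,
# while 640 fails even though it is numerically smaller.
mode_within() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# Succeeds when FILE exists and its only non-blank entries are "root".
allow_only_root() {
    [ -f "$1" ] || return 1
    awk 'NF && $0 != "root" { bad = 1 }
         $0 == "root"       { ok = 1 }
         END                { exit !(ok && !bad) }' "$1"
}

# audit_at ALLOW_FILE AT_BINARY: print each failure, return non-zero on any.
audit_at() {
    allow=$1 at_bin=$2 rc=0
    if ! allow_only_root "$allow"; then
        echo "FAIL: $allow must exist and list only root"; rc=1
    fi
    for f in "$allow" "$at_bin"; do
        [ -e "$f" ] || { echo "FAIL: $f is missing"; rc=1; continue; }
        m=$(get_mode "$f")
        mode_within "$m" 700 || { echo "FAIL: $f is mode $m, not within 700"; rc=1; }
    done
    return $rc
}

# Run as: sh audit_at.sh /var/adm/at.allow /path/to/at   (second path is site-specific)
if [ $# -eq 2 ]; then
    audit_at "$1" "$2"
fi
```

The same mode_within test applies to the "600, or more restrictive" and "755, or more restrictive" requirements listed earlier by changing the second argument.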
(OSX1026SVR0024: CAT II) The SA will ensure that at jobs are not run on Mac OS X