Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
workstations. 
3.11.1  Access Controls 
Access to the use of at facilities will be authorized and documented with the IAO.  At uses a file 
called at.allow, populated by the SA, to determine which users are allowed to create at jobs.  It 
uses a file called at.deny, also populated by the SA, to determine which users are specifically 
denied use of the at facilities.  Users specifically allowed to use at appear in the at.allow file.  
Users specifically denied access appear in the at.deny file.  If neither at.allow nor at.deny exists, 
then root is the only user allowed access to use at.  However, if only an empty at.deny file exists, 
then anyone may use at.  The at.allow file may exist without the at.deny file.  The at.deny file 
may exist without the at.allow file, but may not be empty.  Users not listed in the at.allow file, if 
it exists, will not be allowed access to at.  To control access to at, an empty at.deny file will not 
exist if there is no at.allow file that lists authorized users. 
3.11.2  Access Permissions and Owners 
The access permissions for the at.allow and at.deny files will be 700.  The owner will be any 
privileged system user such as root, bin, or sys.  The group owner will be root, bin, or sys.  
Access permissions for the at (or equivalent) directory will be 755 or more restrictive. 
3.11.3  At on Mac OS X Server 
The at.allow and at.deny files, if they exist, are usually located in /var/cron/.  Executing the 
command "man crontab" will usually give information on the location of the allow and deny 
files. 
    
(OSX1026SVR0027: CAT II) The SA will be responsible for ensuring jobs initiated by the
at utility do not execute world or group writable programs.

(OSX1026SVR0028: CAT II) The SA will ensure access to at is controlled via the at.allow
or at.deny file.

(OSX1026SVR0029: CAT II) The SA will ensure at job entries do not execute programs in
or subordinate to world writable directories.

(OSX1026SVR0030: CAT III) The IAO will authorize and document all users allowed to use
at.

(OSX1026SVR0031: CAT II) The SA will ensure every system has either an at.allow or an
at.deny file.

(OSX1026SVR0032: CAT II) The SA will ensure neither the at.allow nor the at.deny files are
empty.

(OSX1026SVR0033: CAT II) The SA will ensure access permissions of the at.allow file are
700, or more restrictive.
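
The checks in OSX1026SVR0031 through OSX1026SVR0033, together with the empty at.deny condition from Section 3.11.1, can be scripted as follows. This is an added example, not part of the STIG; the function name audit_at_access is hypothetical, and the default directory /var/cron is the usual location given in Section 3.11.3.

```shell
#!/bin/sh
# Added example: audit at.allow / at.deny against OSX1026SVR0031-0033.
# Prints one finding per line; returns 0 when compliant, 1 otherwise.
# audit_at_access is a hypothetical name; /var/cron is the usual location per 3.11.3.
audit_at_access() {
    dir=${1:-/var/cron}
    rc=0
    # OSX1026SVR0031: at least one of the two files must exist.
    if [ ! -e "$dir/at.allow" ] && [ ! -e "$dir/at.deny" ]; then
        echo "OSX1026SVR0031: neither at.allow nor at.deny exists in $dir"
        return 1
    fi
    for name in at.allow at.deny; do
        f=$dir/$name
        [ -e "$f" ] || continue
        # OSX1026SVR0032: -s is true only for a file larger than zero bytes.
        if [ ! -s "$f" ]; then
            echo "OSX1026SVR0032: $name is empty"
            rc=1
            # Section 3.11.1: an empty at.deny with no at.allow opens at to everyone.
            if [ "$name" = at.deny ] && [ ! -e "$dir/at.allow" ]; then
                echo "3.11.1: empty at.deny without at.allow, any user may use at"
            fi
        fi
        # 700 or more restrictive means no group or other bits are set.
        # Columns 5-10 of the ls mode string hold those six bits.
        case $name in at.allow) id=OSX1026SVR0033 ;; *) id="Section 3.11.2" ;; esac
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$id: $name grants group or other access"
            rc=1
        fi
    done
    return $rc
}

# Audit the directory named on the command line, e.g.: sh audit_at.sh /var/cron
if [ $# -gt 0 ]; then audit_at_access "$1"; fi
```

Owner and group-owner checks from Section 3.11.2 are not covered here and would need a per-platform stat call.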
UNCLASSIFIED 




  
