Macintosh OS X Workstation STIG, V1R1 

DISA Field Security Operations 

15 June 2004 

          Developed by DISA for the DOD 

(OSX1026SVR0034:  CAT II) The SA will ensure access permissions of the at.deny file are 

700, or more restrictive. 

(OSX1026SVR0035:  CAT II) The SA will ensure access permissions for the  at  (or 

equivalent) directory are 755, or more restrictive. 

(OSX1026SVR0036:  CAT II) The SA will ensure the owner and group owner of the  at (or 

equivalent) directory is root, bin, or sys. 

(OSX1026SVR0037:  CAT II) The SA will ensure  at  jobs do not use a umask less 

restrictive than 077. 

(OSX1026SVR0038:  CAT III) The SA will ensure  at  jobs do not execute a program that 

sets the umask to a value more permissive than 077 unless it is documented and justified by 

the IAO. 

(OSX1026SVR0039:  CAT II) The SA will ensure default accounts do not appear in the 

at.allow file. 

(OSX1026SVR0040:  CAT II) The SA will ensure programs executed via  at  are not world 

or group writable. 

(OSX1026SVR0041:  CAT II) The SA will ensure programs executed by  at  are writable 

only root, the user, or the application. 

(OSX1026SVR0042:  CAT II) The SA will ensure programs executed by  at  are not in a 

directory tree where one or more directories, in the tree, are world writable. 

(OSX1026SVR0043:  CAT II) The SA will ensure the owner and group owner of the at.allow 

file are root, bin, or sys. 

37

UNCLASSIFIED