Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
4.1  Network Services Descriptions 
The following descriptions are not intended to endorse the use of the services described.  They 
are merely to familiarize the reader with the purpose of the service. 
4.1.1 Apache 
The Apache web server comes as a factory install on Macs running OS X.  This program is used 
to serve web content from a server or workstation.  On all Mac workstations the Apache program 
will need to be deleted.  The section "Removing Apache from OS" in APPENDIX C, PROCEDURES 
FOR BRINGING A MAC OS X SYSTEM INTO STIG COMPLIANCE, can assist in deleting this 
program.  If you are running Mac OS X Server, refer to the Web Server STIG to ensure that 
you are creating a safe Apache running environment. 
    
(OSX1026SVR0046:  CAT II):  The SA will ensure that the Apache Web Server is removed on 
all Mac OS X workstations and on Servers that do not need web hosting services running. 
4.1.2  Rlogin and rsh 
The rlogin and rlogind programs provide remote terminal service similar to telnet and telnetd.  
The client program is rlogin, and the server program is rlogind.  The important difference 
between rlogin and telnet is that if the rlogin connection is coming from a trusted host or a 
trusted user (meaning .rhosts and/or hosts.equiv is properly configured), no password is required.  
On a Mac OS X workstation, rlogind and rlogin will both be given permissions of 000 so that they 
can stay on the system but are not usable by anyone but root, which is disabled by virtue of the 
account portion of this STIG. 
    
(OSX1026SVR0047:  CAT II):  The SA will ensure that rlogind and rlogin are given 
permissions of 000 on Mac OS X workstations and Servers that do not need remote services 
running. 
Secure shell provides a functional alternative to the typical requirements for rlogin and rsh. 
4.1.3  Rexec Command 
The remote command execution daemon, rexecd, allows users to use rsh or remsh to execute 
commands on other systems.  A password may or may not be required depending on the use of 
.rhosts and/or hosts.equiv.  Unlike login and telnet, rexecd returns different error messages for 
invalid accounts and passwords.  If an invalid username is supplied, the error message returned is 
"login incorrect".  If an invalid password is supplied, it returns "password incorrect".  This allows a 
potential unauthorized user to probe the system to find a valid user account name and then to 
work on the password.  Therefore, if rexecd is required, it will be justified and documented with 
the IAO.  On all Mac OS X workstations, rexecd will have its permissions set to 000. 
    
(OSX1026SVR0048:  CAT II):  The SA will ensure that rexecd has permissions of 000 on all 
Mac OS X workstations. 
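
An added example, not part of the STIG: a POSIX shell audit for findings OSX1026SVR0047 and OSX1026SVR0048 that verifies the rlogin, rlogind and rexecd binaries carry permissions of 000. The binary paths are assumptions (customary Mac OS X locations, not listed in this section), as is the choice to report an absent binary without counting it as a finding.

```shell
#!/bin/sh
# Added example: audit the mode-000 findings OSX1026SVR0047 and OSX1026SVR0048.
# ASSUMPTION: binary paths are the customary Mac OS X locations; the STIG
# section above does not list them. Adjust to match the system being checked.
RSERVICES="OSX1026SVR0047:/usr/bin/rlogin
OSX1026SVR0047:/usr/libexec/rlogind
OSX1026SVR0048:/usr/libexec/rexecd"

# mode_is_000 PATH
# Returns 0 if no permission bit is set, 1 if any is set, 2 if PATH is absent.
mode_is_000() {
    [ -e "$1" ] || return 2
    # ls -ldL works on both BSD and GNU userlands; columns 2-10 hold the
    # rwx bits, and setuid/sticky show up there as s/S/t/T, so they fail too.
    perms=$(ls -ldL -- "$1" | cut -c2-10)
    [ "$perms" = "---------" ]
}

# audit_rservices [ROOT]
# Prints one result line per binary and returns the number of FAIL lines.
# ROOT is an optional prefix for auditing a mounted volume or disk image.
# ASSUMPTION: an absent binary is reported but not counted as a finding.
audit_rservices() {
    root=${1:-}
    fails=0
    while IFS=: read -r finding path; do
        st=0
        mode_is_000 "$root$path" || st=$?
        case $st in
            0) echo "PASS $finding $path mode 000" ;;
            2) echo "ABSENT $finding $path not installed" ;;
            *) echo "FAIL $finding $path has permission bits set"
               fails=$((fails + 1)) ;;
        esac
    done <<EOF
$RSERVICES
EOF
    return "$fails"
}
```

Source the file and call `audit_rservices`; a non-zero return value is the number of binaries that still need `chmod 000`.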
UNCLASSIFIED 




  
