Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
Hackers, curious administrators, employers, and criminals, both industrial and government 
(friendly and antagonistic), can eavesdrop on network communications using sniffers to collect 
private and corporate information such as account names, passwords, and sensitive data.  
Communications packets also carry the origination and destination network addresses.  A 
sniffer is a program that puts a network interface into promiscuous mode.  An interface in 
promiscuous mode captures every packet passing on its network segment instead of only the 
packets addressed to it. 
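As an added example (written for this page, not part of the STIG or of any Apple tool), the following Python decodes a constructed unencrypted FTP login the way a sniffer would: the Ethernet, IPv4 and TCP headers give up source and destination addresses and ports, and the cleartext payload gives up the account name and password, while a TLS record on the same segment yields only opaque bytes. The frames, addresses and credentials are all constructed; nothing is captured from a live interface.

```python
"""What a sniffer on the segment actually sees in an unencrypted session:
addresses from the Ethernet/IP/TCP headers and credentials from the payload.
Added example for this page; the frames are constructed, not captured."""
import socket
import struct

CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}   # services whose login is a plain USER/PASS exchange


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; 0 when a header carrying its checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build an Ethernet II / IPv4 / TCP frame as constructed test input (TCP checksum left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)  # dst MAC, src MAC, IPv4
    return eth_hdr + ip_hdr + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode the headers and return what an eavesdropper learns without any key material."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("only TCP is handled here")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": (socket.inet_ntoa(ip[12:16]), sport),
        "dst": (socket.inet_ntoa(ip[16:20]), dport),
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def harvest_credentials(frames) -> dict:
    """Pull USER/PASS arguments from traffic to cleartext login services, keyed by client, server, service."""
    found = {}
    for frame in frames:
        pkt = parse_frame(frame)
        service = CLEARTEXT_LOGIN_PORTS.get(pkt["dst"][1])
        if service is None:
            continue                       # e.g. TLS on 443: the payload is opaque to the sniffer
        key = (pkt["src"][0], pkt["dst"][0], service)
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                found.setdefault(key, {})[verb.upper()] = arg
    return found


# Constructed FTP login from 10.0.0.5 to 10.0.0.20, followed by an HTTPS record the sniffer cannot read.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 49152, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 49152, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 49153, 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(p["src"], "->", p["dst"], p["payload"][:12])
    print(harvest_credentials(SAMPLE_FRAMES))
```

Note that the decoder needs nothing but the bytes on the wire: no key, no login to either host. That is the whole point of the paragraph, and the reason the rest of this section pushes sessions into SSH or removes the service.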
It is also possible to hijack unencrypted network connections.  This technique can be used to 
enter in the middle of an existing connection, modify data flowing in both directions, and insert 
new commands into a session, even one that was authenticated with one-time passwords.  No 
security method based only on user identification and authentication (I&A) is safe against this. 
Ssh connects to sshd on the server machine.  It first verifies that the server really is the 
machine it intended to reach (by checking the server's host key).  Ssh then exchanges encryption 
keys in a manner protected from sniffers and performs authentication, either RSA (Rivest, Shamir, 
and Adleman) public key authentication or conventional password-based authentication.  The server 
normally allocates a pseudo terminal and starts an interactive shell or user program.  Ssh will 
also carry X Windows sessions. 
It is recommended that version 3.4p1 of OpenSSH, which ships with Mac OS X 10.2.4 or higher, be 
used.  Ssh offers the ability to log on directly as root even when the system configuration files 
disable that feature for other access methods.  Ensure that this feature is disabled.  Ssh also 
allows the use of .rhosts.  It is recommended that the .rhosts file NOT be used unless the 
feature is operationally necessary.   
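The two settings the paragraph calls out (direct root login and .rhosts trust) live in sshd_config. The following Python is an added example written for this page, not DISA's or Apple's tooling; it resolves the values sshd would actually use and reports any that do not meet the text's recommendation. Assumptions, labelled in the code: the documented OpenSSH 3.x defaults, the file location /etc/sshd_config on Mac OS X 10.2, and the constructed config excerpts. The workstation requirement below is removal of SSH; this check is for confirming the two settings on any host where sshd is still present.

```python
"""Audit an OpenSSH sshd_config for the two settings the text singles out: direct root
login and .rhosts trust. Added example written for this page, not Apple's or DISA's tooling;
the config excerpts are constructed (on Mac OS X 10.2 the live file is /etc/sshd_config, assumption)."""

# Defaults as documented in sshd_config(5) for OpenSSH 3.x (assumption: confirm on your build).
DEFAULTS = {
    "permitrootlogin": "yes",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",        # protocol 1: trust .rhosts alone
    "rhostsrsaauthentication": "no",     # protocol 1: .rhosts plus client host key
    "hostbasedauthentication": "no",     # protocol 2: .rhosts plus client host key
}
# What the text asks for: no direct root login, no .rhosts-based access.
REQUIRED = {**DEFAULTS, "permitrootlogin": "no"}


def effective_settings(config_text: str) -> dict:
    """Resolve the values sshd would use. Keywords are case-insensitive, '=' or whitespace separates
    keyword and value, and the FIRST value read for a keyword wins, so a hardening line placed
    below an earlier permissive one changes nothing."""
    settings = dict(DEFAULTS)
    assigned = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword in settings and keyword not in assigned:
            settings[keyword] = value
            assigned.add(keyword)
    return settings


def audit(config_text: str) -> list:
    """Return (keyword, effective value, required value) for each failing setting; empty means compliant.
    Any PermitRootLogin value other than 'no' (yes, without-password, forced-commands-only) fails."""
    effective = effective_settings(config_text)
    return [(k, effective[k], want) for k, want in REQUIRED.items() if effective[k] != want]


# Constructed excerpts, not copied from any system.
WEAK_CONFIG = """\
# constructed excerpt of /etc/sshd_config
Port 22
Protocol 2
PermitRootLogin yes
IgnoreRhosts no
RhostsRSAAuthentication yes
# this later line does NOT override the earlier PermitRootLogin yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# constructed hardened excerpt
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```

The first-value-wins rule is the part an SA most often gets wrong: appending `PermitRootLogin no` to the end of a file that already says `yes` higher up leaves root login enabled, which is why the audit resolves the file the way sshd does instead of grepping for the hardening line.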
Ssh will be disabled on all Mac OS X Workstations.  This will be done by removing the program 
from all Mac OS X Workstations using the procedure in APPENDIX C, PROCEDURES FOR BRINGING A 
MAC OS X SYSTEM INTO STIG COMPLIANCE: Removing SSH from Mac OS X.   
    
(OSX1026SYS0010: CAT II):  The SA will ensure that SSH is removed from all Mac OS X 
workstations. 
4.8  Mac OS X Built in Firewall 
Using a firewall has become a common practice for keeping unwanted connections off an 
information system (IS).  Mac OS X comes with its own built-in firewall, which can be used for 
this purpose.   
    
(OSX1026SEC0020: CAT I):  The SA will ensure that all known DDoS ports and NetBIOS 
ports are bi-directionally blocked by the built-in firewall.  Refer to the Desktop STIG for 
additional firewall guidance. 
    
(OSX1026SEC0021: CAT II):  The SA will ensure that a "deny by default" posture is 
enforced on the built-in firewall.  The SA will ensure that only ports or services required for 
operational use are open on the firewall and that all open ports are documented.  
NOTE:  By default, this is the configuration when the firewall is started. 
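The built-in firewall on Mac OS X of this era is ipfw, and both requirements above can be checked mechanically against its rule listing. The following Python is an added example written for this page, not DISA's or Apple's tooling: it parses a rule listing, evaluates it first-match as ipfw does, reports any NetBIOS (or DDoS) port and direction that is not denied (SEC0020), and confirms that the first catch-all rule is a deny (SEC0021). Assumptions, labelled in the code: the constructed listing is in classic ipfw(8) syntax and should be compared with real `ipfw list` output on the target build, DDOS_PORTS is a placeholder for the Desktop STIG's list, and the fallback assumes Mac OS X's kernel default rule 65535 is an allow.

```python
"""Check a Mac OS X built-in firewall (ipfw) ruleset against the two requirements above:
NetBIOS ports blocked in both directions (SEC0020) and deny-by-default (SEC0021).
Added example written for this page, not DISA's or Apple's tooling. The `ipfw list`
text below is constructed in classic ipfw(8) syntax (assumption: confirm the exact
output format on your build), and DDOS_PORTS is a placeholder for the Desktop STIG's list."""
import re
from dataclasses import dataclass
from typing import Optional, Set

NETBIOS_PORTS = {137, 138, 139}      # NetBIOS name, datagram and session services
DDOS_PORTS: Set[int] = set()         # placeholder (assumption): fill in from the Desktop STIG
PORT_SPEC = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


@dataclass
class Rule:
    number: int
    action: str                    # "allow" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    dst_ports: Optional[Set[int]]  # None means any destination port
    direction: str                 # "in", "out" or "any"
    iface: Optional[str]           # "via <iface>" restriction, if present
    established: bool              # matches only packets of an existing TCP connection


def parse_ports(spec: str) -> Set[int]:
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line: str) -> Rule:
    t = line.split()
    i = t.index("to") + 2                         # skip "to" and the destination address
    dst_ports = None
    if i < len(t) and PORT_SPEC.match(t[i]):
        dst_ports, i = parse_ports(t[i]), i + 1
    opts = t[i:]
    iface = opts[opts.index("via") + 1] if "via" in opts else None
    direction = "in" if "in" in opts else "out" if "out" in opts else "any"
    return Rule(int(t[0]), t[1], t[2], dst_ports, direction, iface, "established" in opts)


def parse_ipfw_list(text: str):
    return [parse_rule(l) for l in text.splitlines() if l.split() and l.split()[0].isdigit()]


def decide(rules, proto: str, dport: int, direction: str, iface: str = "en0"):
    """First matching rule wins, as in ipfw. Evaluates a NEW connection, so 'established' rules never match."""
    for r in rules:
        if r.proto not in ("ip", proto) or r.direction not in ("any", direction):
            continue
        if r.iface not in (None, iface) or r.established:
            continue
        if r.dst_ports is not None and dport not in r.dst_ports:
            continue
        return r.action, r.number
    return "allow", 65535      # nothing listed matched; Mac OS X's kernel default rule 65535 is allow (assumption)


def check_sec0020(rules):
    """Return (proto, port, direction) triples NOT denied; an empty list means the block is bi-directional."""
    return [(proto, port, direction)
            for port in sorted(NETBIOS_PORTS | DDOS_PORTS)
            for proto in ("tcp", "udp")
            for direction in ("in", "out")
            if decide(rules, proto, port, direction)[0] != "deny"]


def check_sec0021(rules) -> bool:
    """Deny-by-default holds when the first catch-all rule (any proto, port, direction, interface) is a deny."""
    for r in rules:
        if r.proto == "ip" and r.dst_ports is None and r.direction == "any" and r.iface is None and not r.established:
            return r.action == "deny"
    return False


# Constructed `ipfw list` output: the UDP block is missing its outbound half and the catch-all allows.
SAMPLE_IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny tcp from any to any 137-139 in
00210 deny tcp from any to any 137-139 out
00220 deny udp from any to any 137-139 in
00300 allow tcp from any to any established
00310 allow tcp from any to any 80,443 out
00320 allow udp from any to any 53 out
65535 allow ip from any to any
"""
# Same ruleset with the outbound UDP deny added and an explicit catch-all deny ahead of rule 65535.
FIXED_IPFW_LIST = SAMPLE_IPFW_LIST.replace(
    "00300", "00230 deny udp from any to any 137-139 out\n00300").replace(
    "65535 allow", "65534 deny ip from any to any\n65535 allow")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_IPFW_LIST), ("fixed", FIXED_IPFW_LIST)):
        rules = parse_ipfw_list(text)
        print(name, "SEC0020 gaps:", check_sec0020(rules), "SEC0021 deny-by-default:", check_sec0021(rules))
```

The allow rules in the fixed listing double as the documentation SEC0021 asks for: each open port is a numbered rule the SA can point to, and anything without a rule falls through to the catch-all deny rather than to the kernel's permissive default.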
UNCLASSIFIED 