Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
located on remote servers and users can access and change the data without logging on to the
server. This would appear to defeat the I&A requirements. This is also true for remote
databases. If access to files is properly restricted, however, file security can be greatly enhanced.
Several steps are required to secure NFS against most forms of unauthorized access. The file
(either /etc/exports or /etc/dfs/sharetab) that indicates which filesystems the server exports and
the level of access assigned to clients of those filesystems will be protected against unauthorized
modification. Exported/shared system files will be owned by root and will not be world or group
writable. Filesystems exported as other than read only will be documented with the IAO. These
steps prevent sensitive system files from being modified or replaced.
Several options must be enabled in the NFS server file export configuration file (/etc/exports, for
instance). The anon option should be set to disallow access from client requests that do not
include a userid. The access option grants filesystem access only to those hosts or netgroups
listed with the option. The secure option is used if secure RPC is enabled on the system (true if
NIS+ is enabled on the system). This allows NFS to use DES (Data Encryption Standard) for
encrypting the authentication session between the server and client. The root option overrides
the default userid mapping of root access in NFS, and will not be used unless authorized and
documented with the IAO. NFS clients will use the nosuid and nosgid options to mount
filesystems from a server to prevent setuid and setgid executables of dubious origin from
gaining root access on the client system. Port monitoring causes NFS requests that do not come
from privileged ports to be rejected. Port monitoring will be enabled.
Because NFS presents such a target of opportunity for attackers, the NFS daemons will not be
allowed to run unless NFS is actually being used.
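The export file protections and options described in this section can be checked mechanically. The following is an added example, not part of the STIG or any DISA tooling: it assumes SunOS-style export lines of the form "path -opt,opt=value", and the sample entries and function names are constructed for illustration.

```python
import stat

# Constructed sample; SunOS-style "<path> -opt[,opt=value...]" syntax is an assumption.
SAMPLE_EXPORTS = """\
/usr          -ro,access=ws1:ws2,anon=-1,secure
/export/home  -rw=ws1,access=ws1,anon=65535,secure
/opt/tools    -ro,anon=0
/var/spool    -access=ws3,root=ws3,anon=60001,secure
"""
ALLOWED_ANON = {"65535", "60001", "-1"}  # values named in OSX1026GEN0182

def parse_exports(text):
    """Return [(path, {option: value or None})] for each non-comment line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        opts = {}
        for opt in ",".join(f.lstrip("-") for f in fields[1:]).split(","):
            name, sep, value = opt.partition("=")
            if name:
                opts[name] = value if sep else None
        entries.append((fields[0], opts))
    return entries

def entry_findings(opts):
    """Check one export's options against the requirements in this section."""
    checks = [
        ("ro" not in opts, "not read only: document with the IAO"),
        (opts.get("anon") not in ALLOWED_ANON, "anon missing or not an allowed value"),
        ("access" not in opts, "access option missing"),
        ("secure" not in opts, "secure option missing"),
        ("root" in opts, "root option set: needs authorization and IAO documentation"),
    ]
    return [msg for failed, msg in checks if failed]

def file_findings(uid, mode):
    """OSX1026GEN0178: owned by root, permissions 644 or more restrictive."""
    perms = stat.S_IMODE(mode)
    findings = [] if uid == 0 else ["not owned by root"]
    if perms & ~0o644:  # any bit outside rw-r--r-- is more permissive
        findings.append("mode %03o exceeds 644" % perms)
    return findings

def audit(text):
    return {path: entry_findings(opts) for path, opts in parse_exports(text)}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_EXPORTS).items():
        print(path, findings or "ok")
```

To check a live file, pass the st_uid and st_mode from os.stat() on the export file to file_findings() and the file's contents to audit().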
(OSX1026GEN0178: CAT II) The SA will ensure that the /etc/exports (or the equivalent) file
is owned by root and has permissions of 644, or more restrictive.
(OSX1026GEN0181: CAT II) The SA will ensure that exported system files and directories
are owned by root.
(OSX1026GEN0180: CAT II) The SA will ensure that file systems are exported as read only
unless an operational requirement warrants otherwise.
(OSX1026GEN0180: CAT II) The SA will ensure that file systems containing system
executables used by the local host are exported as read only.
(OSX1026GEN0180: CAT II) The SA will ensure that any file systems that must be exported
with permissions other than read only are documented.
(OSX1026GEN0182: CAT II) The SA will ensure that the anon option in the /etc/exports file
is set to anon=65535, 60001, or anon=-1.
(OSX1026GEN0183: CAT II) The SA will ensure that the access and secure options are used
for all entries in /etc/exports, /etc/dfs/dfstab, or the equivalent file, where available.
(OSX1026GEN0185: CAT II) The SA and IAO will ensure that root access options are not