Apr 2, 2021 Miscellaneous
- Audit deprecated.
- Metadata updated.

Oct 5, 2020 Functional Update
- GEN000800 M6 - The system must prohibit the reuse of passwords to 15 iterations - 'Local usingHistory = 15'
- GEN000800 M6 - The system must prohibit the reuse of passwords to 15 iterations - 'Managed usingHistory = 15'
- GEN001375 M6 - For systems using DNS resolution, at least two name servers must be configured - 'first name server is configured'
- GEN001375 M6 - For systems using DNS resolution, at least two name servers must be configured - 'second name server is configured'
- GEN005505 M6 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers - 'CIPHERS configured'
- GEN005505 M6 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers - 'CIPHERS does not include ARCFOUR/BLOWFISH/CAST'
- GEN005506 M6 - The SSH daemon must be configured to not use CBC ciphers - 'CIPHERS configured'
- GEN005506 M6 - The SSH daemon must be configured to not use CBC ciphers - 'CIPHERS does not include -CBC'
- GEN005507 M6 - SSH MACs must use FIPS 140-2 approved algorithms - 'MACS doesn't include HMAC-MD5/HMAC-RIPEMD160/HMAC-SHA1-96/HMAC-MD5-96'
- GEN005507 M6 - SSH Server MACs use FIPS 140-2 approved algorithms - 'MACS doesn't include HMAC-MD5/HMAC-RIPEMD160/HMAC-SHA1-96/HMAC-MD5-96'
- GEN005510 M6 - The SSH client must be configured to only use FIPS 140-2 approved ciphers - 'CIPHERS configured'
- GEN005510 M6 - The SSH client must be configured to only use FIPS 140-2 approved ciphers - 'CIPHERS does not include ARCFOUR/BLOWFISH/CAST'
- GEN005511 M6 - The SSH client must be configured to not use CBC-based ciphers - 'CIPHERS configured'
- GEN005511 M6 - The SSH client must be configured to not use CBC-based ciphers - 'CIPHERS does not include -CBC'
- GEN005512 M6 - SSH client MACs use FIPS 140-2 approved algorithms - 'MACS configured'
- GEN005512 M6 - SSH client MACs use FIPS 140-2 approved algorithms - 'MACS doesn't include HMAC-MD5/HMAC-RIPEMD160/HMAC-SHA1-96/HMAC-MD5-96'
- OSX00020 M6 - A maximum password age must be set - 'Local maxMinutesUntilChangePassword >= 86400 or 0'
- OSX00020 M6 - A maximum password age must be set - 'Managed maxMinutesUntilChangePassword >= 86400 or 0'
- OSX00030 M6 - A minimum password length must be set - 'Local minChars >= 15'
- OSX00030 M6 - A minimum password length must be set - 'Managed minChars >= 15'
- OSX00036 M6 - Complex passwords must contain Alphabetic Character - 'Local requiresAlpha = 1'
- OSX00036 M6 - Complex passwords must contain Alphabetic Character - 'Managed requiresAlpha = 1'
- OSX00038 M6 - Complex passwords must contain a Symbolic Character - 'Local requiresSymbol = 1'
- OSX00038 M6 - Complex passwords must contain a Symbolic Character - 'Managed requiresSymbol = 1'
- OSX00040 M6 - Newly created password content must be checked - 'Local passwordCannotBeName = 1'
- OSX00040 M6 - Newly created password content must be checked - 'Managed passwordCannotBeName = 1'
- OSX00045 M6 - Account lockout duration must be properly configured - 'Local minutesUntilFailedLoginReset = 0'
- OSX00045 M6 - Account lockout duration must be properly configured - 'Managed minutesUntilFailedLoginReset = 0'
- OSX00050 M6 - Account lockout threshold must be properly configured - 'Local maxFailedLoginAttempts <= 3'
- OSX00050 M6 - Account lockout threshold must be properly configured - 'Managed maxFailedLoginAttempts <= 3'
- OSX00115 M6 - LDAPv3 access must be securely configured (if it is used)
- OSX00120 M6 - Clear text passwords for all LDAPv3 directories must be disabled
- OSX00120 M6 - LDAP Authentication must use authentication when connecting to LDAPv3
- OSX00120 M6 - LDAPv3 access must be securely configured (if it is used)
- OSX00121 M6 - Clear text passwords for all LDAPv3 directories must be disabled
- OSX00121 M6 - Clear text passwords for all LDAPv3 directories must be disabled - No ClearText Authentications = 1
- OSX00122 M6 - All LDAPv3 packets must be digitally signed
- OSX00122 M6 - All LDAPv3 packets must be digitally signed - Packet Signing = 1
- OSX00123 M6 - All LDAPv3 packets must be encrypted
- OSX00123 M6 - All LDAPv3 packets must be encrypted - Packet Encryption = 1
- OSX00124 M6 - LDAPv3 must block man-in-the-middle attacks
- OSX00124 M6 - LDAPv3 must block man-in-the-middle attacks - Man in the Middle = 1
- OSX00475 M6 - Screen Sharing must be disabled - 'OSX <= 10.6.2 /Library/Preferences/com.apple.ScreenSharing.launchd does not exist'
- OSX00475 M6 - Screen Sharing must be disabled - 'OSX >= 10.6.3 /private/etc/ScreenSharing.launchd does not exist'
- OSX00530 M6 - iTunes Store must be disabled - 'Ping is disabled'

Sep 29, 2020

Jul 28, 2020 Functional Update
- GEN001160 M6 - All files and directories must have a valid owner
- GEN001170 M6 - All files and directories must have a valid group owner

Jul 14, 2020

Apr 22, 2020

Mar 12, 2019 Functional Update
- OSX00105 M6 - Access warning for the command line must be present - 'LoginwindowText is configured'

Feb 8, 2019 Miscellaneous
- Metadata updated.
- References updated.

Dec 14, 2018

Jul 24, 2018 Functional Update
- OSX00530 M6 - iTunes Store must be disabled - 'Ping is disabled'
Informational Update
- GEN001680 M6 - All system start-up files must be group-owned by root, sys, bin, other, or system
- GEN006000 M6 - The system must not have a public Instant Messaging (IM) client installed
- GEN006040 M6 - The system must not have any peer-to-peer file-sharing application installed
- GEN008540 M6 - The system's local firewall must implement a deny-all, allow-by-exception policy
- OSX00010 M6 - Unnecessary packages must not be installed
- OSX00015 M6 - Administrator accounts must be created with difficult-to-guess names
- OSX00160 M6 - An antivirus tool must be installed
- OSX00200 M6 - The ability for administrative accounts to unlock screen saver must be disabled
- OSX00400 M6 - System Preferences must be securely configured so IPv6 is turned off if not being used
- OSX00525 M6 - Mail must be configured using SSL
- OSX00540 M6 - iDisk must be removed from Finder sidebar
- OSX00660 M6 - Physical security of the system must meet DoD requirements
- OSX00665 M6 - Shared User Accounts must be disabled
- OSX00675 M6 - System Recovery Backup procedures must be configured to comply with DoD requirements
- OSX00685 M6 - An Emergency Administrator Account must be created
- OSX00690 M6 - Default and Emergency Administrator passwords must be changed when necessary
- OSX00695 M6 - Service account passwords must be changed annually or when a system administrator with knowledge of the password leaves
- OSX00700 M6 - Automatic Screen Saver initiation must be enabled when smart card is removed from machine
- OSX00705 M6 - Spotlight Panel must be securely configured
Miscellaneous
- Metadata updated.
- Platform check updated.
- References updated.
Added
- DISA_STIG_MacOSX_10.6_v1r3.audit