├── COPYRIGHT_NOTICE
├── README
├── bin
│   ├── part1.sh
│   ├── part2.sh
│   └── part3.sh
└── script.sh

/COPYRIGHT_NOTICE:
--------------------------------------------------------------------------------
Copyright (c) 2011, Jacqueline Singh
All rights reserved.


BSD 3-Clause License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of the nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
#
# Note: If you were sent here by Apple's federal team, welcome. If you have problems with this, I may be able to help, depending on my schedule.
# Post an issue for bugs, or email me directly.
#
# OS X 10.6 Audit/Remediation Script Package
# Based on DISA Mac OS X 10.6 STIG Draft, Version 1, Release .01, 18 Aug 2011
# 2011, Jackie Singh
#

Instructions:

1. Log in to the Mac OS X machine you wish to check/remediate for STIG compliance;

2. Copy the entire "OSX-10.6-SRR-Basic" folder to your Desktop;

3. Recommend you quickly review/skim over the tech tips below;

4. Run the "Terminal" application (it is in the Applications/Utilities folder);

5. Enter the following commands (verbatim) in the Terminal window:
   5a) sudo su
   5b) cd "/Users/$SUDO_USER/Desktop/OSX-10.6-SRR"
   5c) mkdir logs-$HOSTNAME
   5d) chmod +x script.sh bin/part1.sh bin/part2.sh bin/part3.sh
   5e) TODAYSDATE=`date +%d-%b-%Y.%H%M`
   5f) system_profiler > logs-$HOSTNAME/system_profiler_$TODAYSDATE.log
   5g) ./script.sh 2>&1 | tee logs-$HOSTNAME/script.$TODAYSDATE.log


------------------------------------------------------
[PREREQ] Recovery
------------------------------------------------------
Recommend installing 'applejack' (http://applejack.sourceforge.net), to ensure you have an easy way to fix problems in single-user mode, should they occur (they will most likely occur). You can enter single-user mode by holding down 'command key + s' on boot.

------------------------------------------------------
[TECH TIP] Sudo setuid bit
------------------------------------------------------
If you mess up and can't sudo to root anymore, run 'applejack' in single-user mode. WARNING: If you run 'applejack' without booting into single-user mode, you could bork the entire system!

------------------------------------------------------
[IAVA PREREQ] MacPorts and XCode
------------------------------------------------------
For IAVA compliance, you will need to install MacPorts to upgrade (at a minimum) OpenSSL (openssl version; port install openssl) and PHP (php -v; port install php5). To install MacPorts, you will need XCode first, which is available on the OS X Install DVD (OEM). You can also download the .dmg (disk image) from Apple.

------------------------------------------------------
[IAVA PREREQ] Retina
------------------------------------------------------
To scan with Retina, you will need to enable the SSH daemon (SSHD) in "System Preferences" --> Sharing (disable when complete); you must add an entry for the Retina server in /etc/hosts; and ensure you turn off the firewall before scanning and re-enable it when complete.

------------------------------------------------------
[TECH TIP] Software utilities you might need
------------------------------------------------------
1. BatChmod;
2. MacPorts;
3. AppleJack (mentioned above);
4. Disk Inventory X.

Google them.

------------------------------------------------------
[TECH TIP] IAVA Updates
------------------------------------------------------
1. Update all system software;
2. Update approved third-party software;
3. Ensure Adobe products such as Flash and Acrobat Reader/Pro are upgraded.

------------------------------------------------------
[TECH TIP] Logging
------------------------------------------------------
Your logs will not be overwritten, even if you have to ctrl+c/break out of the script. Each will be date/time stamped for your review and will be available in the logs/ directory.
However, be advised they may become very large if the script hangs, you must forcefully kill Terminal, and the child process continues to output error data.

------------------------------------------------------
[TECH TIP] Script Sequence
------------------------------------------------------
The script is split into three parts (part1, part2, part3). The main script.sh will take you through all three in sequence, although you may wish to run them individually.

------------------------------------------------------
[TECH TIP] Using 'locate' instead of 'find'
------------------------------------------------------
Run this command to update the "locate" database (optional):
launchctl load -w /System/Library/LaunchDaemons/com.apple.locate.plist

------------------------------------------------------
[TECH TIP] Kext Cache
------------------------------------------------------
This command will rebuild the extension cache (in case something breaks):
kextcache -m Extensions.mkext -z /System/Library/Extensions

------------------------------------------------------
[TECH TIP] Disable internal mic
------------------------------------------------------
Disable the internal microphone by reducing the input volume to 0:
* Launch System Preferences
* Click on "Sound"
* Click on the "Input" tab
* Drag the "Input volume" slider all the way to the left, as seen in the above screenshot
* Close System Preferences

Disable the internal microphone by selecting a different audio input:
* Launch System Preferences
* Click on "Sound"
* Click on the "Input" tab
* Select "Line-in"
* Close System Preferences

Additionally recommend vinyl label tape over the microphone with text stating:
"Microphone Disabled per IA; POC: J6 Information Assurance DSN:"

------------------------------------------------------
[TECH TIP] Disable internal camera
------------------------------------------------------
To disable:
mv /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/_VDC

To enable:
mv /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/_VDC /System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC

Additionally recommend vinyl label tape over the camera with text stating:
"Camera Disabled per IA; POC: J6 Information Assurance DSN:"

------------------------------------------------------
[TECH TIP] Accounts
------------------------------------------------------
1. Add user xAdministrator; set password to meet system reqs
2. Ensure "xAdministrator" user has administrative privilege
3. Add password to user "user account"; set password to meet system reqs
4. Downgrade "user account" account to have standard, non-administrative privilege
5. Ensure "Guest" account is disabled and no other accounts exist on the workstation (confirm with unit prior to deletion to ensure no data loss)

1. System Preferences --> Security --> General
2. Disable Automatic Login should be on
3. Require password to unlock System Prefs pane should be on
4. Disable location services should be on
5. Require password "immediately" after sleep or screen saver begins
6. Enable secure virtual memory.

------------------------------------------------------
[TECH TIP] Firewall
------------------------------------------------------
1. System Preferences --> Security --> Firewall
2. Enable/start the firewall, and block all incoming connections except those required.

------------------------------------------------------
[TECH TIP] Disable access to System Preferences
------------------------------------------------------
1. Disable access: sudo chmod 700 /Applications/System\ Preferences.app
2. Enable access: sudo chmod 774 /Applications/System\ Preferences.app

------------------------------------------------------
[TECH TIP] Background, Login Background, & Screen Saver
------------------------------------------------------
1. Create a folder in the xAdministrator Documents folder titled "DONOTDELETE"
2. Copy YourUnitBackground.jpg to "DONOTDELETE"
3. Set YourUnitBackground.jpg as the desktop background
4. Set the screen saver to choose from the "DONOTDELETE" folder
5. Change the login background:
   5a. cd /System/Library/CoreServices
   5b. mv DefaultDesktop.jpg DefaultDesktop_old.jpg
   5c. cp /Users/xadministrator/Documents/DONOTDELETE/YourUnitBackground.jpg DefaultDesktop.jpg

------------------------------------------------------
[TECH TIP] Keychain
------------------------------------------------------
1. In the First Aid tab, ensure "set login keychain as default" is deselected
2. In the First Aid tab, ensure "keep login keychain unlocked" is deselected
3. In the Certificates tab, ensure OCSP and CRL are set to "best attempt"
4. Priority should be set to "OCSP"


---Happy Auditing/Remediating!
--------------------------------------------------------------------------------
/bin/part2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# PART 2 BEGIN

# Pause until the operator presses Return.
function press_enter
{
    echo ""
    echo -n "Press Return to continue"
    read
}

# Report the exit status of the command that ran immediately before this call.
function exit_status
{
    export OUT=$?
    if [ $OUT -eq 0 ]; then
        echo "[OK] Exit status was $OUT"
    else
        echo "[ERROR] Something might have gone wrong. Exit status was $OUT"
    fi
}

TODAYSDATE=`date +%d-%b-%Y.%H%M`

echo ""
echo "--------------------------------------------------------"
echo "Let's work on the semi-automated tasks next."
echo "You'll need to do a little more work on these."
echo "Recommend you fire up a new terminal window to prepare."
echo ""
read -p "If you're ready to continue, hit 'Return'."
echo "--------------------------------------------------------"
echo ""


echo "---------------------------"
echo "[STIG ID] SV-38520r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Security auditing must be enabled."
echo "[FIX] Verify the following line exists: AUDIT=-YES- If the value is not YES, this is a finding. Cancel out of file without saving."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to run the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) grep AUDIT /etc/hostconfig ;;
        # /etc/hostconfig expects the value written as -YES- (the CHECK text above).
        2 ) echo "AUDIT=-YES-" >> /etc/hostconfig ; exit_status ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38766r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] For systems using DNS resolution, at least two name servers must be configured."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) grep nameserver /etc/resolv.conf ; exit_status ;;
        2 ) echo "[FIX] If less than two lines are returned that are not commented out, this is a finding. Edit /etc/resolv.conf and add additional 'nameserver' lines until at least two are present." ; press_enter ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37848r1_rule"
echo "---------------------------"
echo ""
echo '[CHECK] If an account has a UID of "0", it has root authority.'
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        # Compare the UID field exactly; a bare "grep :0" also matches GID 0 and other fields.
        1 ) awk -F: '$3 == 0' /etc/passwd ; exit_status ;;
        2 ) echo "[FIX] Edit /etc/passwd and change the UID of the duplicate root account to an unused UID." ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38187r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All files and directories must have a valid group owner."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) find / -nogroup -print ; exit_status ;;
        2 ) echo "[FIX] Use the following command to change the group owner to [staff] for each file without a valid group owner" ; echo "find / -nogroup -print0 | xargs -0 chgrp staff" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38181r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All files and directories must have a valid owner."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) find / -nouser ; exit_status ;;
        2 ) echo "[FIX] Review the results. If any files do not have a valid owner, this is a finding." ; echo "find / -nouser -print0 | xargs -0 chown cjtf-hoa" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37882r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All network services daemon files must have mode 0755 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        # -perm +022 (BSD find): any of group-write or other-write is set.
        1 ) find /usr/sbin -type f -perm +022 ; exit_status ;;
        2 ) echo "[FIX] Use the following command to change the mode of the network services daemon." ; echo "find /usr/sbin -type f -perm +022 -print0 | xargs -0 chmod go-w" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37987r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All system command files must have mode 0755 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) find /usr/bin -type f -perm +022 ; exit_status ;;
        2 ) echo '[FIX] If any file listed is world or group-writable [either or both of the two lowest order digits contain a "2", "3", or "6"], this is a finding.' ; echo "find /usr/bin -type f -perm +022 -print0 | xargs -0 chmod go-w" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38072r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All system command files must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -la /usr/sbin ; exit_status ;;
        2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL; this is a finding." ; echo "chmod -N /path/to/file" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37988r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All system files, programs, and directories must be owned by a system account."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lLa /usr/bin ; exit_status ;;
        2 ) echo "[FIX] If any of the system files, programs, or directories are not owned by a system account, this is a finding." ; echo "chown root /usr/bin/filename" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37989r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] System files, programs, and directories must be group-owned by a system group."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lLa /usr/bin ; exit_status ;;
        2 ) echo "[FIX] If any system file, program, or directory is not owned by a system group, this is a finding." ; echo "chgrp wheel /usr/bin/filename" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37890r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] System log files must have mode 0640 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lL /var/log ; exit_status ;;
        # Note: chmod -R also applies 0640 to the directories under /var/log, which
        # removes their search (x) bit; review the listing before running it.
        2 ) echo "[FIX] If any of the log files have modes more permissive than 0640, this is a finding." ; echo "chmod -R 0640 /var/log*" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-37911r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Library files must have mode 0755 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lLR /usr/lib ; exit_status ;;
        2 ) echo "[FIX] If any of the library files have a mode more permissive than 0755, this is a finding." ; echo "chmod -R 0755 /usr/lib" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38094r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] User home directories must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -al /Users ; exit_status ;;
        2 ) echo "[FIX] If the permissions include a '+', the file/directory has an extended ACL; this is a finding. The following command will remove any and all ACLs from files and folders in the Users directory" ; echo "chmod -R -N /Users" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38182r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All files and directories contained in interactive user home directories must be owned by the home directory's owner. For each user in the /etc/passwd file, check for the presence of files and directories within the user's home directory not owned by the home directory owner."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to find out how to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) echo "No way devised to check for this yet. Can fix, though." ;;
        2 ) echo "[FIX] Change the ownership of files and directories in user home directories to the owner of the home directory." ; echo "chown -R username /Users/username" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38215r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is not a member."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) echo "Listing user accounts:" ; cut -d : -f 1 /etc/passwd ; exit_status ;;
        2 ) echo "For each user account, get a list of GIDs for files in the user's home directory"
            # The command below is printed for the operator, not executed; -printf is a GNU find
            # option and is not available in the BSD find shipped with OS X.
            echo "find ~username -printf %G\\n | sort | uniq"
            echo "Obtain the list of GIDs where the user is a member"
            echo "id -G username"
            echo "[FIX] Check the GID lists. If there are GIDs in the file list not present in the user list, this is a finding."
            echo "chgrp [group with user as member] [file with bad group ownership]" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38095r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All files and directories contained in user home directories must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        # Field 6 of /etc/passwd is the home directory; list each one recursively.
        1 ) cut -d : -f 6 /etc/passwd | xargs -n1 -IDIR ls -alLR DIR ; exit_status ;;
        2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [user file with extended ACL]" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38013r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All run control scripts must have mode 0755 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lL /etc/rc* ; exit_status ;;
        2 ) echo "[FIX] Set the mode of the run control script file." ; echo "chmod 755 /path/to/control_script" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38096r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All run control scripts must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) ls -lL /etc/rc* /etc/init.d ; exit_status ;;
        2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N /path/to/control_script" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38256r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Run control scripts' executable search paths must contain only absolute paths."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) grep -r PATH /etc/rc* /etc/init.d ; exit_status ;;
        2 ) echo "[FIX] Edit the run control script and remove the relative path entry from the executable search path variable." ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38010r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All local initialization files must be owned by the user or root."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to find out how to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        # These commands are printed as instructions; $usershomedirectory and $username
        # are placeholders the operator substitutes, so they are deliberately not expanded.
        1 ) for f in .login .cshrc .logout .profile .bash_profile .bashrc .bash_logout .env .dtprofile .dispatch .emacs .exrc; do
                echo "ls -al /\$usershomedirectory/$f"
            done
            echo 'find /$usershomedirectory/.dt ! -fstype nfs ! -user $username -exec ls -ld {} \;'
            exit_status ;;
        2 ) echo "[FIX] If local initialization files are not owned by the home directory's user, this is a finding. Examine each user's home directory and verify all filenames beginning with '.' are owned by the owner of the directory or root. If they are not, use the chown command to change the owner to the user and research the reasons why the owners were not assigned as required." ; echo 'chown $username /directory/filename' ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38014r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All shell files must be owned by root or bin."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) cat /etc/shells | xargs -n1 ls -l ; exit_status ;;
        2 ) echo "[FIX] If any shell is not owned by root or bin, this is a finding." ; echo "chown root [shell]" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38015r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All shell files must have mode 0755 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo -n "Enter your selection: "
    echo ""
    read selection
    case $selection in
        1 ) cat /etc/shells | xargs -n1 ls -l ; exit_status
            echo "If /etc/shells exists, check the group ownership of each shell referenced. Otherwise, check any shells found on the system."
            find / -name "*sh" | xargs -n1 ls -l ; exit_status ;;
        2 ) echo "[FIX] If a shell has a mode more permissive than 0755, this is a finding." ; echo "chmod 0755 [shell]" ;;
        3 ) exit ;;
    esac
done

echo "---------------------------"
echo "[STIG ID] SV-38098r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All shell files must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # An extended ACL shows up as a trailing '+' in the mode field of ls -l output.
    1 ) cat /etc/shells | xargs -n1 ls -lL ; exit_status ; echo "If /etc/shells exists, check the permissions of each shell referenced. Otherwise, check any shells found on the system." ; find / -name "*sh" | xargs -n1 ls -lL ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [shell file with extended ACL]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38017r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Device files and directories must only be writable by users with a system account or as configured by the vendor."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # World-writable block and character devices are written to ./devicelist for review.
    1 ) find / -perm -2 -a \( -type b -o -type c \) > devicelist ; exit_status ; echo "[FIX] Check the permissions on the parent directories of the device files listed in the devicelist file. If any of the device files or their parent directories are world-writable, except device files specifically intended to be world-writable such as /dev/null, this is a finding." ; exit_status ;;
    2 ) echo "chmod o-w [device file]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38100r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Audio devices must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -lL /dev/audio* /dev/snd/* ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [audio device file with extended ACL]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37991r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The sticky bit must be set on all public directories."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) find / -type d -perm -002 -exec ls -ld {} \; ; exit_status ;;
    2 ) echo "[FIX] Review the results. If any public directories do not have the sticky bit set, this is a finding." ; echo "chmod 1777 /tmp" ; exit_status ; echo "chmod 1777 /publicdirmissingstickybit" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37993r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All public directories must be owned by root or an application account."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) find / -type d -perm -1002 -exec ls -ld {} \; ; exit_status ;;
    2 ) echo "[FIX] If any public directory is not owned by root or an application user, this is a finding." ; echo "chown root /tmp" ; exit_status ; echo "chown root /publicdir" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38622r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] System audit logs must have mode 0640 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -l /etc/auditd ; exit_status ;;
    2 ) echo "[FIX] If any audit log file has a mode more permissive than 0640, this is a finding." ; echo "chmod 0640 [audit log file]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38102r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All system audit files must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # Take the log_file path from auditd.conf (everything from the first '/') and list it.
    1 ) grep "^log_file" /etc/audit/auditd.conf | sed 's/^[^\/]*//' | xargs ls ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [audit file with extended ACL]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38103r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] System audit tool executables must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -l /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL and this is a finding." ; echo "chmod -N [audit tool file with extended ACL]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38107r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Crontab files must be group-owned by root, cron, or the crontab creator's primary group."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -lL /usr/lib/cron ; exit_status ; ls -lL /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly ; exit_status ; ls -lL /etc/cron* | grep -v deny ; exit_status ;;
    2 ) echo "[FIX] If the group-owner is not root or the crontab owner's primary group, this is a finding." ; echo "chgrp wheel [crontab file]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38110r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Crontab files must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -lL /usr/lib/cron ; exit_status ; ls -lL /etc/cron* | grep -v deny ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [crontab file]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38112r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Cron and crontab directories must not have extended ACLs."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -ld /usr/lib/cron ; exit_status ; ls -ld /etc/cron* | grep -v deny ; exit_status ;;
    2 ) echo "[FIX] If the permissions include a '+', the directory has an extended ACL. If the directory has an extended ACL and it has not been documented with the IAO, this is a finding." ; echo "chmod -N [crontab directory]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38022r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] \"At\" jobs must not set the umask to a value less restrictive than 077."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK/get additional information."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls /var/spool/at ; exit_status ; echo "If no \"at\" jobs are present, this is not applicable. To determine if any of the \"at\" jobs or any scripts referenced execute the \"umask\" command, check for any umask setting more permissive than 077:" ; echo "grep umask /var/at/[at job or referenced script]" ; exit_status ;;
    2 ) echo "[FIX] If any \"at\" job or referenced script sets umask to a value more permissive than 077, this is a finding." ; echo "Edit \"at\" jobs or referenced scripts to remove \"umask\" commands setting umask to a value less restrictive than 077." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38195r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must be configured to store any process core dumps in a specific, centralized directory."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /proc/sys/kernel/core_pattern ; exit_status ; echo "[FIX] If the parameter is not an absolute path [does not start with a slash \"/\"], this is a finding." ;;
    2 ) echo "Edit the /etc/sysctl.conf file; and set the [add if necessary] kernel/core_pattern to an absolute path ending with a file name prefix, such as \"/var/core/core\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38120r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The centralized process core dump data directory must be owned by root."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # dirname of the core_pattern value gives the core file directory to inspect.
    1 ) cat /proc/sys/kernel/core_pattern | xargs -n1 -IPATTERN dirname PATTERN ; exit_status ; echo "Check the existence and ownership of the directory." ; echo "ls -lLd [core file directory]" ; exit_status ;;
    2 ) echo "[FIX] If the directory does not exist or is not owned by root, this is a finding. If the core file directory does not exist it must be created." ; echo "mkdir -p [core file directory]" ; echo "If necessary, change the owner of the core file directory." ; echo "chown root [core file directory]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38121r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The centralized process core dump data directory must be group-owned by root, bin, sys, or system."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) echo "ls -lL [core file directory]" ; exit_status ;;
    2 ) echo "[FIX] If the directory is not group-owned by root, bin, sys, or system, this is a finding." ; echo "chgrp wheel [core file directory]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38197r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The centralized process core dump data directory must have mode 0700 or less permissive."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /proc/sys/kernel/core_pattern | xargs -n1 -IPATTERN dirname PATTERN ; exit_status ; echo "Check the permissions of the directory." ; echo "ls -lL [core file directory]" ;;
    2 ) echo "[FIX] If the directory has a mode more permissive than 0700, this is a finding." ; echo "chmod 0700 [core file directory]" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38200r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not process Internet Control Message Protocol [ICMP] timestamp requests."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.icmp.timestamp ; exit_status ;;
    2 ) echo "[FIX] If the value of net.inet.icmp.timestamp is not set to \"1\", this is a finding." ; echo "Edit the sysctl file and set the value of net.inet.icmp.timestamp to \"1\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38201r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.icmp.bmcastecho ; exit_status ;;
    2 ) echo "[FIX] If the value is not set to \"1\", this is a finding." ; echo "Edit the sysctl file and set the value of \"net.inet.icmp.bmcastecho\" to \"1\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38202r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must prevent local applications from generating source-routed packets."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.ip.sourceroute ; exit_status ;;
    2 ) echo "[FIX] If the value of \"net.inet.ip.sourceroute\" is not set to \"1\", this is a finding." ; echo "Edit the sysctl file and set the value of net.inet.ip.sourceroute to 1." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38203r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not accept source-routed IPv4 packets."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.ip.accept_sourceroute ; exit_status ;;
    2 ) echo "[FIX] If the value of \"net.inet.ip.accept_sourceroute\" is not set to \"0\", this is a finding." ; echo "Edit the sysctl file and set the value of net.inet.ip.accept_sourceroute to 0." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38204r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must ignore IPv4 ICMP redirect messages."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.ip.drop_redirect ; exit_status ;;
    2 ) echo "[FIX] If the value of \"net.inet.ip.drop_redirect\" is not set to \"0\", this is a finding." ; echo "Edit the sysctl file and set the value of \"net.inet.ip.drop_redirect\" to \"0\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38205r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not send IPv4 ICMP redirects."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.ip.redirect ; exit_status ;;
    2 ) echo "[FIX] If the value of \"net.inet.ip.redirect\" is not set to \"0\", this is a finding." ; echo "Edit the sysctl file and set the value of net.inet.ip.redirect to 0." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38057r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not have the finger service active."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) grep disable /etc/xinetd.d/finger ; exit_status ;;
    2 ) echo "[FIX] If the finger service is not disabled [Disabled = yes], this is a finding." ; echo "Edit /etc/xinetd.d/finger and set \"disable=yes\"" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39360r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH daemon must be configured to only use FIPS 140-2 approved ciphers."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned ciphers list contains any cipher not starting with \"3des\" or \"aes\", this is a finding." ; echo "Edit the SSH daemon configuration file /etc/ssh/sshd_config to remove any ciphers not starting with \"3des\" or \"aes\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39364r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH daemon must be configured to not use CBC ciphers."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # Normalize whitespace, drop comment lines, then look for a Ciphers line naming a CBC cipher.
    # $sshd_config is expected to be set earlier in the script; if it is unset, fall back to
    # /etc/sshd_config, the path the MACs check below uses.
    1 ) cat "${sshd_config:-/etc/sshd_config}" | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "ciphers" | grep -i cbc ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned ciphers list contains any cipher ending with cbc, this is a finding." ; echo "Edit the SSH daemon configuration file \"sshd_config\" and remove any ciphers ending with cbc. If necessary, add a Ciphers line." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39369r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH daemon must be configured to only use Message Authentication Codes [MACs] that employ FIPS 140-2 approved cryptographic hash algorithms."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/sshd_config | grep MACs ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned MACs list contains any MAC other than \"hmac-sha1\", this is a finding." ; echo "Edit the SSH daemon configuration file \"sshd_config\" and remove any MACs other than \"hmac-sha1\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39371r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH client must be configured to only use FIPS 140-2 approved ciphers."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/ssh_config | grep Ciphers ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned ciphers list contains any cipher not starting with \"3des\" or \"aes\", this is a finding." ; echo "Edit the SSH client configuration file \"/etc/ssh_config\" and remove any ciphers not starting with \"3des\" or \"aes\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39374r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH client must be configured to not use CBC-based ciphers."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/ssh_config | grep cbc ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned ciphers list contains any cipher ending with \"cbc\", this is a finding." ; echo "Edit the SSH client configuration file \"/etc/ssh_config\" and remove any ciphers ending with \"cbc\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39376r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The SSH client must be configured to only use Message Authentication Codes [MACs] that employ FIPS 140-2 approved cryptographic hash algorithms."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/ssh_config | grep hmac-sha1 ; exit_status ;;
    2 ) echo "[FIX] If no lines are returned, or the returned MACs list contains any MAC other than \"hmac-sha1\", this is a finding." ; echo "Edit the SSH client configuration file \"/etc/ssh_config\" and remove any MACs other than \"hmac-sha1\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38186r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] IP forwarding for IPv4 must not be enabled, unless the system is a router."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sysctl -a | grep net.inet.ip.fw.enable ; exit_status ;;
    2 ) echo "[FIX] If the value of \"net.inet.ip.fw.enable\" is not set to \"0\", this is a finding." ; echo "Edit the sysctl file, and set the \"net.inet.ip.fw.enable\" parameter to \"0\"." ; echo "sysctl -w net.inet.ip.fw.enable=0" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38158r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The nosuid option must be enabled on all NFS client mounts."
echo "[NOTE] /etc/fstab does not exist in OS X. /etc/fstab.hd exists, but its contents state not to depend on this file."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    # Any NFS mount printed here lacks the nosuid option.
    1 ) mount -v | grep "type nfs" | egrep -v "nosuid" ; exit_status ;;
    2 ) echo "[FIX] If the mounted file systems do not have the \"nosuid\" option, this is a finding." ; echo "Edit /etc/fstab, and add the \"nosuid\" option for all NFS file systems. Remount the NFS file systems to make the change take effect." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39379r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) grep -v '^#' /etc/nsswitch.conf | grep ldap ; exit_status ; echo "If no lines are returned, this vulnerability is not applicable. To verify the NSS LDAP client is configured to check certificates against a certificate revocation list, enter the following command:" ; echo "grep -i '^tls_crlcheck' /etc/ldap.conf" ;;
    2 ) echo "[FIX] If the setting does not exist, or the value is not \"all\", this is a finding." ; echo "Edit the \"/etc/ldap.conf\" file and add or set the \"tls_crlcheck\" setting to \"all\"." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-39384r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system's local firewall must implement a deny-all, allow-by-exception policy."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to find out how to execute the FIX."
echo "Enter 2 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) echo "[FIX] Determine if the system's local firewall implements a deny-all, allow-by-exception policy. If it does not, this is a finding." ; echo "Configure the system's local firewall to implement a deny-all, allow-by-exception policy." ;;
    2 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37149r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Unnecessary packages must not be installed."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pkgutil / --pkgs ; exit_status ;;
    2 ) echo "[FIX] Review the installed packages and determine whether each is needed. If not, this is a finding." ; echo "Determine if the installed packages are needed. If not, verify any dependencies and use the rm command to remove them." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37153r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Administrator accounts must be created with difficult-to-guess names."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to find out how to execute the FIX."
echo "Enter 2 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) echo "1. Select Finder." ; echo "2. Select Applications." ; echo "3. Select System Preferences." ; echo "4. Select Accounts." ; echo "[FIX] Verify there are no easy-to-guess administrator account names. If any accounts have easy-to-guess names, this is a finding." ; echo "Rename or recreate accounts with difficult-to-guess names." ;;
    2 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37190r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] All application software must be current."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) softwareupdate --list ; exit_status ; echo "[FIX] Review the result for proper versions and current patch level." ; echo "[NOTE] This check does not show third party software or updates." ; echo "[NOTE] Do not enable Automatic Updating as this will conflict with V-25298." ;;
    2 ) echo "softwareupdate --list" ; echo "softwareupdate --list --all" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37208r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] POSIX access permissions must be assigned based on user categories."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) ls -ls /Users ; exit_status ;;
    2 ) echo "[FIX] If permissions are not set to 700, this is a finding." ; echo "chmod 700 /Users/*" ; echo "[NOTE] Changing permissions on a user's home directory from 750 to 700 will disable Apple file sharing. User's home directory POSIX permissions should be set to 700." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38521r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Security auditing must be configured."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/security/audit_control | grep flags: ; exit_status ;;
    2 ) echo "[FIX] Ensure the line includes the following: flags: lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl. If the file does not contain appropriate flags, this is a finding." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38522r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Local logging must be enabled."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to find out how to CHECK this STIG & execute the FIX."
echo "Enter 2 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) echo "pico /etc/newsyslog.conf" ; echo "[FIX] If the count values are not set to 14, this is a finding." ; echo "pico /etc/newsyslog.conf" ; echo "Set all 'count' values to 14" ;;
    2 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38525r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Prevent root login must be securely configured in /etc/sshd_config."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/sshd_config | grep PermitRootLogin ; exit_status ;;
    2 ) echo "[FIX] Ensure the value \"PermitRootLogin\" is set to \"No\". If the value \"PermitRootLogin\" is not set to \"No\", this is a finding. However, be advised this STIG will foil your Retina scans." ; echo "Edit the value \"PermitRootLogin\" and set it to \"No\"." ; echo "pico /etc/sshd_config" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38526r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Login Grace Time must be securely configured in /etc/sshd_config."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
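SV-38521 above greps the `flags:` line and leaves the comparison to the eye, and SV-38522 sends you into pico to read every `count` column. The POSIX shell below is an added example, not part of the repository's scripts: it compares the `flags:` line of a constructed audit_control against the STIG's required set token by token (order-independent, comment lines skipped, so `ad,lo,fd,...` in a different order still passes while a missing `^-cl` is reported), and lists every newsyslog.conf entry whose count is not 14, allowing for the optional owner:group column. The file contents, written to temporary files, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: token-wise audit flag check and newsyslog count check.
# Both input files are constructed samples written to temporary files.
REQUIRED_AUDIT_FLAGS='lo,ad,-all,-fr,fd,fm,^-fa,^-fc,^-cl'

SAMPLE_AUDIT_CONTROL="$(mktemp)"
cat > "$SAMPLE_AUDIT_CONTROL" <<'EOF'
#
# constructed /etc/security/audit_control sample (fm and ^-cl are missing)
#
dir:/var/audit
flags:lo,ad,-all,-fr,fd,^-fa,^-fc
minfree:20
naflags:lo,ad
policy:cnt
filesz:2M
EOF

SAMPLE_NEWSYSLOG_CONF="$(mktemp)"
cat > "$SAMPLE_NEWSYSLOG_CONF" <<'EOF'
# constructed /etc/newsyslog.conf sample
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/ftp.log                        640  5     1000 *     J
/var/log/ipfw.log                       640  14    1000 *     J
/var/log/lpr.log                        640  5     1000 *     J
/var/log/mail.log                       640  14    *    @T00  J
/var/log/system.log     root:admin      640  7     *    @T00  J
EOF

# audit_flags_missing FILE: print the required flag tokens absent from the
# last uncommented "flags:" line of FILE, space separated and in STIG order;
# prints nothing when every required token is present.
audit_flags_missing() {
  awk -v req="$REQUIRED_AUDIT_FLAGS" '
    /^[[:space:]]*#/ { next }
    /^flags:/ { have = substr($0, 7) }
    END {
      m = split(have, got, ",")
      for (j = 1; j <= m; j++) { gsub(/[[:space:]]/, "", got[j]); seen[got[j]] = 1 }
      n = split(req, need, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (!(need[i] in seen)) out = out (out == "" ? "" : " ") need[i]
      print out
    }' "$1"
}

# newsyslog_bad_counts FILE: print "<logfile> <count>" for every entry whose
# count column is not 14. The owner:group column is optional in
# newsyslog.conf, so the count is field 4 when field 2 contains ":" and
# field 3 otherwise. Comments, blank lines and <include> lines are skipped.
newsyslog_bad_counts() {
  awk '
    /^[[:space:]]*(#|$)/ || /^</ { next }
    { count = ($2 ~ /:/) ? $4 : $3 }
    count + 0 != 14 { print $1, count }
  ' "$1"
}

# Stand-alone run: expect "fm ^-cl" and three log files with the wrong count.
echo "audit flags missing: $(audit_flags_missing "$SAMPLE_AUDIT_CONTROL")"
echo "newsyslog entries not at count 14:"
newsyslog_bad_counts "$SAMPLE_NEWSYSLOG_CONF"
```

Against a real host the calls are `audit_flags_missing /etc/security/audit_control` and `newsyslog_bad_counts /etc/newsyslog.conf`; an empty result from each is the compliant state.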
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/sshd_config | grep LoginGraceTime ; exit_status ;;
    2 ) echo "[FIX] Ensure the value \"LoginGraceTime\" is set to 30 or less. If the value \"LoginGraceTime\" is not set to 30 or less, this is a finding." ; echo "Edit the value: LoginGraceTime to 30." ; echo "pico /etc/sshd_config" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37209r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] /etc/sshd_config - Protocol version must be securely configured."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/sshd_config | grep Protocol ; exit_status ;;
    2 ) echo "[FIX] Ensure the value Protocol is set to \"2\". If the value Protocol is not set to \"2\", this is a finding." ; echo "Edit the value: Protocol to \"2\"." ; echo "pico /etc/sshd_config" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38528r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The Software Update Server URL must be assigned to an organizational value."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
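The three sshd_config checks above (PermitRootLogin, LoginGraceTime, Protocol) use `cat /etc/sshd_config | grep KEYWORD`, which also matches the commented-out defaults shipped in the file (`#PermitRootLogin yes`) and leaves the evaluation to the reader. The POSIX shell below is an added example, not part of the repository's scripts: it resolves each directive the way sshd does, skipping comment lines, matching the keyword case-insensitively and taking the first occurrence as the effective value, then applies the three STIG rules to a constructed weak and a constructed hardened configuration. An unset directive counts as a finding, and a LoginGraceTime that is not a plain integer (sshd also accepts forms such as `2m`) is reported for manual review. The file contents, written to temporary files, and the `check_*` function names are constructed for the example.

```shell
#!/bin/sh
# Added example: evaluate sshd_config against the three STIG rules above.
# Both configs are constructed samples written to temporary files.
SSHD_WEAK="$(mktemp)"
cat > "$SSHD_WEAK" <<'EOF'
# constructed sshd_config: shipped defaults commented out, weak settings active
#PermitRootLogin yes
#LoginGraceTime 2m
PermitRootLogin yes
LoginGraceTime 120
# Protocol is not set at all
EOF

SSHD_HARDENED="$(mktemp)"
cat > "$SSHD_HARDENED" <<'EOF'
# constructed sshd_config: compliant; the keyword is matched case-insensitively
Protocol 2
permitrootlogin No
LoginGraceTime 30
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin yes
EOF

# sshd_directive FILE KEYWORD: print the effective value of KEYWORD, i.e. the
# first non-comment occurrence (keyword matched case-insensitively, "Key value"
# and "Key=value" both accepted); prints nothing when the directive is absent.
sshd_directive() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    { line = $0; gsub(/=/, " ", line); n = split(line, f, " ") }
    n >= 2 && tolower(f[1]) == key { print f[2]; exit }
  ' "$1"
}

# Each rule prints one "PASS key=value" or "FAIL key=value (reason)" line.
check_permit_root_login() {
  v="$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')"
  if [ "$v" = "no" ]; then echo "PASS PermitRootLogin=$v"
  else echo "FAIL PermitRootLogin=${v:-<unset>} (must be no)"; fi
}

check_login_grace_time() {
  v="$(sshd_directive "$1" LoginGraceTime)"
  case "$v" in
    '') echo "FAIL LoginGraceTime=<unset> (must be 30 or less)" ;;
    *[!0-9]*) echo "FAIL LoginGraceTime=$v (not a plain integer; review manually)" ;;
    *) if [ "$v" -le 30 ]; then echo "PASS LoginGraceTime=$v"
       else echo "FAIL LoginGraceTime=$v (must be 30 or less)"; fi ;;
  esac
}

check_protocol() {
  v="$(sshd_directive "$1" Protocol)"
  if [ "$v" = "2" ]; then echo "PASS Protocol=2"
  else echo "FAIL Protocol=${v:-<unset>} (must be exactly 2)"; fi
}

# sshd_findings FILE: run all three rules and print the number of FAIL lines.
sshd_findings() {
  { check_permit_root_login "$1"; check_login_grace_time "$1"; check_protocol "$1"; } \
    | grep -c '^FAIL' || true
}

# Stand-alone run: 3 findings for the weak file, 0 for the hardened one.
for f in "$SSHD_WEAK" "$SSHD_HARDENED"; do
  check_permit_root_login "$f"; check_login_grace_time "$f"; check_protocol "$f"
  echo "findings: $(sshd_findings "$f")"
done
```

On a live host the same functions take `/etc/sshd_config` as the argument; because the first occurrence wins, a hardened value appended at the end of a file that already sets the keyword earlier is silently ineffective, which is exactly the case a plain grep hides.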
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) defaults read com.apple.SoftwareUpdate CatalogURL ; exit_status ;;
    2 ) echo "[FIX] The value returned is the current Software Update Server. Verify it is an approved SUS. If no value is returned, the system is using a default Apple Update Server and this is a finding." ; echo "defaults write com.apple.SoftwareUpdate CatalogURL 'new_SUS_URL'" ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37214r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The ability for administrative accounts to unlock Screen Saver must be disabled."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) cat /etc/authorization | grep -A 10 system.login.screensaver ; exit_status ;;
    2 ) echo "[FIX] Ensure the \"system.login.screensaver\" key includes the value \"authenticate-session-owner\". If not, this is a finding." ; echo "pico /etc/authorization" ; echo "Press ^W in pico and search for: authenticate-session-owner-or-admin" ; echo "Change \"authenticate-session-owner-or-admin\" to \"authenticate-session-owner\" in the \"system.login.screensaver\" key." ;;
    3 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38569r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched."
echo "[NOTE] Extraneous due to SV-37190r1_rule, no need to run this."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo "Enter 1 to run the CHECK."
echo "Enter 2 to find out how to execute the FIX."
echo "Enter 3 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) sudo softwareupdate --list --all ; exit_status ;;
    2 ) echo "[FIX] Review the results and verify the system is at the current release level. If not, this is a finding." ; echo "Install the current OS updates and patches." ;;
    3 ) exit ;;
  esac
done


echo "--------------------------------------------------------"
echo "The following semi-automated tasks have different"
echo "executions depending on whether the system is 'managed'"
echo "or not. If you don't know what this means, then you should"
echo "probably select 'unmanaged' for each of these."
echo "--------------------------------------------------------"

echo "---------------------------"
echo "[STIG ID] SV-37158r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] A maximum password age must be set."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword ; exit_status ; echo "[FIX] If the value of \"maxMinutesUntilChangePassword\" is greater than 86400, this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "maxMinutesUntilChangePassword=86400" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxMinutesUntilChangePassword ; exit_status ; echo "[FIX] If the value of \"maxMinutesUntilChangePassword\" is greater than 86400, this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=86400" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37166r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] A minimum password age must be set."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword ; exit_status ; echo "[FIX] If the value of \"minMinutesUntilChangePassword\" is less than 1440, this is a finding."
    ;;
    2 ) pwpolicy -n -setglobalpolicy "minMinutesUntilChangePassword=1440" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minMinutesUntilChangePassword ; exit_status ; echo "[FIX] If the value of \"minMinutesUntilChangePassword\" is less than 1440, this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "minMinutesUntilChangePassword=1440" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37172r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] A minimum password length must be set."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minChars ; exit_status ; echo "[FIX] If the value of minChars is less than 15, then this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "minChars=15" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minChars ; exit_status ; echo "[FIX] If the value of minChars is less than 15, then this is a finding."
    ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "minChars=15" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38603r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Complex passwords must contain Alphabetic Character."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresAlpha ; exit_status ; echo "[FIX] If the value of requiresAlpha is not set to 1, this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "requiresAlpha=1" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresAlpha ; exit_status ; echo "[FIX] If the value of requiresAlpha is not set to 1, this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "requiresAlpha=1" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38607r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Complex passwords must contain Symbolic Character."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep requiresSymbol ; exit_status ; echo "[FIX] If the value of requiresSymbol is not set to 1, this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "requiresSymbol=1" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep requiresSymbol ; exit_status ; echo "[FIX] If the value of requiresSymbol is not set to 1, this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "requiresSymbol=1" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37177r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Newly created password content must be checked."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName ; exit_status ; echo "[FIX] If the value of \"passwordCannotBeName\" is not equal to \"1\", this is a finding."
    ;;
    2 ) pwpolicy -n -setglobalpolicy "passwordCannotBeName=1" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep passwordCannotBeName ; exit_status ; echo "[FIX] If the value of \"passwordCannotBeName\" is not equal to \"1\", this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "passwordCannotBeName=1" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37184r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Account lockout duration must be properly configured."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset ; exit_status ; echo "[FIX] If the value of \"minutesUntilFailedLoginReset\" is greater than \"0\", this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "minutesUntilFailedLoginReset=0" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep minutesUntilFailedLoginReset ; exit_status ; echo "[FIX] If the value of \"minutesUntilFailedLoginReset\" is greater than \"0\", this is a finding."
    ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "minutesUntilFailedLoginReset=0" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37186r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Account lockout threshold must be properly configured."
echo ""
echo "Enter 0 to skip this STIG and continue to the next."
echo ""
echo "Enter 1 to run the CHECK for a MANAGED system."
echo "Enter 2 to execute the FIX for a MANAGED system."
echo ""
echo "Enter 3 to run the CHECK for an UNMANAGED system."
echo "Enter 4 to execute the FIX for an UNMANAGED system."
echo ""
echo "Enter 5 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) pwpolicy -n -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts ; exit_status ; echo "[FIX] If the value of \"maxFailedLoginAttempts\" is more than \"3\", this is a finding." ;;
    2 ) pwpolicy -n -setglobalpolicy "maxFailedLoginAttempts=3" ; exit_status ;;
    3 ) pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep maxFailedLoginAttempts ; exit_status ; echo "[FIX] If the value of \"maxFailedLoginAttempts\" is more than \"3\", this is a finding." ;;
    4 ) pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=3" ; exit_status ;;
    5 ) exit ;;
  esac
done

echo "--------------------------------------------------------"
echo ""
echo "Done. I'm now taking you back to the menu."
echo "When you get there, select option 3 to continue!"
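The managed/unmanaged pwpolicy checks above grep one key at a time out of `pwpolicy -getglobalpolicy` and print the threshold for you to compare by hand. The POSIX shell below is an added example, not part of the repository's scripts: it takes the space-separated `key=value` string that `pwpolicy -n -getglobalpolicy` prints, which is what the script's own `tr " " "\n" | grep` pipeline assumes, and applies every threshold from the password STIGs above in one pass. One caveat the per-key greps miss: for `maxMinutesUntilChangePassword` and `maxFailedLoginAttempts` a value of 0 disables the control (no expiry, no lockout), so 0 is treated as a finding even though it is not "greater than 86400" or "more than 3". That reading of pwpolicy's semantics is mine, so confirm it against pwpolicy(8) on the target release. The two policy strings and the `pw_*` function names are constructed for the example.

```shell
#!/bin/sh
# Added example: evaluate a pwpolicy global policy string against the STIG thresholds.
# Both strings are constructed samples in the "key=value key=value ..." form
# that `pwpolicy -n -getglobalpolicy` prints; neither came from a real host.
WEAK_POLICY='maxMinutesUntilChangePassword=0 minMinutesUntilChangePassword=0 minChars=8 requiresAlpha=0 requiresSymbol=0 passwordCannotBeName=1 minutesUntilFailedLoginReset=0 maxFailedLoginAttempts=0 usingHistory=0'
HARDENED_POLICY='maxMinutesUntilChangePassword=86400 minMinutesUntilChangePassword=1440 minChars=15 requiresAlpha=1 requiresSymbol=1 passwordCannotBeName=1 minutesUntilFailedLoginReset=0 maxFailedLoginAttempts=3 usingHistory=0'

# pw_get POLICY KEY: value of KEY in POLICY, or empty when absent
# (the same split-on-spaces-then-grep approach the script uses).
pw_get() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2
}

# pw_rule POLICY KEY LOW HIGH REASON: PASS when LOW <= value <= HIGH
# (HIGH empty means no upper bound); unset or non-numeric values FAIL.
pw_rule() {
  pw_v="$(pw_get "$1" "$2")"
  case "$pw_v" in
    ''|*[!0-9]*) echo "FAIL $2=${pw_v:-<unset>} ($5)"; return 0 ;;
  esac
  if [ "$pw_v" -ge "$3" ] && { [ -z "$4" ] || [ "$pw_v" -le "$4" ]; }; then
    echo "PASS $2=$pw_v"
  else
    echo "FAIL $2=$pw_v ($5)"
  fi
}

# pwpolicy_findings POLICY: one PASS/FAIL line per STIG rule. The lower
# bound of 1 on the two "max" keys encodes the 0-means-disabled caveat.
pwpolicy_findings() {
  pw_rule "$1" maxMinutesUntilChangePassword 1 86400 "must be 1..86400; 0 means passwords never expire"
  pw_rule "$1" minMinutesUntilChangePassword 1440 "" "must be at least 1440"
  pw_rule "$1" minChars 15 "" "must be at least 15"
  pw_rule "$1" requiresAlpha 1 1 "must be 1"
  pw_rule "$1" requiresSymbol 1 1 "must be 1"
  pw_rule "$1" passwordCannotBeName 1 1 "must be 1"
  pw_rule "$1" minutesUntilFailedLoginReset 0 0 "must be 0"
  pw_rule "$1" maxFailedLoginAttempts 1 3 "must be 1..3; 0 means no lockout"
}

# pwpolicy_finding_count POLICY: number of FAIL lines.
pwpolicy_finding_count() {
  pwpolicy_findings "$1" | grep -c '^FAIL' || true
}

# Stand-alone run: 6 findings for the weak policy, 0 for the hardened one.
pwpolicy_findings "$WEAK_POLICY"
echo "weak policy findings: $(pwpolicy_finding_count "$WEAK_POLICY")"
echo "hardened policy findings: $(pwpolicy_finding_count "$HARDENED_POLICY")"
```

On a managed host the input is `pwpolicy_findings "$(pwpolicy -n -getglobalpolicy)"`, on an unmanaged one the `/Local/Default` form the script uses; only the string changes, the rules do not.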
press_enter
echo "--------------------------------------------------------"
exec ./script.sh 2>&1 | tee script.$TODAYSDATE.log

# END PART 2
--------------------------------------------------------------------------------
/bin/part3.sh:
--------------------------------------------------------------------------------
# PART 3 BEGIN

function press_enter
{
  echo ""
  echo -n "Press Return to continue"
  read
}

function exit_status
{
  export OUT=$?
  if [ $OUT -eq 0 ]; then
    echo "[OK] Exit status was $OUT"
  else
    echo "[ERROR] Something might have gone wrong. Exit status was $OUT"
  fi
}

TODAYSDATE=$(date +%d-%b-%Y.%H%M)

echo ""
echo "--------------------------------------------------------"
echo "Let's work on the GUI-driven manual tasks next."
echo "You'll need to do even more work for these… Sorry!"
echo "Protip: Keep menus open, as many of these STIGs rely"
echo "on modifying settings that coexist in similar places."
echo ""
read -p "If you're ready to continue, hit 'Return'."
echo "--------------------------------------------------------"
echo ""


echo "---------------------------"
echo "[STIG ID] SV-38509r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Audio recording support software must be disabled."
echo " 1. Open System Preferences -- Sound."
echo " 2. Select internal microphone and ensure \"Input Volume\" is set to \"0\"."
echo " 3. Select Line-In [if present] and ensure \"Input Volume\" is set to \"0\"."
echo "[FIX] Select Display Audio and ensure \"USB\" is set to \"0\". If any of the parameters are not set to \"0\", this is a finding."
echo "rm -rf /System/Library/Extensions/AppleOnboardAudio.kext"
echo "rm -rf /System/Library/Extensions/AppleUSBAudio.kext"
echo "rm -rf /System/Library/Extensions/AppleDeviceTreeUpdater.kext"
echo "rm -rf /System/Library/Extensions/IOAudioFamily.kext"
echo "rm -rf /System/Library/Extensions/VirtualAudioDriver.kext"
echo "touch /System/Library/Extensions"
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37201r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Video recording support software must be disabled."
echo " 1. Open the /System/Library/Extensions folder."
echo "[FIX] Ensure the following file does NOT exist: Apple_iSight.kext"
echo " 1. Control click the IOUSBFamily.kext and select Show Package Contents."
echo " 2. Open the /Contents/PlugIns/ folder."
echo "[FIX] Ensure the following file does NOT exist: AppleUSBVideoSupport.kext"
echo "rm -rf /System/Library/Extensions/Apple_iSight.kext"
echo "rm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/Plugins/AppleUSBVideoSupport.kext"
echo "touch /System/Library/Extensions"
echo ""
echo "[NOTE] The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files [located in /System/Library/] are deleted and rebuilt by Mac OS X."
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38510r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Open Firmware or EFI password must be present."
echo " 1. Log in with an administrator account and open the Firmware Password Utility [located on the Mac OS X installation disc in /Applications/Utilities/]."
echo "[FIX] Verify the \"Require password to change Open Firmware settings\" is selected."
echo " 1. Log in with an administrator account and open the Firmware Password Utility [located on the Mac OS X installation disc in /Applications/Utilities/]."
echo " 2. Click Change."
echo " 3. Select \"Require password to change Open Firmware settings\"."
echo " 4. In the Password and Verify fields, enter a new Open Firmware or EFI password, and click OK. This password can be up to eight characters. Do not use the capital letter \"U\" in an Open Firmware password. If you do, your password will not be recognized during the startup process."
echo " 5. Close the Firmware Password Utility."
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38514r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] LDAPv3 access must be securely configured [if it is used]."
echo " 1. Open Finder."
echo " 2. Click the Hard Drive icon."
echo " 3. Double Click System."
echo " 4. Double Click Library."
echo " 5. Double Click CoreServices."
echo " 6. Double Click Directory Utility."
echo " 7. Click the Show Advanced Options button."
echo " 8. Click Services tab."
echo " 9. Click the Lock and enter the password to unlock the options [if needed]."
echo " 10. Click the LDAPv3 service."
echo " 11. Click the Pencil icon."
echo " 12. Highlight the Server Name/Configuration Name."
echo " 13. Click Edit."
echo "[FIX] Click the Connection tab and verify \"Encrypt using SSL\" is selected. If \"Encrypt using SSL\" is not selected, this is a finding."
echo " 1. Open Finder."
echo " 2. Click the Hard Drive icon."
echo " 3. Double Click System."
echo " 4. Double Click Library."
echo " 5. Double Click CoreServices."
echo " 6. Double Click Directory Utility."
echo " 7. Click the Show Advanced Options button."
echo " 8. Click Services tab."
echo " 9. Click the Lock and enter the password to unlock the options [if needed]."
echo " 10. Click the LDAPv3 service."
echo " 11. Click the Pencil icon."
echo " 12. Highlight the Server Name/Configuration Name."
echo " 13. Click Edit."
echo " 14. Click the Connection tab and select \"Encrypt using SSL\"."
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38516r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] LDAP Authentication must use authentication when connecting to LDAPv3."
echo " 1. Open Finder."
echo " 2. Click the Hard Drive icon."
echo " 3. Double Click System."
echo " 4. Double Click Library."
176 | echo " 5. Double Click CoreServices." 177 | echo " 6. Double Click Directory Utility." 178 | echo " 7. Click the Show Advanced Options button." 179 | echo " 8. Click Services tab." 180 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 181 | echo " 10. Click the LDAPv3 service." 182 | echo " 11. Click the Pencil icon." 183 | echo " 12. Highlight the Server Name/Configuration Name." 184 | echo " 13. Click Edit." 185 | echo "[FIX] Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, this is a finding." 186 | echo " 1. Open Finder." 187 | echo " 2. Click the Hard Drive icon." 188 | echo " 3. Double Click System." 189 | echo " 4. Double Click Library." 190 | echo " 5. Double Click CoreServices." 191 | echo " 6. Double Click Directory Utility." 192 | echo " 7. Click the Show Advanced Options button." 193 | echo " 8. Click Services tab." 194 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 195 | echo " 10. Click the LDAPv3 service." 196 | echo " 11. Click the Pencil icon." 197 | echo " 12. Highlight the Server Name/Configuration Name." 198 | echo " 13. Click Edit." 199 | echo " 14. Click on Security tab and select "Use authentication when connecting"." 200 | echo "" 201 | echo "Enter 0 to skip this STIG/continue to the next." 202 | echo "Enter 1 to exit this script." 203 | selection= 204 | until [ "$selection" = "0" ]; do 205 | echo "" 206 | echo -n "Enter your selection: " 207 | echo "" 208 | read selection 209 | case $selection in 210 | 1 ) exit ;; 211 | 212 | esac 213 | done 214 | 215 | echo "---------------------------" 216 | echo "[STIG ID] SV-38573r1_rule" 217 | echo "---------------------------" 218 | echo "" 219 | echo "[CHECK] Clear text passwords for all LDAPv3 directories must be disabled." 220 | echo " 1. Open Finder." 221 | echo " 2. Click the Hard Drive icon." 222 | echo " 3. Double Click System." 223 | echo " 4. 
Double Click Library." 224 | echo " 5. Double Click CoreServices." 225 | echo " 6. Double Click Directory Utility." 226 | echo " 7. Click the Show Advanced Options button." 227 | echo " 8. Click Services tab." 228 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 229 | echo " 10. Click the LDAPv3 service." 230 | echo " 11. Click the Pencil icon." 231 | echo " 12. Highlight the Server Name/Configuration Name." 232 | echo " 13. Click Edit." 233 | echo "[FIX] Click on Security tab and verify the "Disable clear text passwords" is checked. If the value is not checked, this is a finding." 234 | echo " 1. Open Finder." 235 | echo " 2. Click the Hard Drive icon." 236 | echo " 3. Double Click System." 237 | echo " 4. Double Click Library." 238 | echo " 5. Double Click CoreServices." 239 | echo " 6. Double Click Directory Utility." 240 | echo " 7. Click the Show Advanced Options button." 241 | echo " 8. Click Services tab." 242 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 243 | echo " 10. Click the LDAPv3 service." 244 | echo " 11. Click the Pencil icon." 245 | echo " 12. Highlight the Server Name/Configuration Name." 246 | echo " 13. Click Edit." 247 | echo " 14. Click the Security tab and select "Disable clear text passwords"." 248 | echo "" 249 | echo "Enter 0 to skip this STIG/continue to the next." 250 | echo "Enter 1 to exit this script." 251 | selection= 252 | until [ "$selection" = "0" ]; do 253 | echo "" 254 | echo -n "Enter your selection: " 255 | echo "" 256 | read selection 257 | case $selection in 258 | 1 ) exit ;; 259 | 260 | esac 261 | done 262 | 263 | echo "---------------------------" 264 | echo "[STIG ID] SV-38575r1_rule" 265 | echo "---------------------------" 266 | echo "" 267 | echo "[CHECK] All LDAPv3 packets must be digitally signed." 268 | echo " 1. Open Finder." 269 | echo " 2. Click the Hard Drive icon." 270 | echo " 3. Double Click System." 271 | echo " 4. 
Double Click Library." 272 | echo " 5. Double Click CoreServices." 273 | echo " 6. Double Click Directory Utility." 274 | echo " 7. Click the Show Advanced Options button." 275 | echo " 8. Click Services tab." 276 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 277 | echo " 10. Click the LDAPv3 service." 278 | echo " 11. Click the Pencil icon." 279 | echo " 12. Highlight the Server Name/Configuration Name." 280 | echo " 13. Click Edit." 281 | echo "[FIX] Click on Security tab and verify the "Digitally sign all packets [requires Kerberos] " is checked. If the value is not checked, this is a finding." 282 | echo " 1. Open Finder." 283 | echo " 2. Click the Hard Drive icon." 284 | echo " 3. Double Click System." 285 | echo " 4. Double Click Library." 286 | echo " 5. Double Click CoreServices." 287 | echo " 6. Double Click Directory Utility." 288 | echo " 7. Click the Show Advanced Options button." 289 | echo " 8. Click Services tab." 290 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 291 | echo " 10. Click the LDAPv3 service." 292 | echo " 11. Click the Pencil icon." 293 | echo " 12. Highlight the Server Name/Configuration Name." 294 | echo " 13. Click Edit." 295 | echo " 14. Click on Security tab and select "Digitally sign all packets [requires Kerberos]". " 296 | echo "" 297 | echo "Enter 0 to skip this STIG/continue to the next." 298 | echo "Enter 1 to exit this script." 299 | selection= 300 | until [ "$selection" = "0" ]; do 301 | echo "" 302 | echo -n "Enter your selection: " 303 | echo "" 304 | read selection 305 | case $selection in 306 | 1 ) exit ;; 307 | 308 | esac 309 | done 310 | 311 | echo "---------------------------" 312 | echo "[STIG ID] SV-38577r1_rule" 313 | echo "---------------------------" 314 | echo "" 315 | echo "[CHECK] All LDAPv3 packets must be encrypted." 316 | echo " 1. Open Finder." 317 | echo " 2. Click the Hard Drive icon." 318 | echo " 3. Double Click System." 
319 | echo " 4. Double Click Library." 320 | echo " 5. Double Click CoreServices." 321 | echo " 6. Double Click Directory Utility." 322 | echo " 7. Click the Show Advanced Options button." 323 | echo " 8. Click Services tab." 324 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 325 | echo " 10. Click the LDAPv3 service." 326 | echo " 11. Click the Pencil icon." 327 | echo " 12. Highlight the Server Name/Configuration Name." 328 | echo " 13. Click Edit." 329 | echo "[FIX] Click on Security tab and verify the "Encrypt all packets [requires SSL or Kerberos] " is checked. If the value is not checked, this is a finding." 330 | echo " 1. Open Finder." 331 | echo " 2. Click the Hard Drive icon." 332 | echo " 3. Double Click System." 333 | echo " 4. Double Click Library." 334 | echo " 5. Double Click CoreServices." 335 | echo " 6. Double Click Directory Utility." 336 | echo " 7. Click the Show Advanced Options button." 337 | echo " 8. Click Services tab." 338 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 339 | echo " 10. Click the LDAPv3 service." 340 | echo " 11. Click the Pencil icon." 341 | echo " 12. Highlight the Server Name/Configuration Name." 342 | echo " 13. Click Edit." 343 | echo " 14. Click on Security tab and select "Encrypt all packets [requires SSL or Kerberos]"." 344 | echo "" 345 | echo "Enter 0 to skip this STIG/continue to the next." 346 | echo "Enter 1 to exit this script." 347 | selection= 348 | until [ "$selection" = "0" ]; do 349 | echo "" 350 | echo -n "Enter your selection: " 351 | echo "" 352 | read selection 353 | case $selection in 354 | 1 ) exit ;; 355 | 356 | esac 357 | done 358 | 359 | echo "---------------------------" 360 | echo "[STIG ID] SV-38578r1_rule" 361 | echo "---------------------------" 362 | echo "" 363 | echo "[CHECK] LDAPv3 must block man-in-the-middle attacks." 364 | echo " 1. Open Finder." 365 | echo " 2. Click the Hard Drive icon." 366 | echo " 3. 
Double Click System." 367 | echo " 4. Double Click Library." 368 | echo " 5. Double Click CoreServices." 369 | echo " 6. Double Click Directory Utility." 370 | echo " 7. Click the Show Advanced Options button." 371 | echo " 8. Click Services tab." 372 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 373 | echo " 10. Click the LDAPv3 service." 374 | echo " 11. Click the Pencil icon." 375 | echo " 12. Highlight the Server Name/Configuration Name." 376 | echo " 13. Click Edit." 377 | echo "[FIX] Click on Security tab and verify the "Block man-in-the-middle attacks [requires Kerberos]" is checked. If the value is not checked, this is a finding." 378 | echo " 1. Open Finder." 379 | echo " 2. Click the Hard Drive icon." 380 | echo " 3. Double Click System." 381 | echo " 4. Double Click Library." 382 | echo " 5. Double Click CoreServices." 383 | echo " 6. Double Click Directory Utility." 384 | echo " 7. Click the Show Advanced Options button." 385 | echo " 8. Click Services tab." 386 | echo " 9. Click the Lock and enter the password to unlock the options [if needed]." 387 | echo " 10. Click the LDAPv3 service." 388 | echo " 11. Click the Pencil icon." 389 | echo " 12. Highlight the Server Name/Configuration Name." 390 | echo " 13. Click Edit." 391 | echo " 14. Click the Security tab and select "Block man-in-the-middle attacks [requires Kerberos]". " 392 | echo "" 393 | echo "Enter 0 to skip this STIG/continue to the next." 394 | echo "Enter 1 to exit this script." 395 | selection= 396 | until [ "$selection" = "0" ]; do 397 | echo "" 398 | echo -n "Enter your selection: " 399 | echo "" 400 | read selection 401 | case $selection in 402 | 1 ) exit ;; 403 | 404 | esac 405 | done 406 | 407 | echo "---------------------------" 408 | echo "[STIG ID] SV-38518r1_rule" 409 | echo "---------------------------" 410 | echo "" 411 | echo "[CHECK] Active Directory Access must be securely configured." 412 | echo " 1. Open Finder." 413 | echo " 2. 
Click the Hard Drive icon." 414 | echo " 3. Double Click System." 415 | echo " 4. Double Click Library." 416 | echo " 5. Double Click CoreServices." 417 | echo " 6. Double Click Directory Utility." 418 | echo " 7. Click the Services tab. " 419 | echo " 8. Double-click on Active Directory." 420 | echo " 9. Click on Show Advanced Options. " 421 | echo "[FIX] Click on Administrative tab and ensure "Allow administration by" is not selected. If "Allow administration by" is selected, this is a finding." 422 | echo " 1. Open Finder." 423 | echo " 2. Click the Hard Drive icon." 424 | echo " 3. Double Click System." 425 | echo " 4. Double Click Library." 426 | echo " 5. Double Click CoreServices." 427 | echo " 6. Double Click Directory Utility." 428 | echo " 7. Click the Services tab. " 429 | echo " 8. Double-click on Active Directory." 430 | echo " 9. Click on Show Advanced Options. " 431 | echo " 10. Click on Administrative tab and deselect "Allow administration by" option." 432 | echo "" 433 | echo "Enter 0 to skip this STIG/continue to the next." 434 | echo "Enter 1 to exit this script." 435 | selection= 436 | until [ "$selection" = "0" ]; do 437 | echo "" 438 | echo -n "Enter your selection: " 439 | echo "" 440 | read selection 441 | case $selection in 442 | 1 ) exit ;; 443 | 444 | esac 445 | done 446 | 447 | echo "---------------------------" 448 | echo "[STIG ID] SV-38529r1_rule" 449 | echo "---------------------------" 450 | echo "" 451 | echo "[CHECK] The correct date and time must be set." 452 | echo " 1. Open System Preferences - -- Date and Time Panel." 453 | echo "[CHECK] The correct date and time must be set." 454 | echo "[FIX] Ensure the correct date and time is set. If the date and time are not correct, this is a finding." 455 | echo " 1. Open System Preferences - -- Date and Time Panel." 456 | echo " 2. Set the correct date and time." 457 | echo "" 458 | echo "Enter 0 to skip this STIG/continue to the next." 459 | echo "Enter 1 to exit this script." 
460 | selection= 461 | until [ "$selection" = "0" ]; do 462 | echo "" 463 | echo -n "Enter your selection: " 464 | echo "" 465 | read selection 466 | case $selection in 467 | 1 ) exit ;; 468 | 469 | esac 470 | done 471 | 472 | echo "---------------------------" 473 | echo "[STIG ID] SV-38530r1_rule" 474 | echo "---------------------------" 475 | echo "" 476 | echo "[CHECK] A secure time server must be referenced." 477 | echo " 1. Open System Preferences -- Date and Time Panel. " 478 | echo " 2. Ensure "Set date and time automatically" is selected. " 479 | echo "[FIX] In the box for the time server, ensure the URL is entered along with either the address of a valid federal government NTP server or address of a local domain controller." 480 | echo " 1. Open System Preferences] Date and Time Panel. " 481 | echo " 2. Select "Set date and time automatically". " 482 | echo " 3. In the box for the time server, type either the URL or IP address of a valid federal government NTP server or local domain controller. " 483 | echo "" 484 | echo "Enter 0 to skip this STIG/continue to the next." 485 | echo "Enter 1 to exit this script." 486 | selection= 487 | until [ "$selection" = "0" ]; do 488 | echo "" 489 | echo -n "Enter your selection: " 490 | echo "" 491 | read selection 492 | case $selection in 493 | 1 ) exit ;; 494 | 495 | esac 496 | done 497 | 498 | echo "---------------------------" 499 | echo "[STIG ID] SV-37218r1_rule" 500 | echo "---------------------------" 501 | echo "" 502 | echo "[CHECK] The guest account must be disabled." 503 | echo " 1. Open System Preferences -- Accounts Panel. " 504 | echo " 2. Click on Guest Account. " 505 | echo "[FIX] Ensure "Allow guests to login to this computer" option is unchecked. If the option is checked, this is a finding." 506 | echo " 1. Open System Preferences -- Accounts Panel. " 507 | echo " 2. Click on Guest Account. " 508 | echo " 3. Deselect "Allow guests to login to this computer"." 
509 | echo "" 510 | echo "Enter 0 to skip this STIG/continue to the next." 511 | echo "Enter 1 to exit this script." 512 | selection= 513 | until [ "$selection" = "0" ]; do 514 | echo "" 515 | echo -n "Enter your selection: " 516 | echo "" 517 | read selection 518 | case $selection in 519 | 1 ) exit ;; 520 | 521 | esac 522 | done 523 | 524 | echo "---------------------------" 525 | echo "[STIG ID] SV-37219r1_rule" 526 | echo "---------------------------" 527 | echo "" 528 | echo "[CHECK] Shared folders must be disabled." 529 | echo " 1. Open System Preferences -- Accounts Panel. " 530 | echo " 2. Click on Guest Account. " 531 | echo "[FIX] Ensure "Allow Guests to connect to shared folders" option is unchecked. If the option is checked, this is a finding." 532 | echo " 1. Open System Preferences -- Accounts Panel. " 533 | echo " 2. Click on Guest Account. " 534 | echo " 3. Deselect "Allow Guests to connect to shared folders"." 535 | echo "" 536 | echo "Enter 0 to skip this STIG/continue to the next." 537 | echo "Enter 1 to exit this script." 538 | selection= 539 | until [ "$selection" = "0" ]; do 540 | echo "" 541 | echo -n "Enter your selection: " 542 | echo "" 543 | read selection 544 | case $selection in 545 | 1 ) exit ;; 546 | 547 | esac 548 | done 549 | 550 | echo "---------------------------" 551 | echo "[STIG ID] SV-37221r1_rule" 552 | echo "---------------------------" 553 | echo "" 554 | echo "[CHECK] Login Window must be properly configured." 555 | echo " 1. Open System Preferences -- Accounts Panel. " 556 | echo " 2. Select Login Options. " 557 | echo "[FIX] Ensure "Display login window as:" is set to "Name and password". If the option is not set to "Name and Password", this is a finding." 558 | echo " 1. Open System Preferences -- Accounts Panel. " 559 | echo " 2. Select Login Options. " 560 | echo " 3. Set "Display login window as:" to 'Name and password'." 561 | echo "" 562 | echo "Enter 0 to skip this STIG/continue to the next." 
563 | echo "Enter 1 to exit this script." 564 | selection= 565 | until [ "$selection" = "0" ]; do 566 | echo "" 567 | echo -n "Enter your selection: " 568 | echo "" 569 | read selection 570 | case $selection in 571 | 1 ) exit ;; 572 | 573 | esac 574 | done 575 | 576 | echo "---------------------------" 577 | echo "[STIG ID] SV-37225r1_rule" 578 | echo "---------------------------" 579 | echo "" 580 | echo "[CHECK] Input menu must not be shown in login window." 581 | echo " 1. Open System Preferences -- Accounts Panel. " 582 | echo " 2. Select Login Options. " 583 | echo "[FIX] Ensure the "Show input menu in login window" is not checked. If the option is checked, this is a finding." 584 | echo " 1. Open System Preferences -- Accounts Panel. " 585 | echo " 2. Select Login Options. " 586 | echo " 3. Deselect "Show input menu in login window" to disable this option." 587 | echo "" 588 | echo "Enter 0 to skip this STIG/continue to the next." 589 | echo "Enter 1 to exit this script." 590 | selection= 591 | until [ "$selection" = "0" ]; do 592 | echo "" 593 | echo -n "Enter your selection: " 594 | echo "" 595 | read selection 596 | case $selection in 597 | 1 ) exit ;; 598 | 599 | esac 600 | done 601 | 602 | echo "---------------------------" 603 | echo "[STIG ID] SV-37223r1_rule" 604 | echo "---------------------------" 605 | echo "" 606 | echo "[CHECK] Restart, Sleep, and Shutdown buttons must not be shown prior to login." 607 | echo " 1. Open System Preferences -- Accounts Panel. " 608 | echo " 2. Select Login Options. " 609 | echo "[FIX] Ensure the "Show the Restart, Sleep, and Shutdown buttons" option is not checked. If the option is checked, this is a finding." 610 | echo " 1. Open System Preferences -- Accounts Panel. " 611 | echo " 2. Select Login Options. " 612 | echo " 3. Deselect the "Show the Restart, Sleep, and Shutdown buttons" to disable this option." 613 | echo "" 614 | echo "Enter 0 to skip this STIG/continue to the next." 
615 | echo "Enter 1 to exit this script." 616 | selection= 617 | until [ "$selection" = "0" ]; do 618 | echo "" 619 | echo -n "Enter your selection: " 620 | echo "" 621 | read selection 622 | case $selection in 623 | 1 ) exit ;; 624 | 625 | esac 626 | done 627 | 628 | echo "---------------------------" 629 | echo "[STIG ID] SV-37225r1_rule" 630 | echo "---------------------------" 631 | echo "" 632 | echo "[CHECK] Input menu must not be shown in login window." 633 | echo " 1. Open System Preferences -- Accounts Panel. " 634 | echo " 2. Select Login Options. " 635 | echo "[FIX] Ensure the "Show input menu in login window" is not checked. If the option is checked, this is a finding." 636 | echo " 1. Open System Preferences -- Accounts Panel. " 637 | echo " 2. Select Login Options. " 638 | echo " 3. Deselect "Show input menu in login window" to disable this option." 639 | echo "" 640 | echo "Enter 0 to skip this STIG/continue to the next." 641 | echo "Enter 1 to exit this script." 642 | selection= 643 | until [ "$selection" = "0" ]; do 644 | echo "" 645 | echo -n "Enter your selection: " 646 | echo "" 647 | read selection 648 | case $selection in 649 | 1 ) exit ;; 650 | 651 | esac 652 | done 653 | 654 | echo "---------------------------" 655 | echo "[STIG ID] SV-37226r1_rule" 656 | echo "---------------------------" 657 | echo "" 658 | echo "[CHECK] The system must be configured to not show password hints." 659 | echo " 1. Open System Preferences -- Accounts Panel. " 660 | echo " 2. Select Login Options. " 661 | echo "[FIX] Ensure the "Show password hints" is not checked. If the option is checked, this is a finding." 662 | echo " 1. Open System Preferences -- Accounts Panel. " 663 | echo " 2. Select Login Options. " 664 | echo " 3. Deselect "Show password hints" to disable this option." 665 | echo "" 666 | echo "Enter 0 to skip this STIG/continue to the next." 667 | echo "Enter 1 to exit this script." 
668 | selection= 669 | until [ "$selection" = "0" ]; do 670 | echo "" 671 | echo -n "Enter your selection: " 672 | echo "" 673 | read selection 674 | case $selection in 675 | 1 ) exit ;; 676 | 677 | esac 678 | done 679 | 680 | echo "---------------------------" 681 | echo "[STIG ID] SV-37229r1_rule" 682 | echo "---------------------------" 683 | echo "" 684 | echo "[CHECK] Fast User Switching must be disabled." 685 | echo " 1. Open System Preferences -- Accounts Panel." 686 | echo " 2. Select Login Options. " 687 | echo "[FIX] Ensure the "Enable Fast User Switching" is not checked. If the option is checked, this is a finding." 688 | echo " 1. Open System Preferences -- Accounts Panel." 689 | echo " 2. Select Login Options. " 690 | echo " 3. Deselect "Enable Fast User Switching" to disable this option." 691 | echo "" 692 | echo "Enter 0 to skip this STIG/continue to the next." 693 | echo "Enter 1 to exit this script." 694 | selection= 695 | until [ "$selection" = "0" ]; do 696 | echo "" 697 | echo -n "Enter your selection: " 698 | echo "" 699 | read selection 700 | case $selection in 701 | 1 ) exit ;; 702 | 703 | esac 704 | done 705 | 706 | echo "---------------------------" 707 | echo "[STIG ID] SV-38532r1_rule" 708 | echo "---------------------------" 709 | echo "" 710 | echo "[CHECK] The password-related hint field must not be used." 711 | echo " 1. Open System Preferences -- Accounts Panel, for each account. " 712 | echo " 2. Click 'reset password' [Change Password for current user]. " 713 | echo "[FIX] If any accounts have hints data, this is a finding." 714 | echo " 1. Open System Preferences -- Accounts Panel, for each account. " 715 | echo " 2. Click 'reset password' [Change Password for current user]. " 716 | echo " 3. Remove any data in the password hints field. " 717 | echo " The password Hints Field may include contact information for the organization's technical support." 718 | echo "" 719 | echo "Enter 0 to skip this STIG/continue to the next." 
720 | echo "Enter 1 to exit this script." 721 | selection= 722 | until [ "$selection" = "0" ]; do 723 | echo "" 724 | echo -n "Enter your selection: " 725 | echo "" 726 | read selection 727 | case $selection in 728 | 1 ) exit ;; 729 | 730 | esac 731 | done 732 | 733 | echo "---------------------------" 734 | echo "[STIG ID] SV-37230r1_rule" 735 | echo "---------------------------" 736 | echo "" 737 | echo "[CHECK] Automatic actions must be disabled for blank CDs." 738 | echo " 1. Open System Preferences -- CDs and DVDs. " 739 | echo "[FIX] Ensure "When you insert a blank CD:" is set to "Ignore". If the option is not set to "Ignore", this is a finding." 740 | echo " 1. Open System Preferences -- CDs and DVDs. " 741 | echo " 2. Set "When you insert a blank CD:" to "Ignore"." 742 | echo "" 743 | echo "Enter 0 to skip this STIG/continue to the next." 744 | echo "Enter 1 to exit this script." 745 | selection= 746 | until [ "$selection" = "0" ]; do 747 | echo "" 748 | echo -n "Enter your selection: " 749 | echo "" 750 | read selection 751 | case $selection in 752 | 1 ) exit ;; 753 | 754 | esac 755 | done 756 | 757 | echo "---------------------------" 758 | echo "[STIG ID] SV-37333r1_rule" 759 | echo "---------------------------" 760 | echo "" 761 | echo "[CHECK] Automatic actions must be disabled for blank DVDs." 762 | echo " 1. Open System Preferences -- CDs and DVDs. " 763 | echo "[FIX] Ensure "When you insert a blank DVD:" is set to "Ignore". If the option is not set to "Ignore", this is a finding." 764 | echo " 1. Open System Preferences -- CDs and DVDs. " 765 | echo " 2. Set "When you insert a blank DVD:" to "Ignore"." 766 | echo "" 767 | echo "Enter 0 to skip this STIG/continue to the next." 768 | echo "Enter 1 to exit this script." 
769 | selection= 770 | until [ "$selection" = "0" ]; do 771 | echo "" 772 | echo -n "Enter your selection: " 773 | echo "" 774 | read selection 775 | case $selection in 776 | 1 ) exit ;; 777 | 778 | esac 779 | done 780 | 781 | echo "---------------------------" 782 | echo "[STIG ID] SV-37231r1_rule" 783 | echo "---------------------------" 784 | echo "" 785 | echo "[CHECK] Automatic actions must be disabled for music CDs." 786 | echo " 1. Open System Preferences -- CDs and DVDs. " 787 | echo "[FIX] Ensure "When you insert a music CD:" is set to "Ignore". If the option is not set to "Ignore", this is a finding." 788 | echo " 1. Open System Preferences -- CDs and DVDs. " 789 | echo " 2. Set "When you insert a music CD:" to "Ignore"." 790 | echo "" 791 | echo "Enter 0 to skip this STIG/continue to the next." 792 | echo "Enter 1 to exit this script." 793 | selection= 794 | until [ "$selection" = "0" ]; do 795 | echo "" 796 | echo -n "Enter your selection: " 797 | echo "" 798 | read selection 799 | case $selection in 800 | 1 ) exit ;; 801 | 802 | esac 803 | done 804 | 805 | echo "---------------------------" 806 | echo "[STIG ID] SV-37235r1_rule" 807 | echo "---------------------------" 808 | echo "" 809 | echo "[CHECK] Automatic actions must be disabled for picture CDs." 810 | echo " 1. Open System Preferences -- CDs and DVDs. " 811 | echo "[FIX] Ensure "When you insert a picture CD:" is set to "Ignore". If the option is not set to "Ignore", this is a finding." 812 | echo " 1. Open System Preferences -- CDs and DVDs. " 813 | echo " 2. Set "When you insert a picture CD:" to "Ignore"." 814 | echo "" 815 | echo "Enter 0 to skip this STIG/continue to the next." 816 | echo "Enter 1 to exit this script." 
817 | selection= 818 | until [ "$selection" = "0" ]; do 819 | echo "" 820 | echo -n "Enter your selection: " 821 | echo "" 822 | read selection 823 | case $selection in 824 | 1 ) exit ;; 825 | 826 | esac 827 | done 828 | 829 | echo "---------------------------" 830 | echo "[STIG ID] SV-37236r1_rule" 831 | echo "---------------------------" 832 | echo "" 833 | echo "[CHECK] Automatic actions must be disabled for video DVDs." 834 | echo " 1. Open System Preferences -- CDs and DVDs. " 835 | echo "[FIX] Ensure "When you insert a video DVD:" is set to "Ignore". If the option is not set to "Ignore", this is a finding." 836 | echo " 1. Open System Preferences -- CDs and DVDs. " 837 | echo " 2. Set "When you insert a video DVD:" to "Ignore"." 838 | echo "" 839 | echo "Enter 0 to skip this STIG/continue to the next." 840 | echo "Enter 1 to exit this script." 841 | selection= 842 | until [ "$selection" = "0" ]; do 843 | echo "" 844 | echo -n "Enter your selection: " 845 | echo "" 846 | read selection 847 | case $selection in 848 | 1 ) exit ;; 849 | 850 | esac 851 | done 852 | 853 | echo "---------------------------" 854 | echo "[STIG ID] SV-38533r1_rule" 855 | echo "---------------------------" 856 | echo "" 857 | echo "[CHECK] System must have a password-protected screen saver configured to DoD requirements." 858 | echo " 1. Open System Preferences -- Desktop and Screen Saver. " 859 | echo "[FIX] Select the screen saver tab. Ensure the "Start screen saver" slider is set to 15 minutes or less. If not, this is a finding." 860 | echo " 1. Open System Preferences -- Desktop and Screen Saver. " 861 | echo " 2. Select the screen saver tab. " 862 | echo " 3. Set the "Start screen saver" slider to 15 minutes or less. " 863 | echo "" 864 | echo "Enter 0 to skip this STIG/continue to the next." 865 | echo "Enter 1 to exit this script." 
866 | selection= 867 | until [ "$selection" = "0" ]; do 868 | echo "" 869 | echo -n "Enter your selection: " 870 | echo "" 871 | read selection 872 | case $selection in 873 | 1 ) exit ;; 874 | 875 | esac 876 | done 877 | 878 | echo "---------------------------" 879 | echo "[STIG ID] SV-38534r1_rule" 880 | echo "---------------------------" 881 | echo "" 882 | echo "[CHECK] The system must not be allowed to restart after a power failure." 883 | echo " 1. Open System Preferences -- Energy Saver -- Options Pane. " 884 | echo "[FIX] Ensure "Restart automatically after a power failure" is not checked. If the option is checked, this is a finding." 885 | echo " 1. Open System Preferences -- Energy Saver -- Options Pane. " 886 | echo " 2. Deselect "Restart automatically after a power failure" to disable this option. " 887 | echo " For some Mac Books systems the "Restart automatically after a power failure" option is located on the "Power Adapter" pane. " 888 | echo "" 889 | echo "Enter 0 to skip this STIG/continue to the next." 890 | echo "Enter 1 to exit this script." 891 | selection= 892 | until [ "$selection" = "0" ]; do 893 | echo "" 894 | echo -n "Enter your selection: " 895 | echo "" 896 | read selection 897 | case $selection in 898 | 1 ) exit ;; 899 | 900 | esac 901 | done 902 | 903 | echo "---------------------------" 904 | echo "[STIG ID] SV-37242r1_rule" 905 | echo "---------------------------" 906 | echo "" 907 | echo "[CHECK] The ability to use corners to disable the screen saver must be disabled." 908 | echo " 1. Open System Preferences -- Expose and Spaces, Expose pane. " 909 | echo "[FIX] Ensure no corners are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account. If any account is set to disable screen savers via corners, this is a finding." 910 | echo " 1. Open System Preferences -- Expose and Spaces, Expose pane. " 911 | echo " 2. 
Remove any corners which are set to "Disable Screen saver" in the "Active Screen Corners" section for each user account." 912 | echo "" 913 | echo "Enter 0 to skip this STIG/continue to the next." 914 | echo "Enter 1 to exit this script." 915 | selection= 916 | until [ "$selection" = "0" ]; do 917 | echo "" 918 | echo -n "Enter your selection: " 919 | echo "" 920 | read selection 921 | case $selection in 922 | 1 ) exit ;; 923 | 924 | esac 925 | done 926 | 927 | echo "---------------------------" 928 | echo "[STIG ID] SV-38535r1_rule" 929 | echo "---------------------------" 930 | echo "" 931 | echo "[CHECK] Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer." 932 | echo " 1. Open System Preferences -- Open Keyboard and Mouse preferences. " 933 | echo " 2. Click Bluetooth tab. " 934 | echo "[FIX] Ensure "Allow Bluetooth devices to wake this computer" is not checked. If the option is checked, this is a finding." 935 | echo "" 936 | echo "Enter 0 to skip this STIG/continue to the next." 937 | echo "Enter 1 to exit this script." 938 | selection= 939 | until [ "$selection" = "0" ]; do 940 | echo "" 941 | echo -n "Enter your selection: " 942 | echo "" 943 | read selection 944 | case $selection in 945 | 1 ) exit ;; 946 | 947 | esac 948 | done 949 | 950 | echo "---------------------------" 951 | echo "[STIG ID] SV-38535r1_rule" 952 | echo "---------------------------" 953 | echo "" 954 | echo "[CHECK] Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer." 955 | echo " 1. Open System Preferences -- Open Keyboard and Mouse preferences." 956 | echo " 2. Click Bluetooth tab." 957 | echo "[FIX] Ensure "Allow Bluetooth devices to wake this computer" is not checked. If the option is checked, this is a finding." 
958 | echo " 1. Open System Preferences -- Keyboard and Mouse preferences." 959 | echo " 2. Click Bluetooth tab." 960 | echo " 3. Deselect "Allow Bluetooth devices to wake this computer"." 961 | echo "" 962 | echo "Enter 0 to skip this STIG/continue to the next." 963 | echo "Enter 1 to exit this script." 964 | selection= 965 | until [ "$selection" = "0" ]; do 966 | echo "" 967 | echo -n "Enter your selection: " 968 | echo "" 969 | read selection 970 | case $selection in 971 | 1 ) exit ;; 972 | 973 | esac 974 | done 975 | 976 | echo "---------------------------" 977 | echo "[STIG ID] SV-37245r1_rule" 978 | echo "---------------------------" 979 | echo "" 980 | echo "[CHECK] Unused hardware devices must be disabled for Airport." 981 | echo " 1. Open System Preferences -- Network." 982 | echo " 2. From the list of hardware devices, select AirPort." 983 | echo "[FIX] Ensure the "Status" is set to "Inactive". If the service is not inactive or removed, this is a finding." 984 | echo " 1. Open System Preferences -- Network." 985 | echo " 2. From the list of hardware devices, select AirPort." 986 | echo " 3. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. [From the "Configure" pop-up menu, choose “Manually”.]" 987 | echo "" 988 | echo "Enter 0 to skip this STIG/continue to the next." 989 | echo "Enter 1 to exit this script." 990 | selection= 991 | until [ "$selection" = "0" ]; do 992 | echo "" 993 | echo -n "Enter your selection: " 994 | echo "" 995 | read selection 996 | case $selection in 997 | 1 ) exit ;; 998 | 999 | esac 1000 | done 1001 | 1002 | echo "---------------------------" 1003 | echo "[STIG ID] SV-38536r1_rule" 1004 | echo "---------------------------" 1005 | echo "" 1006 | echo "[CHECK] Unused hardware devices must be disabled for Bluetooth." 1007 | echo " 1. Open System Preferences -- Network." 1008 | echo " 2. 
From the list of hardware devices, select Bluetooth." 1009 | echo "[FIX] Ensure the "Status" is set to "Inactive". If the service is not inactive or removed, this is a finding." 1010 | echo " 1. Open System Preferences -- Network." 1011 | echo " 2. From the list of hardware devices, select Bluetooth." 1012 | echo " 3. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. [From the "Configure" pop-up menu, choose “Manually”.] " 1013 | echo "" 1014 | echo "Enter 0 to skip this STIG/continue to the next." 1015 | echo "Enter 1 to exit this script." 1016 | selection= 1017 | until [ "$selection" = "0" ]; do 1018 | echo "" 1019 | echo -n "Enter your selection: " 1020 | echo "" 1021 | read selection 1022 | case $selection in 1023 | 1 ) exit ;; 1024 | 1025 | esac 1026 | done 1027 | 1028 | echo "---------------------------" 1029 | echo "[STIG ID] SV-38538r1_rule" 1030 | echo "---------------------------" 1031 | echo "" 1032 | echo "[CHECK] Unused hardware devices must be disabled for Firewire." 1033 | echo " 1. Open System Preferences -- Network." 1034 | echo " 2. From the list of hardware devices, select Firewire." 1035 | echo "[FIX] Ensure the "Status" is set to "Inactive". If the service is not set to inactive or removed, this is a finding." 1036 | echo " 1. Open System Preferences -- Network." 1037 | echo " 2. From the list of hardware devices, select Firewire." 1038 | echo " 3. Set this service to "Inactive" by clicking the gear sign and selecting "Make Service Inactive". Remove service if required by site requirements by clicking the minus sign. [From the "Configure" pop-up menu, choose “Manually”.] " 1039 | echo "" 1040 | echo "Enter 0 to skip this STIG/continue to the next." 1041 | echo "Enter 1 to exit this script." 
1042 | selection= 1043 | until [ "$selection" = "0" ]; do 1044 | echo "" 1045 | echo -n "Enter your selection: " 1046 | echo "" 1047 | read selection 1048 | case $selection in 1049 | 1 ) exit ;; 1050 | 1051 | esac 1052 | done 1053 | 1054 | echo "---------------------------" 1055 | echo "[STIG ID] SV-37247r1_rule" 1056 | echo "---------------------------" 1057 | echo "" 1058 | echo "[CHECK] System Preferences must be securely configured so IPv6 is turned off if not being used." 1059 | echo " 1. Open System Preferences -- Network." 1060 | echo " 2. Click Advanced." 1061 | echo " 3. Click the TCP/IP tab." 1062 | echo "[FIX] Ensure "Configure IPv6" is set to "Off". If option is not set to "Off", this is a finding. This must be checked on all network interfaces" 1063 | echo " 1. Open System Preferences -- Network." 1064 | echo " 2. Click Advanced." 1065 | echo " 3. Click the TCP/IP tab and set "Configure IPv6" to "Off", if not actively being used. Note: This must be disabled on each network interface." 1066 | echo "" 1067 | echo "Enter 0 to skip this STIG/continue to the next." 1068 | echo "Enter 1 to exit this script." 1069 | selection= 1070 | until [ "$selection" = "0" ]; do 1071 | echo "" 1072 | echo -n "Enter your selection: " 1073 | echo "" 1074 | read selection 1075 | case $selection in 1076 | 1 ) exit ;; 1077 | 1078 | esac 1079 | done 1080 | 1081 | echo "---------------------------" 1082 | echo "[STIG ID] SV-38539r1_rule" 1083 | echo "---------------------------" 1084 | echo "" 1085 | echo "[CHECK] Auto play of movies must be disabled." 1086 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1087 | echo "[FIX] Ensure "Play Movies Automatically" is not checked. If the option is checked, this is a finding." 1088 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1089 | echo " 2. Deselect "Play Movies Automatically"." 1090 | echo "" 1091 | echo "Enter 0 to skip this STIG/continue to the next." 1092 | echo "Enter 1 to exit this script." 
1093 | selection= 1094 | until [ "$selection" = "0" ]; do 1095 | echo "" 1096 | echo -n "Enter your selection: " 1097 | echo "" 1098 | read selection 1099 | case $selection in 1100 | 1 ) exit ;; 1101 | 1102 | esac 1103 | done 1104 | 1105 | echo "---------------------------" 1106 | echo "[STIG ID] SV-38539r1_rule" 1107 | echo "---------------------------" 1108 | echo "" 1109 | echo "[CHECK] Auto play of movies must be disabled." 1110 | echo "[NOTE] Could not find this one in the preferences." 1111 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1112 | echo "[FIX] Ensure "Play Movies Automatically" is not checked. If the option is checked, this is a finding." 1113 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1114 | echo " 2. Deselect "Play Movies Automatically"." 1115 | echo "" 1116 | echo "Enter 0 to skip this STIG/continue to the next." 1117 | echo "Enter 1 to exit this script." 1118 | selection= 1119 | until [ "$selection" = "0" ]; do 1120 | echo "" 1121 | echo -n "Enter your selection: " 1122 | echo "" 1123 | read selection 1124 | case $selection in 1125 | 1 ) exit ;; 1126 | 1127 | esac 1128 | done 1129 | 1130 | echo "---------------------------" 1131 | echo "[STIG ID] SV-38217r1_rule" 1132 | echo "---------------------------" 1133 | echo "" 1134 | echo "[CHECK] The disk cache for movies must be disabled." 1135 | echo "[NOTE] Could not find this one in the preferences." 1136 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1137 | echo "[FIX] Ensure "Save Movies in disk cache" is not checked. If option is checked, this is a finding." 1138 | echo " 1. Open System Preferences -- QuickTime, Browser Pane." 1139 | echo " 2. Deselect "Save Movies in disk cache"." 1140 | echo "" 1141 | echo "Enter 0 to skip this STIG/continue to the next." 1142 | echo "Enter 1 to exit this script." 
1143 | selection= 1144 | until [ "$selection" = "0" ]; do 1145 | echo "" 1146 | echo -n "Enter your selection: " 1147 | echo "" 1148 | read selection 1149 | case $selection in 1150 | 1 ) exit ;; 1151 | 1152 | esac 1153 | done 1154 | 1155 | echo "---------------------------" 1156 | echo "[STIG ID] SV-38557r1_rule" 1157 | echo "---------------------------" 1158 | echo "" 1159 | echo "[CHECK] QuickTime Advanced preferences must be securely configured." 1160 | echo "[NOTE] Could not find this one in the preferences." 1161 | echo " 1. Open System Preferences -- QuickTime." 1162 | echo " 2. Click Advanced tab." 1163 | echo "[FIX] Ensure "Enable Kiosk Mode" is selected. If setting is not checked, this is a finding." 1164 | echo " 1. Open System Preferences -- QuickTime, Advanced Pane." 1165 | echo " 2. Select "Enable Kiosk Mode"." 1166 | echo "" 1167 | echo "Enter 0 to skip this STIG/continue to the next." 1168 | echo "Enter 1 to exit this script." 1169 | selection= 1170 | until [ "$selection" = "0" ]; do 1171 | echo "" 1172 | echo -n "Enter your selection: " 1173 | echo "" 1174 | read selection 1175 | case $selection in 1176 | 1 ) exit ;; 1177 | 1178 | esac 1179 | done 1180 | 1181 | echo "---------------------------" 1182 | echo "[STIG ID] SV-38560r1_rule" 1183 | echo "---------------------------" 1184 | echo "" 1185 | echo "[CHECK] A password must be required to wake a computer from sleep or screen saver." 1186 | echo " 1. Open System Preferences -- Security." 1187 | echo " 2. Select General tab." 1188 | echo "[FIX] Ensure "Require password to wake this computer from sleep or screen saver" is checked. If option is not checked, this is a finding." 1189 | echo " 1. Open System Preferences -- Security." 1190 | echo " 2. Select General tab." 1191 | echo " 3. Select "Require password to wake this computer from sleep or screen saver"." 1192 | echo "" 1193 | echo "Enter 0 to skip this STIG/continue to the next." 1194 | echo "Enter 1 to exit this script." 
1195 | selection= 1196 | until [ "$selection" = "0" ]; do 1197 | echo "" 1198 | echo -n "Enter your selection: " 1199 | echo "" 1200 | read selection 1201 | case $selection in 1202 | 1 ) exit ;; 1203 | 1204 | esac 1205 | done 1206 | 1207 | echo "---------------------------" 1208 | echo "[STIG ID] SV-37251r1_rule" 1209 | echo "---------------------------" 1210 | echo "" 1211 | echo "[CHECK] Automatic login must be disabled." 1212 | echo " 1. Open System Preferences -- Security." 1213 | echo " 2. Select General tab." 1214 | echo "[FIX] Ensure "Disable automatic login" option is checked. If option is not checked, this is a finding." 1215 | echo " 1. Open System Preferences -- Security." 1216 | echo " 2. Select General tab." 1217 | echo " 3. Select "Disable automatic login"." 1218 | echo "" 1219 | echo "Enter 0 to skip this STIG/continue to the next." 1220 | echo "Enter 1 to exit this script." 1221 | selection= 1222 | until [ "$selection" = "0" ]; do 1223 | echo "" 1224 | echo -n "Enter your selection: " 1225 | echo "" 1226 | read selection 1227 | case $selection in 1228 | 1 ) exit ;; 1229 | 1230 | esac 1231 | done 1232 | 1233 | echo "---------------------------" 1234 | echo "[STIG ID] SV-37254r1_rule" 1235 | echo "---------------------------" 1236 | echo "" 1237 | echo "[CHECK] A password must be required to unlock each System Preference Pane." 1238 | echo " 1. Open System Preferences -- Security." 1239 | echo " 2. Select General tab." 1240 | echo "[FIX] Ensure "Require password to unlock each System Preferences Pane" is checked. If option is not checked, this is a finding." 1241 | echo " 1. Open System Preferences -- Security. " 1242 | echo " 2. Select General tab. " 1243 | echo " 3. Select "Require password to unlock each System Preferences Pane"." 1244 | echo "" 1245 | echo "Enter 0 to skip this STIG/continue to the next." 1246 | echo "Enter 1 to exit this script." 
1247 | selection= 1248 | until [ "$selection" = "0" ]; do 1249 | echo "" 1250 | echo -n "Enter your selection: " 1251 | echo "" 1252 | read selection 1253 | case $selection in 1254 | 1 ) exit ;; 1255 | 1256 | esac 1257 | done 1258 | 1259 | echo "---------------------------" 1260 | echo "[STIG ID] SV-37262r1_rule" 1261 | echo "---------------------------" 1262 | echo "" 1263 | echo "[CHECK] Automatic logout due to inactivity must be disabled." 1264 | echo " 1. Open System Preferences -- Security. " 1265 | echo " 2. Select General tab. " 1266 | echo "[FIX] Ensure "Log out after x minutes of inactivity" is not checked. If it is checked, this is a finding." 1267 | echo " 1. Open System Preferences -- Security. " 1268 | echo " 2. Select General tab. " 1269 | echo " 3. Deselect "Log out after x minutes of inactivity"." 1270 | echo "" 1271 | echo "Enter 0 to skip this STIG/continue to the next." 1272 | echo "Enter 1 to exit this script." 1273 | selection= 1274 | until [ "$selection" = "0" ]; do 1275 | echo "" 1276 | echo -n "Enter your selection: " 1277 | echo "" 1278 | read selection 1279 | case $selection in 1280 | 1 ) exit ;; 1281 | 1282 | esac 1283 | done 1284 | 1285 | echo "---------------------------" 1286 | echo "[STIG ID] SV-37263r1_rule" 1287 | echo "---------------------------" 1288 | echo "" 1289 | echo "[CHECK] Secure virtual memory must be used." 1290 | echo " 1. Open System Preferences -- Security. " 1291 | echo " 2. Select General tab. " 1292 | echo "[FIX] Ensure "Use Secure Virtual Memory" is checked. If option is not checked, this is a finding." 1293 | echo " 1. Open System Preferences -- Security. " 1294 | echo " 2. Select General tab. " 1295 | echo " 3. Select "Use Secure Virtual Memory"." 1296 | echo "" 1297 | echo "Enter 0 to skip this STIG/continue to the next." 1298 | echo "Enter 1 to exit this script." 
1299 | selection= 1300 | until [ "$selection" = "0" ]; do 1301 | echo "" 1302 | echo -n "Enter your selection: " 1303 | echo "" 1304 | read selection 1305 | case $selection in 1306 | 1 ) exit ;; 1307 | 1308 | esac 1309 | done 1310 | 1311 | echo "---------------------------" 1312 | echo "[STIG ID] SV-38561r1_rule" 1313 | echo "---------------------------" 1314 | echo "" 1315 | echo "[CHECK] Remote control infrared receiver must be disabled." 1316 | echo "[CHECK] If you deleted the Kext file(s) for infrared in a previous step, you won't find this in the preferences." 1317 | echo " 1. Open System Preferences -- Security. " 1318 | echo " 2. Select General tab. " 1319 | echo "[FIX] Ensure "Disable remote control infrared receiver" is checked. If the option is not checked, this is a finding." 1320 | echo " 1. Open System Preferences -- Security. " 1321 | echo " 2. Select General tab. " 1322 | echo " 3. Select "Disable remote control infrared receiver"." 1323 | echo "" 1324 | echo "Enter 0 to skip this STIG/continue to the next." 1325 | echo "Enter 1 to exit this script." 1326 | selection= 1327 | until [ "$selection" = "0" ]; do 1328 | echo "" 1329 | echo -n "Enter your selection: " 1330 | echo "" 1331 | read selection 1332 | case $selection in 1333 | 1 ) exit ;; 1334 | 1335 | esac 1336 | done 1337 | 1338 | echo "---------------------------" 1339 | echo "[STIG ID] SV-38563r1_rule" 1340 | echo "---------------------------" 1341 | echo "" 1342 | echo "[CHECK] Only essential services must be allowed through firewall." 1343 | echo " 1. Open System Preferences -- Security. " 1344 | echo " 2. Select Firewall tab. " 1345 | echo " 3. Select Advanced." 1346 | echo "[FIX] Review the Allowed services, only essential services and applications should be allowed. If not, this is a finding." 1347 | echo " 1. Open System Preferences -- Security. " 1348 | echo " 2. Select Firewall tab. " 1349 | echo " 3. Select the Advanced button. " 1350 | echo " 4. 
Remove any non-essential services and applications. " 1351 | echo "" 1352 | echo "Enter 0 to skip this STIG/continue to the next." 1353 | echo "Enter 1 to exit this script." 1354 | selection= 1355 | until [ "$selection" = "0" ]; do 1356 | echo "" 1357 | echo -n "Enter your selection: " 1358 | echo "" 1359 | read selection 1360 | case $selection in 1361 | 1 ) exit ;; 1362 | 1363 | esac 1364 | done 1365 | 1366 | echo "---------------------------" 1367 | echo "[STIG ID] SV-38565r1_rule" 1368 | echo "---------------------------" 1369 | echo "" 1370 | echo "[CHECK] Firewall logging must be enabled." 1371 | echo " 1. Open System Preferences -- Security. " 1372 | echo " 2. Select Firewall tab. " 1373 | echo " 3. Click on Advanced. " 1374 | echo "[FIX] Ensure "Enable Firewall logging" is checked. If option is not checked, this is a finding. If the Mac OS X firewall has not been configured this setting will be unavailable." 1375 | echo " 1. Open System Preferences -- Security. " 1376 | echo " 2. Select Firewall tab. " 1377 | echo " 3. Click on Advanced. " 1378 | echo " 4. Select "Enable Firewall logging". " 1379 | echo "" 1380 | echo "Enter 0 to skip this STIG/continue to the next." 1381 | echo "Enter 1 to exit this script." 1382 | selection= 1383 | until [ "$selection" = "0" ]; do 1384 | echo "" 1385 | echo -n "Enter your selection: " 1386 | echo "" 1387 | read selection 1388 | case $selection in 1389 | 1 ) exit ;; 1390 | 1391 | esac 1392 | done 1393 | 1394 | echo "---------------------------" 1395 | echo "[STIG ID] SV-37266r1_rule" 1396 | echo "---------------------------" 1397 | echo "" 1398 | echo "[CHECK] Stealth Mode must be enabled on the firewall. This check applies to mobile platforms only." 1399 | echo " 1. Open System Preferences -- Security. " 1400 | echo " 2. Select Firewall tab. " 1401 | echo " 3. Click on Advanced. " 1402 | echo "[FIX] Ensure "Enable Stealth mode" is checked. If the option is not checked, this is a finding." 1403 | echo " 1. 
Open System Preferences -- Security. " 1404 | echo " 2. Select Firewall tab. " 1405 | echo " 3. Click on Advanced. " 1406 | echo " 4. Select "Enable Stealth mode". " 1407 | echo "" 1408 | echo "Enter 0 to skip this STIG/continue to the next." 1409 | echo "Enter 1 to exit this script." 1410 | selection= 1411 | until [ "$selection" = "0" ]; do 1412 | echo "" 1413 | echo -n "Enter your selection: " 1414 | echo "" 1415 | read selection 1416 | case $selection in 1417 | 1 ) exit ;; 1418 | 1419 | esac 1420 | done 1421 | 1422 | echo "---------------------------" 1423 | echo "[STIG ID] SV-37268r1_rule" 1424 | echo "---------------------------" 1425 | echo "" 1426 | echo "[CHECK] DVD or CD Sharing must be disabled." 1427 | echo " 1. Open System Preferences -- Sharing. " 1428 | echo "[FIX] Ensure "DVD or CD Sharing" service does not have the "On" box checked. If the box is checked, this is a finding." 1429 | echo " 1. Open System Preferences -- Sharing. " 1430 | echo " 2. Uncheck the "On" box for "DVD or CD Sharing" service. " 1431 | echo "" 1432 | echo "Enter 0 to skip this STIG/continue to the next." 1433 | echo "Enter 1 to exit this script." 1434 | selection= 1435 | until [ "$selection" = "0" ]; do 1436 | echo "" 1437 | echo -n "Enter your selection: " 1438 | echo "" 1439 | read selection 1440 | case $selection in 1441 | 1 ) exit ;; 1442 | 1443 | esac 1444 | done 1445 | 1446 | echo "---------------------------" 1447 | echo "[STIG ID] SV-37273r1_rule" 1448 | echo "---------------------------" 1449 | echo "" 1450 | echo "[CHECK] Screen Sharing must be disabled." 1451 | echo " 1. Open System Preferences -- Sharing. " 1452 | echo "[FIX] Ensure "Screen Sharing" service does not have the "On" box checked. If the box is checked, this is a finding." 1453 | echo " 1. Open System Preferences -- Sharing. " 1454 | echo " 2. Uncheck the "On" box for "Screen Sharing" service." 1455 | echo "" 1456 | echo "Enter 0 to skip this STIG/continue to the next." 
1457 | echo "Enter 1 to exit this script." 1458 | selection= 1459 | until [ "$selection" = "0" ]; do 1460 | echo "" 1461 | echo -n "Enter your selection: " 1462 | echo "" 1463 | read selection 1464 | case $selection in 1465 | 1 ) exit ;; 1466 | 1467 | esac 1468 | done 1469 | 1470 | echo "---------------------------" 1471 | echo "[STIG ID] SV-37274r1_rule" 1472 | echo "---------------------------" 1473 | echo "" 1474 | echo "[CHECK] File Sharing must be disabled." 1475 | echo " 1. Open System Preferences -- Sharing. " 1476 | echo "[FIX] Ensure the "On" box for "File Sharing" service is not checked. If the box is checked, this is a finding." 1477 | echo " 1. Open System Preferences -- Sharing. " 1478 | echo " 2. Uncheck the "On" box for "File Sharing" service." 1479 | echo "" 1480 | echo "Enter 0 to skip this STIG/continue to the next." 1481 | echo "Enter 1 to exit this script." 1482 | selection= 1483 | until [ "$selection" = "0" ]; do 1484 | echo "" 1485 | echo -n "Enter your selection: " 1486 | echo "" 1487 | read selection 1488 | case $selection in 1489 | 1 ) exit ;; 1490 | 1491 | esac 1492 | done 1493 | 1494 | echo "---------------------------" 1495 | echo "[STIG ID] SV-37278r1_rule" 1496 | echo "---------------------------" 1497 | echo "" 1498 | echo "[CHECK] Printer Sharing must be disabled." 1499 | echo " 1. Open System Preferences -- Sharing. " 1500 | echo "[FIX] Ensure the "On" box for "Printer Sharing" service is not checked. If the box is checked, this is a finding." 1501 | echo " 1. Open System Preferences -- Sharing. " 1502 | echo " 2. Uncheck the "On" box for "Printer Sharing" service." 1503 | echo "" 1504 | echo "Enter 0 to skip this STIG/continue to the next." 1505 | echo "Enter 1 to exit this script." 
1506 | selection= 1507 | until [ "$selection" = "0" ]; do 1508 | echo "" 1509 | echo -n "Enter your selection: " 1510 | echo "" 1511 | read selection 1512 | case $selection in 1513 | 1 ) exit ;; 1514 | 1515 | esac 1516 | done 1517 | 1518 | echo "---------------------------" 1519 | echo "[STIG ID] SV-37282r1_rule" 1520 | echo "---------------------------" 1521 | echo "" 1522 | echo "[CHECK] Web Sharing must be disabled." 1523 | echo " 1. Open System Preferences -- Sharing. " 1524 | echo "[FIX] Ensure the "On" box for "Web Sharing" service is not checked. If the box is checked, this is a finding." 1525 | echo " 1. Open System Preferences -- Sharing. " 1526 | echo " 2. Uncheck the "On" box for "Web Sharing" service." 1527 | echo "" 1528 | echo "Enter 0 to skip this STIG/continue to the next." 1529 | echo "Enter 1 to exit this script." 1530 | selection= 1531 | until [ "$selection" = "0" ]; do 1532 | echo "" 1533 | echo -n "Enter your selection: " 1534 | echo "" 1535 | read selection 1536 | case $selection in 1537 | 1 ) exit ;; 1538 | 1539 | esac 1540 | done 1541 | 1542 | echo "---------------------------" 1543 | echo "[STIG ID] SV-37284r1_rule" 1544 | echo "---------------------------" 1545 | echo "" 1546 | echo "[CHECK] Remote Login must be disabled." 1547 | echo " 1. Open System Preferences -- Sharing. " 1548 | echo "[FIX] Ensure the "On" box for "Remote Login" service is not checked. If the box is checked, this is a finding." 1549 | echo "1. Open System Preferences -- Sharing. " 1550 | echo "2. Uncheck the "On" box for "Remote Login" service. " 1551 | echo "" 1552 | echo "Enter 0 to skip this STIG/continue to the next." 1553 | echo "Enter 1 to exit this script." 
1554 | selection= 1555 | until [ "$selection" = "0" ]; do 1556 | echo "" 1557 | echo -n "Enter your selection: " 1558 | echo "" 1559 | read selection 1560 | case $selection in 1561 | 1 ) exit ;; 1562 | 1563 | esac 1564 | done 1565 | 1566 | echo "---------------------------" 1567 | echo "[STIG ID] SV-37288r1_rule" 1568 | echo "---------------------------" 1569 | echo "" 1570 | echo "[CHECK] Apple Remote Desktop must be disabled." 1571 | echo " 1. Open System Preferences -- Sharing. " 1572 | echo "[FIX] Ensure the "On" box for "Remote Management" service is not checked. If the box is checked, this is a finding." 1573 | echo " 1. Open System Preferences -- Sharing. " 1574 | echo " 2. Uncheck the "On" box for "Remote Management" service." 1575 | echo "" 1576 | echo "Enter 0 to skip this STIG/continue to the next." 1577 | echo "Enter 1 to exit this script." 1578 | selection= 1579 | until [ "$selection" = "0" ]; do 1580 | echo "" 1581 | echo -n "Enter your selection: " 1582 | echo "" 1583 | read selection 1584 | case $selection in 1585 | 1 ) exit ;; 1586 | 1587 | esac 1588 | done 1589 | 1590 | echo "---------------------------" 1591 | echo "[STIG ID] SV-37290r1_rule" 1592 | echo "---------------------------" 1593 | echo "" 1594 | echo "[CHECK] Remote Apple Events must be disabled." 1595 | echo " 1. Open System Preferences -- Sharing. " 1596 | echo "[FIX] Ensure the "On" box for "Remote Apple Events" service is not checked. If the box is checked, this is a finding." 1597 | echo " 1. Open System Preferences -- Sharing. " 1598 | echo " 2. Uncheck the "On" box for "Remote Apple Events" service." 1599 | echo "" 1600 | echo "Enter 0 to skip this STIG/continue to the next." 1601 | echo "Enter 1 to exit this script." 
1602 | selection= 1603 | until [ "$selection" = "0" ]; do 1604 | echo "" 1605 | echo -n "Enter your selection: " 1606 | echo "" 1607 | read selection 1608 | case $selection in 1609 | 1 ) exit ;; 1610 | 1611 | esac 1612 | done 1613 | 1614 | echo "---------------------------" 1615 | echo "[STIG ID] SV-37293r1_rule" 1616 | echo "---------------------------" 1617 | echo "" 1618 | echo "[CHECK] Xgrid Sharing must be disabled." 1619 | echo " 1. Open System Preferences -- Sharing. " 1620 | echo "[FIX] Ensure the "On" box for "Xgrid Sharing" service is not checked. If the box is checked, this is a finding." 1621 | echo " 1. Open System Preferences -- Sharing. " 1622 | echo " 2. Uncheck the "On" box for "Xgrid Sharing" service." 1623 | echo "" 1624 | echo "Enter 0 to skip this STIG/continue to the next." 1625 | echo "Enter 1 to exit this script." 1626 | selection= 1627 | until [ "$selection" = "0" ]; do 1628 | echo "" 1629 | echo -n "Enter your selection: " 1630 | echo "" 1631 | read selection 1632 | case $selection in 1633 | 1 ) exit ;; 1634 | 1635 | esac 1636 | done 1637 | 1638 | echo "---------------------------" 1639 | echo "[STIG ID]: SV-37296r1_rule" 1640 | echo "---------------------------" 1641 | echo "" 1642 | echo "[CHECK] Internet Sharing must be disabled." 1643 | echo " 1. Open System Preferences -- Sharing. " 1644 | echo "[FIX] Ensure the "On" box for "Internet Sharing" service is not checked. If the box is checked, this is a finding." 1645 | echo " 1. Open System Preferences -- Sharing. " 1646 | echo " 2. Uncheck the "On" box for "Internet Sharing" service." 1647 | echo "" 1648 | echo "Enter 0 to skip this STIG/continue to the next." 1649 | echo "Enter 1 to exit this script." 
1650 | selection= 1651 | until [ "$selection" = "0" ]; do 1652 | echo "" 1653 | echo -n "Enter your selection: " 1654 | echo "" 1655 | read selection 1656 | case $selection in 1657 | 1 ) exit ;; 1658 | 1659 | esac 1660 | done 1661 | 1662 | echo "---------------------------" 1663 | echo "[STIG ID] SV-37299r1_rule" 1664 | echo "---------------------------" 1665 | echo "" 1666 | echo "[CHECK] Bluetooth Sharing must be disabled." 1667 | echo " 1. Open System Preferences -- Sharing. " 1668 | echo "[FIX] Ensure the "On" box for "Bluetooth Sharing" service is not checked. If the box is checked, this is a finding." 1669 | echo " 1. Open System Preferences -- Sharing. " 1670 | echo " 2. Uncheck the "On" box for "Bluetooth Sharing" service." 1671 | echo "" 1672 | echo "Enter 0 to skip this STIG/continue to the next." 1673 | echo "Enter 1 to exit this script." 1674 | selection= 1675 | until [ "$selection" = "0" ]; do 1676 | echo "" 1677 | echo -n "Enter your selection: " 1678 | echo "" 1679 | read selection 1680 | case $selection in 1681 | 1 ) exit ;; 1682 | 1683 | esac 1684 | done 1685 | 1686 | echo "---------------------------" 1687 | echo "[STIG ID] SV-38567r1_rule" 1688 | echo "---------------------------" 1689 | echo "" 1690 | echo "[CHECK] Mail must be configured using SSL. If you are not using the Mac Mail Application, this check does not apply." 1691 | echo " 1. Choose Mail ] Preferences, and then click Accounts. " 1692 | echo " 2. Select an account, and then click Advanced. " 1693 | echo " 3. Ensure "Use SSL" is selected. " 1694 | echo "[FIX] From the Authentication pop-up menu, ensure an authentication method is selected [e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 [GSSAPI], or Authenticated POP [APOP]]. If not, this is a finding." 1695 | echo " 5. Click Account Information. " 1696 | echo " 6. From the Outgoing Mail Server [SMTP] pop-up menu, select Edit Server List. " 1697 | echo " 7. 
From the server list, select the outgoing mail server, and then click Advanced. " 1698 | echo " 8. Ensure Secure Socket Layer [SSL] is selected. " 1699 | echo "[FIX] From the Authentication pop-up menu, ensure an authentication method is selected [e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 [GSSAPI], or Authenticated POP [APOP]]. If not, this is a finding." 1700 | echo " 1. Choose Mail ] Preferences, and then click Accounts. " 1701 | echo " 2. Select an account, and then click Advanced. " 1702 | echo " 3. Select "Use SSL". " 1703 | echo " 4. From the Authentication pop-up menu, select authentication method [e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 [GSSAPI], or Authenticated POP [APOP]]. " 1704 | echo " 5. Click Account Information. " 1705 | echo " 6. From the Outgoing Mail Server [SMTP] pop-up menu, select Edit Server List. " 1706 | echo " 7. From the server list, select your outgoing mail server and then click Advanced. " 1707 | echo " 8. Select "Secure Socket Layer [SSL]". " 1708 | echo " 9. From the Authentication pop-up menu, select authentication method [e.g., MD5 Challenge-Response, NTLM, Kerberos Version 5 [GSSAPI], or Authenticated POP [APOP]]." 1709 | echo " 10. Close the preferences window, and then click "Save" in the message that appears. " 1710 | echo "" 1711 | echo "Enter 0 to skip this STIG/continue to the next." 1712 | echo "Enter 1 to exit this script." 1713 | selection= 1714 | until [ "$selection" = "0" ]; do 1715 | echo "" 1716 | echo -n "Enter your selection: " 1717 | echo "" 1718 | read selection 1719 | case $selection in 1720 | 1 ) exit ;; 1721 | 1722 | esac 1723 | done 1724 | 1725 | echo "---------------------------" 1726 | echo "[STIG ID] SV-37301r1_rule" 1727 | echo "---------------------------" 1728 | echo "" 1729 | echo "[CHECK] iTunes Store must be disabled." 1730 | echo " 1. Open Finder." 1731 | echo " 2. Select Applications." 1732 | echo " 3. Double click the iTunes application." 1733 | echo " 4. 
On the top menu bar click iTunes and from the drop down menu select Preferences." 1734 | echo "[FIX] Click on the Parental icon. Verify the Disable iTunes Store is checked. If not, this is a finding." 1735 | echo " 1. Open Finder." 1736 | echo " 2. Select Applications." 1737 | echo " 3. Double click the iTunes application." 1738 | echo " 4. On the top menu bar click iTunes and from the drop down menu select Preferences." 1739 | echo " 5. Click on the Parental icon." 1740 | echo " 6. Click on the Disable iTunes Store option. This must be performed for each user." 1741 | echo "" 1742 | echo "Enter 0 to skip this STIG/continue to the next." 1743 | echo "Enter 1 to exit this script." 1744 | selection= 1745 | until [ "$selection" = "0" ]; do 1746 | echo "" 1747 | echo -n "Enter your selection: " 1748 | echo "" 1749 | read selection 1750 | case $selection in 1751 | 1 ) exit ;; 1752 | 1753 | esac 1754 | done 1755 | 1756 | echo "---------------------------" 1757 | echo "[STIG ID] SV-37303r1_rule" 1758 | echo "---------------------------" 1759 | echo "" 1760 | echo "[CHECK] Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored" 1761 | echo " 1. Open Finder -- Preferences -- Advanced. " 1762 | echo "[FIX] Ensure "Empty Trash Securely" is checked. If the option is not checked, this is a finding. This must be done for each user on the system." 1763 | echo " 1. Open Finder -- Preferences -- Advanced. " 1764 | echo " 2. Select "Empty Trash Securely"." 1765 | echo "" 1766 | echo "Enter 0 to skip this STIG/continue to the next." 1767 | echo "Enter 1 to exit this script." 
1768 | selection= 1769 | until [ "$selection" = "0" ]; do 1770 | echo "" 1771 | echo -n "Enter your selection: " 1772 | echo "" 1773 | read selection 1774 | case $selection in 1775 | 1 ) exit ;; 1776 | 1777 | esac 1778 | done 1779 | 1780 | echo "---------------------------" 1781 | echo "[STIG ID] SV-37308r1_rule" 1782 | echo "---------------------------" 1783 | echo "" 1784 | echo "[CHECK] iDisk must be removed from Finder sidebar." 1785 | echo " 1. Open Finder ] Preferences ] Sidebar. " 1786 | echo "[FIX] Ensure the iDisk icon is not selected. If the option is selected, this is a finding. This must be done for each user on the system." 1787 | echo " 1. Open Finder -- Preferences -- Sidebar." 1788 | echo " 2. De-select the iDisk icon. This must be done for each user on the system." 1789 | echo "" 1790 | echo "Enter 0 to skip this STIG/continue to the next." 1791 | echo "Enter 1 to exit this script." 1792 | selection= 1793 | until [ "$selection" = "0" ]; do 1794 | echo "" 1795 | echo -n "Enter your selection: " 1796 | echo "" 1797 | read selection 1798 | case $selection in 1799 | 1 ) exit ;; 1800 | 1801 | esac 1802 | done 1803 | 1804 | echo "---------------------------" 1805 | echo "[STIG ID] SV-38568r1_rule" 1806 | echo "---------------------------" 1807 | echo "" 1808 | echo "[CHECK] The root account must be disabled." 1809 | echo " 1. Open Finder." 1810 | echo " 2. Click the Hard Drive icon." 1811 | echo " 3. Double Click System." 1812 | echo " 4. Double Click Library." 1813 | echo " 5. Double Click CoreServices." 1814 | echo " 6. Double Click Directory Utility." 1815 | echo " 7. Click the Lock and enter the password to unlock the options." 1816 | echo "[FIX] Click the Edit tab [Directory Utility bar on top] and verify the "Disable Root User" option appears. If the "Enable Root User" option is visible, this is a finding." 1817 | echo " 1. Open Finder." 1818 | echo " 2. Click the Hard Drive icon." 1819 | echo " 3. Double Click System." 1820 | echo " 4. 
Double Click Library." 1821 | echo " 5. Double Click CoreServices." 1822 | echo " 6. Double Click Directory Utility." 1823 | echo " 7. Click the Lock and enter the password to unlock the options." 1824 | echo " 8. Click Disable Root User." 1825 | echo "" 1826 | echo "Enter 0 to skip this STIG/continue to the next." 1827 | echo "Enter 1 to exit this script." 1828 | selection= 1829 | until [ "$selection" = "0" ]; do 1830 | echo "" 1831 | echo -n "Enter your selection: " 1832 | echo "" 1833 | read selection 1834 | case $selection in 1835 | 1 ) exit ;; 1836 | 1837 | esac 1838 | done 1839 | 1840 | echo "---------------------------" 1841 | echo "[STIG ID] SV-37313r1_rule" 1842 | echo "---------------------------" 1843 | echo "" 1844 | echo "[CHECK] Shared User Accounts must be disabled." 1845 | echo " Interview the SA to determine if any shared accounts exist. Any shared account must be documented with the IAO. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account [which provides no individual identification and accountability] is mitigated." 1846 | echo " Note: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if the machine is stand-alone and has no access to the network." 1847 | echo "[FIX] Remove any shared accounts not meeting the exception requirements listed." 1848 | echo "" 1849 | echo "Enter 0 to skip this STIG/continue to the next." 1850 | echo "Enter 1 to exit this script." 
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38572r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Automatic Screen Saver initiation must be enabled when smart card is removed from machine."
echo " 1. Open System Preferences."
echo " 2. Click the Security Icon."
echo " 3. Click the General Tab."
echo " 4. Ensure the \"Activate screen saver when login token is removed\" option is selected. If the option is not selected, this is a finding. If you are not using a smart card application, this check does not apply."
echo "[FIX]"
echo " 1. Open System Preferences."
echo " 2. Click the Security Icon."
echo " 3. Click the General Tab."
echo " 4. Select \"Activate screen saver when login token is removed\"."
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37331r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Spotlight Panel must be securely configured."
echo " 1. Open System Preferences."
echo " 2. Click the Spotlight Icon."
echo " 3. In the Search Results pane, verify the categories not wanted as searchable by Spotlight are unchecked."
echo " 4. Click the Privacy pane."
echo " 5. Verify the correct folders and disks are in the Privacy pane; these are not searchable by Spotlight. If searchable categories or folders are found that should not be searchable, this is a finding."
echo "[FIX]"
echo " 1. Open System Preferences."
echo " 2. Click the Spotlight Icon."
echo " 3. In the Search Results pane, deselect categories not wanted searchable by Spotlight."
echo " 4. Click the Privacy pane."
echo " 5. Click the Add button or drag a folder or disk into the Privacy pane."
echo " 6. Folders and disks in the Privacy pane are now not searchable by Spotlight."
echo ""
echo "Enter 0 to skip this STIG/continue to the next."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done


echo ""
echo "--------------------------------------------------------"
echo "And finally, the 100% manual [logical] tasks."
echo "Couldn't automate any of these, or didn't want to."
echo ""
read -p "If you're ready to continue, hit 'Return'."
echo "--------------------------------------------------------"
echo ""


echo "---------------------------"
echo "[STIG ID] SV-38067r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not have a public Instant Messaging [IM] client installed."
echo " If an IM client is installed, ask the SA if it has access to any public domain IM servers. If it does have access to public servers, this is a finding."
echo "[FIX] Uninstall the IM client from the system, or configure the client to only connect to DoD-approved IM services."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38068r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] The system must not have any peer-to-peer file-sharing application installed."
echo " If any peer-to-peer file-sharing application is installed, this is a finding."
echo "[FIX] Uninstall the peer-to-peer file-sharing application[s] from the system."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38524r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] An antivirus tool must be installed."
echo " Verify an approved antivirus tool is installed on the system. If none is installed, this is a finding."
echo "[FIX] Install an approved antivirus tool on the system."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-38583r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Physical security of the system must meet DoD requirements. Interview the SA to determine if equipment is located in a controlled access area. If it is not, this is a finding."
echo "[FIX] Relocate equipment to a controlled access area."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37320r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] System Recovery Backup procedures must be configured to comply with DoD requirements."
echo " Interview the SA to determine if system recovery backup procedures are in place complying with DoD requirements. Any of the following would be a finding:"
echo " - The site does not maintain emergency system recovery data."
echo " - The emergency system recovery data is not protected from destruction and stored in a locked storage container."
echo " - The emergency system recovery data has not been updated following the last system modification."
echo "[FIX] Implement data backup procedures complying with DoD requirements."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37322r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location. If not, this is a finding."
echo "[FIX] Create and maintain an emergency administrator account for emergency situations."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37325r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Default and Emergency Administrator passwords must be changed when necessary."
echo " Interview the SA or IAM to determine if the site has a policy requiring the default and backup administrator passwords to be changed at least annually or when any member of the administrative team leaves the organization. If no such policy exists, this is a finding."
echo "[FIX] Define a policy for required password changes for the default and backup administrator accounts."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "---------------------------"
echo "[STIG ID] SV-37329r1_rule"
echo "---------------------------"
echo ""
echo "[CHECK] Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization."
echo " The site should have a local policy ensuring passwords for application/service accounts are at least 15 characters in length and meet the complexity requirements for all passwords. Application/service account passwords that are manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization."
echo " Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding."
echo "[FIX] Create application/service account passwords at least 15 characters in length that meet complexity requirements. Change application/service account passwords that are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization."
echo ""
echo "Enter 0 to confirm you have verified this STIG."
echo "Enter 1 to exit this script."
selection=
until [ "$selection" = "0" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exit ;;
  esac
done

echo "--------------------------------------------------------"
echo ""
echo "All done. STIG Remediation complete."
echo "I'm now taking you back to the menu."
echo "After reviewing system and logs for completion, reboot."
press_enter
echo "--------------------------------------------------------"
# 2>&1 sends stderr into the log as well; the original "2>and1" created a file named "and1" instead.
exec ./script.sh 2>&1 | tee script.$TODAYSDATE.log

# END
--------------------------------------------------------------------------------
/script.sh:
--------------------------------------------------------------------------------
#!/bin/bash

echo ""
echo "Welcome to the Mac OS X 10.6 Audit/Remediation Script Package"
echo "Based on DISA Mac OS X 10.6 STIG Draft, Version 1, Release .01, 18 Aug 2011"
echo "Copyright 2011, Jacqueline Singh"

# BEGIN

# bin/part*.sh are addressed relative to this directory, and part3.sh
# re-launches ./script.sh the same way, so always work from the package root.
cd "$(dirname "$0")" || exit 1

function press_enter
{
  echo ""
  echo -n "Press Return to continue"
  read
}

# Exported because part3.sh reuses it for the log name when it re-launches this script.
TODAYSDATE=$(date +%d-%b-%Y.%H%M)
export TODAYSDATE

# tee cannot create the log directory itself; make sure it exists on a fresh checkout.
mkdir -p "logs-$HOSTNAME"

echo ""
echo "--------------------------------------------------------"
echo "Enter 1 to run Part 1: Automated tasks"
echo "Enter 2 to run Part 2: Semi-Automated Tasks"
echo "Enter 3 to run Part 3: GUI-Driven and Logical Tasks"
echo "--------------------------------------------------------"
echo "Enter 4 to exit the STIG Remediation Script"
echo "--------------------------------------------------------"
selection=
until [ "$selection" = "4" ]; do
  echo ""
  echo -n "Enter your selection: "
  echo ""
  read selection
  case $selection in
    1 ) exec bin/part1.sh 2>&1 | tee "logs-$HOSTNAME/osx10.6_script.part1.$TODAYSDATE.log";;
    2 ) exec bin/part2.sh 2>&1 | tee "logs-$HOSTNAME/osx10.6_script.part2.$TODAYSDATE.log";;
    3 ) exec bin/part3.sh 2>&1 | tee "logs-$HOSTNAME/osx10.6_script.part3.$TODAYSDATE.log";;
    4 ) exit ;;
  esac
done

# END
--------------------------------------------------------------------------------
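Two of the GUI-driven items in part3.sh (SV-38568, root account disabled; SV-38572, screen saver on smart card removal) have command-line equivalents on 10.6, and the 0/1 prompt loop that follows every item is copy-pasted a dozen times with no input validation and no handling of a closed stdin (read fails, selection stays empty, the loop spins). The block below is an added example written for this page, not code from the script package: a reusable prompt helper plus an automated form of those two checks. The evaluation functions take the command output as a string, so they can be exercised with constructed input on a non-Mac; the live run is gated behind a `--run` argument that is invented here. Two things are assumptions rather than facts taken from the page: that `dscl . -read /Users/root AuthenticationAuthority` reports "No such key" when root is disabled on 10.6, and that `tokenRemovalAction` set to 1 in `/Library/Preferences/com.apple.screensaver` is the "Activate screen saver when login token is removed" setting.

```shell
#!/bin/bash
# Added example, not part of the original script package: a reusable 0/1
# prompt for the menu part3.sh repeats after every STIG item, plus
# command-line equivalents of two GUI checks (SV-38568 root account disabled,
# SV-38572 screen saver on smart card removal).
# Assumptions about Mac OS X 10.6 (not stated on the page): a disabled root has
# no AuthenticationAuthority attribute, so dscl answers "No such key"; and
# tokenRemovalAction=1 in com.apple.screensaver means "activate screen saver".

# stig_prompt: read until the user enters 0 (continue, returns 0) or
# 1 (exit, returns 1). Other input is rejected instead of silently looping,
# and end-of-input (stdin closed) counts as "exit" rather than spinning.
stig_prompt() {
  local selection
  while :; do
    printf '\nEnter 0 to continue, 1 to exit: '
    if ! read -r selection; then
      echo ""
      echo "No more input; exiting."
      return 1
    fi
    case "$selection" in
      0) return 0 ;;
      1) return 1 ;;
      *) echo "Invalid selection [$selection]: enter 0 or 1." ;;
    esac
  done
}

# root_disabled OUTPUT: OUTPUT is what dscl printed (stdout+stderr) for the
# root AuthenticationAuthority attribute. Returns 0 (compliant) only on the
# expected "No such key" reply; an empty, errored or unexpected reply is
# reported as a finding (fail closed).
root_disabled() {
  case "$1" in
    *"No such key"*) return 0 ;;
    *) return 1 ;;
  esac
}

# token_removal_locks OUTPUT: OUTPUT is what `defaults read` printed for
# tokenRemovalAction. Returns 0 only when the value is exactly 1.
token_removal_locks() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# report_check ID DESCRIPTION EVAL_FN OUTPUT: print the header block the
# script uses, evaluate OUTPUT with EVAL_FN, and return its status.
report_check() {
  local id="$1" desc="$2" fn="$3" output="$4"
  echo "---------------------------"
  echo "[STIG ID] $id"
  echo "---------------------------"
  echo "[CHECK] $desc"
  if "$fn" "$output"; then
    echo "[RESULT] Not a finding."
    return 0
  fi
  echo "[RESULT] FINDING."
  return 1
}

# Live run: Mac only, and only when invoked as `bash check.sh --run`
# (the --run flag is this example's own convention).
if [ "$(uname)" = "Darwin" ] && [ "${1-}" = "--run" ]; then
  report_check SV-38568r1_rule "The root account must be disabled." root_disabled \
    "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)" \
    || echo "[FIX] sudo dsenableroot -d   [or Directory Utility -- Edit -- Disable Root User]"
  stig_prompt || exit 0
  report_check SV-38572r1_rule "Screen saver must activate when the smart card is removed." token_removal_locks \
    "$(defaults read /Library/Preferences/com.apple.screensaver tokenRemovalAction 2>/dev/null)" \
    || echo "[FIX] sudo defaults write /Library/Preferences/com.apple.screensaver tokenRemovalAction -int 1"
  stig_prompt || exit 0
fi
```

The evaluators fail closed on purpose: if `dscl` errors out or prints something unexpected, the item is reported as a finding for a human to look at rather than as compliant. Capturing `2>&1` for the dscl call matters because the "No such key" message the check depends on may go to stderr.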