STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The macOS system must cover or disable the built-in or attached camera when not in use.

DISA Rule

SV-209582r610285_rule

Vulnerability Number

V-209582

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

AOSX-14-002017

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.
• CCI-001150 - The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
• CCI-001153 - The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
• CCI-001774 - The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.

Weight

10

Fix Recommendation

This setting is enforced using the "Restrictions Policy" configuration profile.

Check Contents

If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g. laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered or physically disabled, the following configuration is required:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera

If the result is “allowCamera = 1” and the collaborative computing device has not been authorized for use, this is a finding.

Vulnerability Number

V-209582

Documentable

False

Rule Version

AOSX-14-002017

Severity Override Guidance

If the device or operating system does not have a camera installed, this requirement is not applicable.

This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.

This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.

For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding.

For a built-in camera, the camera must be protected by a camera cover (e.g. laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.

If the camera is not disconnected, covered or physically disabled, the following configuration is required:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep allowCamera

If the result is “allowCamera = 1” and the collaborative computing device has not been authorized for use, this is a finding.

Check Content Reference

M

Target Key

2930

Comments