STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The macOS system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.

DISA Rule

SV-209607r610285_rule

Vulnerability Number

V-209607

Group Title

SRG-OS-000480-GPOS-00230

Rule Version

AOSX-14-002065

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To reset the ownership and permissions of a user's home directory to their defaults, run the following command, where "username" is the user's short name:

sudo diskutil resetUserPermissions / username

The first argument is the mount point of the volume holding the home directory ("/" for the boot volume). Re-run the check below afterwards to confirm the directory is owned by the user, is not writable by anyone else, and carries the expected Access Control Entry.

Check Contents

To verify permissions on users' home directories, use the following command:

# ls -le /Users

drwxr-xr-x+ 12 Guest _guest 384 Apr 2 09:40 Guest
 0: group:everyone deny delete
drwxrwxrwt 4 root wheel 128 Mar 28 05:53 Shared
drwxr-xr-x+ 13 admin staff 416 Apr 8 08:58 admin
 0: group:everyone deny delete
drwxr-xr-x+ 11 test user 352 Apr 8 09:00 test
 0: group:everyone deny delete

The trailing "+" in the mode field marks a directory that carries an ACL; the "-e" option prints that directory's Access Control Entries, indented, on the lines that follow it. "Shared" is world-writable by design (note the sticky bit, "t", in place of the last "x") and is excluded from the check.

For each listing, with the exception of "Shared", verify that the directory is owned by the username, that only the owner has "write" permissions, and that the correct Access Control Entry is listed.

If the directory is not owned by the user, this is a finding.

If anyone other than the user has "write" permissions to the directory, this is a finding.

If the Access Control Entry listed is not "0: group:everyone deny delete", this is a finding.
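The three tests above are easy to misread by eye across a large /Users directory. The script below is an added example, not part of the STIG or of STIGQter: it parses a captured "ls -le /Users" listing and applies the same three tests (owner equals directory name, no group/other write bit, the ACE list is exactly "0: group:everyone deny delete"), skipping "Shared". The listing it audits is constructed for the example, and the function names are assumptions.

```python
"""Audit an `ls -le /Users` listing against STIG rule AOSX-14-002065 (V-209607).

Added example, not code from the STIG or the STIGQter page. It encodes the
rule's three manual checks so a listing captured from a Mojave host can be
audited offline. Function names and the sample listing are assumptions.
"""
import re

# Constructed listing in the shape of `ls -le /Users` output on macOS 10.14.
# "Shared" is exempt from the rule. "bob" is world-writable and has no ACL,
# "carol" is owned by "dave", and "erin" carries an extra ACE that grants
# "everyone" write access.
SAMPLE_LISTING = """\
drwxr-xr-x+ 12 Guest _guest 384 Apr 2 09:40 Guest
 0: group:everyone deny delete
drwxrwxrwt 4 root wheel 128 Mar 28 05:53 Shared
drwxr-xr-x+ 13 admin staff 416 Apr 8 08:58 admin
 0: group:everyone deny delete
drwxrwxrwx 11 bob staff 352 Apr 8 09:00 bob
drwxr-xr-x+ 11 dave staff 352 Apr 8 09:00 carol
 0: group:everyone deny delete
drwxr-xr-x+ 11 erin staff 352 Apr 8 09:00 erin
 0: group:everyone deny delete
 1: group:everyone allow write
"""

# The only ACE the rule accepts on a home directory.
EXPECTED_ACES = ["0: group:everyone deny delete"]

# `ls -e` prints each ACE as an indented "N: <entry>" line under its directory.
ACE_RE = re.compile(r"^\s*(\d+):\s+(.+?)\s*$")


def parse_listing(text):
    """Turn `ls -le` output into a list of (name, mode, owner, aces) tuples.

    ACE lines belong to the most recently seen directory entry, so they are
    appended to that entry's list as they are encountered.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        ace = ACE_RE.match(line)
        if ace and entries:
            entries[-1][3].append(f"{ace.group(1)}: {ace.group(2)}")
            continue
        # Fields: mode links owner group size month day time name
        fields = line.split(None, 8)
        if len(fields) != 9:
            continue
        mode, _, owner, _, _, _, _, _, name = fields
        entries.append((name, mode, owner, []))
    return entries


def audit_entry(name, mode, owner, aces):
    """Return the findings for one home directory; an empty list is compliant."""
    findings = []
    if owner != name:
        findings.append(f"owned by {owner}, not {name}")
    # mode[0] is the file type; the user, group and other triplets follow,
    # so the group write bit is mode[5] and the other write bit is mode[8].
    # A trailing "+" or "@" flag sits after index 9 and does not shift these.
    if mode[5] == "w" or mode[8] == "w":
        findings.append("write permission granted beyond the owner")
    if aces != EXPECTED_ACES:
        findings.append(f"ACE list is {aces or 'empty'}, expected {EXPECTED_ACES}")
    return findings


def audit_listing(text, exempt=("Shared",)):
    """Map each non-exempt directory name in the listing to its findings."""
    return {
        name: audit_entry(name, mode, owner, aces)
        for name, mode, owner, aces in parse_listing(text)
        if name not in exempt
    }


if __name__ == "__main__":
    # On a real host: ls -le /Users > listing.txt, then feed the file in here.
    for name, findings in audit_listing(SAMPLE_LISTING).items():
        status = "FINDING" if findings else "ok"
        print(f"{name:10} {status:8} {'; '.join(findings)}")
```

Run it on the saved output of "ls -le /Users" from the target host; every directory reported as FINDING maps directly to one of the three "this is a finding" conditions above, and "sudo diskutil resetUserPermissions / username" is the documented fix for each.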

Severity Override Guidance

Check Content Reference

M

Target Key

2930

Comments