STIGQter STIGQter: STIG Summary: Apple macOS 11 (Big Sur) Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

The macOS system must set permissions on user home directories to prevent users from having access to read or modify another user's files.

DISA Rule

SV-230827r599842_rule

Vulnerability Number

V-230827

Group Title

SRG-OS-000480-GPOS-00228

Rule Version

APPL-11-002068

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure the appropriate permissions are set for each user on the system, run the following command:

diskutil resetUserPermissions / userid, where userid is the user name for the user whose home directory permissions need to be repaired.

Check Contents

To verify that permissions are set correctly on user home directories, use the following commands:

ls -le /Users

Should return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions should be:
"drwxr-xr-x+" with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which should be:
0: group:everyone deny delete

For every authorized user account, also run the following command:
/usr/bin/sudo ls -le /Users/userid, where userid is an existing user.

This command will return the permissions of all of the objects under the users' home directory. The permissions for each of the subdirectories should be:
drwx------+
0: group:everyone deny delete

With the exception of the "Public" directory, whose permissions should match the following:
drwxr-xr-x+
0: group:everyone deny delete

If the permissions returned by either of these checks differ from what is shown, this is a finding.

Vulnerability Number

V-230827

Documentable

False

Rule Version

APPL-11-002068

Severity Override Guidance

To verify that permissions are set correctly on user home directories, use the following commands:

ls -le /Users

Should return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions should be:
"drwxr-xr-x+" with the user listed as the owner and the group listed as "staff". The plus(+) sign indicates an associated Access Control List, which should be:
0: group:everyone deny delete

For every authorized user account, also run the following command:
/usr/bin/sudo ls -le /Users/userid, where userid is an existing user.

This command will return the permissions of all of the objects under the users' home directory. The permissions for each of the subdirectories should be:
drwx------+
0: group:everyone deny delete

With the exception of the "Public" directory, whose permissions should match the following:
drwxr-xr-x+
0: group:everyone deny delete

If the permissions returned by either of these checks differ from what is shown, this is a finding.

Check Content Reference

M

Target Key

5246

Comments