From c384f33ecddf707f5fde4e316196c372a7448381 Mon Sep 17 00:00:00 2001
From: Dan Brodjieski
Date: Mon, 12 Jun 2023 14:08:41 -0400
Subject: [PATCH] refactor[rule]: added rule for default home dirs

Moving this rule to a manual check for the STIG
---
 rules/os/os_home_folders_default.yaml | 59 +++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 rules/os/os_home_folders_default.yaml

diff --git a/rules/os/os_home_folders_default.yaml b/rules/os/os_home_folders_default.yaml
new file mode 100644
index 00000000..677f1c24
--- /dev/null
+++ b/rules/os/os_home_folders_default.yaml
@@ -0,0 +1,59 @@
+id: os_home_folders_default
+title: "Configure User's Home Folders to Apple's Default"
+discussion: |
+ The system _MUST_ be configured to prevent access to other user's home folders.
+
+ Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.
+check: |-
+ Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:
+ /bin/ls -le /Users
+
+ This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be:
+ 0: group:everyone deny delete
+
+ For every authorized user account, also run the following command:
+ /usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.
+
+ This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:
+ drwx------+
+ 0: group:everyone deny delete
+
+ The exception is the \"Public\" directory, whose permissions must match the following:
+
+ drwxr-xr-x+
+ 0: group:everyone deny delete
+
+ If the permissions returned by either of these checks differ from what is shown, this is a finding.
+result: ""
+fix: |-
+ Configure the macOS system to set the appropriate permissions for each user on the system with the following command:
+
+ /usr/sbin/diskutil resetUserPermissions / DeviceNode UID, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-000366
+ 800-53r5:
+ - AC-6
+ 800-53r4:
+ - AC-6
+ srg:
+ - SRG-OS-000480-GPOS-00228
+ disa_stig:
+ - APPL-13-002068
+ 800-171r2:
+ - N/A
+ cis:
+ benchmark:
+ - N/A
+ controls v8:
+ - N/A
+macOS:
+ - "13.0"
+tags:
+ - manual
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
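Review bot: The `check` block mixes escaped and unescaped quotes — `\"staff\"` and `\"Public\"` next to `"drwxr-xr-x+"` — and because `|-` is a literal block scalar the backslashes are emitted verbatim into the generated guidance; drop them, e.g. `the group listed as "staff"` and `The exception is the "Public" directory`. The check also states that every entry returned by `/bin/ls -le /Users` must be `drwxr-xr-x+` owned by the user, but /Users normally also holds the Shared folder, which is not a home directory and will not match; scoping the expectation to user accounts (presumably excluding Shared) would keep a manual reviewer from recording a false finding. In the `fix` block the placeholder `/ DeviceNode UID` repeats the device node that `/` already supplies, so `/usr/sbin/diskutil resetUserPermissions / UID, where "UID" is the ID number for the user ...` reads unambiguously. Finally, `discussion` should say `other users' home folders`, and `mobileconfig_info:` is left with no value and no trailing newline.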