usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
5acbdbd21e8397cdb0a6fb80e7b1dc5c3397b7c0
macos_security/rules/os/os_home_folders_default.yaml
Dan Brodjieski 5acbdbd21e chore: clean up extraneous trailing whitespace
2023-09-14 14:21:06 -04:00

60 lines
2.2 KiB
YAML
Raw Blame History

id: os_home_folders_default
title: "Configure User's Home Folders to Apple's Default"
discussion: |
The system _MUST_ be configured to prevent access to other user's home folders.
Configuring the operating system to use the most restrictive permissions possible for user home directories helps to protect against inadvertent disclosures.
check: |-
Verify the macOS system is configured so that permissions are set correctly on user home directories with the following commands:
/bin/ls -le /Users
This command will return a listing of the permissions of the root of every user account configured on the system. For each of the users, the permissions must be "drwxr-xr-x+", with the user listed as the owner and the group listed as \"staff\". The plus(+) sign indicates an associated Access Control List, which must be:
0: group:everyone deny delete
For every authorized user account, also run the following command:
/usr/bin/sudo /bin/ls -le /Users/userid, where userid is an existing user.
This command will return the permissions of all the objects under the users' home directory. The permissions for each of the subdirectories must be:
drwx------+
0: group:everyone deny delete
The exception is the \"Public\" directory, whose permissions must match the following:
drwxr-xr-x+
0: group:everyone deny delete
If the permissions returned by either of these checks differ from what is shown, this is a finding.
result: ""
fix: |-
Configure the macOS system to set the appropriate permissions for each user on the system with the following command:
`/usr/sbin/diskutil resetUserPermissions / DeviceNode UID`, where "DeviceNode UID" is the ID number for the user whose home directory permissions need to be repaired.
NOTE: Using the `/usr/sbin/diskutil resetUserPermissions` command will only reset the permissions on the default folder set. Other folders in the home directory will not be affected.
references:
cce:
- CCE-92803-6
cci:
- CCI-000366
800-53r5:
- AC-6
800-53r4:
- AC-6
srg:
- SRG-OS-000480-GPOS-00228
disa_stig:
- N/A
800-171r2:
- N/A
cis:
benchmark:
- N/A
controls v8:
- N/A
macOS:
- "14.0"
tags:
- manual
severity: "medium"
mobileconfig: false
mobileconfig_info:
Reference in New Issue View Git Blame Copy Permalink