kriterion 0.0.1

data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json

@@ -0,0 +1,1241 @@
+{
+  "name": "stig_apple_os_x_10.8_mountain_lion_workstation",
+  "date": "2015-02-10",
+  "description": "The Apple OS X 10.8 (Mountain Lion) Workstation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "Apple OS X 10.8 (Mountain Lion) Workstation STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-51195",
+      "title": "The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.",
+      "description": "When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists.\n\nTo address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51231",
+      "title": "The login window must be configured to prompt for username and password, rather than show a list of users.",
+      "description": "The login window must be configured to prompt for username and password, rather than show a list of users.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51233",
+      "title": "The ability for administrative accounts to unlock Screen Saver must be disabled.",
+      "description": "The ability for administrative accounts to unlock Screen Saver must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51235",
+      "title": "All core system files must have the correct permissions, ownership, and group-ownership assigned as originally installed.",
+      "description": "All core system files should have the correct permissions, ownership, and group-ownership assigned as originally installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51237",
+      "title": "User home directories must not have extended ACLs.",
+      "description": "User home directories must not have extended ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51239",
+      "title": "Device files and directories must only be writable by users with a system account or as configured by the vendor.",
+      "description": "Device files and directories must only be writable by users with a system account or as configured by the vendor.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51241",
+      "title": "The sudoers file must be configured to authenticate users on a per-tty basis.",
+      "description": "Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits authorization to the terminal in which authentication occurred.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51243",
+      "title": "The sudoers file must be configured to require authentication on every use.",
+      "description": "Do not allow direct root login because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privileges, and then use the sudo command to perform actions as root. This limits the use of the sudo command to a single command per authentication.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51245",
+      "title": "All files and directories contained in user home directories must be group-owned by a group of which the home directorys owner is a member.",
+      "description": "All files and directories contained in user home directories must be group-owned by a group of which the home directory's owner is a member. Check the contents of user home directories for files group-owned by a group where the home directory's owner is not a member.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51247",
+      "title": "All files and directories contained in interactive user home directories must be owned by the home directorys owner.",
+      "description": "All files and directories contained in interactive user home directories must be owned by the home directory's owner.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51249",
+      "title": "The default global umask setting must be changed for user applications.",
+      "description": "The default global umask setting must be changed for user applications.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51251",
+      "title": "The default global umask setting must be changed for system processes.",
+      "description": "The default global umask setting must be configured correctly for system processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51253",
+      "title": "Local logging must be enabled.",
+      "description": "Local logging must be enabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51255",
+      "title": "Newsyslog must be correctly configured to rotate log files.",
+      "description": "Newsyslog needs to be correctly configured to rotate log files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51257",
+      "title": "Administrator accounts must be created with difficult-to-guess names.",
+      "description": "Administrator accounts must be created with difficult-to-guess names.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51259",
+      "title": "The system must not use .forward files.",
+      "description": "The system must not use .forward files.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51261",
+      "title": "Active Directory Access must be securely configured to sign all packets.",
+      "description": "Active Directory Access must be securely configured to sign all packets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51263",
+      "title": "Active Directory Access must be securely configured to encrypt all packets.",
+      "description": "Active Directory Access must be securely configured to encrypt all packets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51265",
+      "title": "iTunes Store must be disabled.",
+      "description": "iTunes Store must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51267",
+      "title": "An Emergency Administrator Account must be created.",
+      "description": "An Emergency Administrator Account must be created. Interview the SA to determine if an emergency administrator account exists and is stored with its password in a secure location.  This emergency account should have a UID less than \"500\", and be hidden from view.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51269",
+      "title": "The root account must be the only account having a UID of 0.",
+      "description": "The root account must be the only account having a UID of \"0\".",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51271",
+      "title": "Finder must be set to always empty Trash securely.",
+      "description": "Finder must be set to always empty Trash securely. In Mac OS X Finder can be configured to always securely erase items placed in the Trash. This prevents data placed in the Trash from being restored.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51273",
+      "title": "The application firewall must be enabled.",
+      "description": "The application firewall must be enabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51275",
+      "title": "The system must not be allowed to restart after a power failure.",
+      "description": "The system must not be allowed to restart after a power failure.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51277",
+      "title": "Fast User Switching must be disabled.",
+      "description": "Fast User Switching must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51279",
+      "title": "Kernel core dumps must be disabled unless needed.",
+      "description": "Kernel core dumps must be disabled unless needed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51281",
+      "title": "All public directories must be owned by root or an application account.",
+      "description": "All public directories must be owned by root or an application account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51283",
+      "title": "The system must not have the finger service active.",
+      "description": "The system must not have the finger service active.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51285",
+      "title": "The sticky bit must be set on all public directories.",
+      "description": "The sticky bit must be set on all public directories.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51287",
+      "title": "The prompt for Apple ID and iCloud must be disabled.",
+      "description": "The prompt for Apple ID and iCloud must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51289",
+      "title": "Users must not have Apple IDs signed into iCloud.",
+      "description": "Users should not have Apple ID's signed into iCloud.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51291",
+      "title": "Spotlight Panel must be securely configured.",
+      "description": "Spotlight Panel must be securely configured.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51293",
+      "title": "iTunes Music Sharing must be disabled.",
+      "description": "iTunes Music Sharing must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51295",
+      "title": "All setuid executables on the system must be vendor-supplied.",
+      "description": "All files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs allowing reading and writing of files, or shell escapes. Only default vendor-supplied executables should have the setuid bit set.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51297",
+      "title": "iTunes Radio must be disabled.",
+      "description": "iTunes Radio must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51299",
+      "title": "iTunes Podcasts must be disabled.",
+      "description": "iTunes Podcasts must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51301",
+      "title": "Unnecessary packages must not be installed.",
+      "description": "Unnecessary packages must not be installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51303",
+      "title": "The centralized process core dump data directory must be owned by root.",
+      "description": "The centralized process core dump data directory must be owned by root.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51305",
+      "title": "The centralized process core dump data directory must have mode 0750 or less permissive.",
+      "description": "The centralized process core dump data directory must have mode \"0750' or less permissive.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51307",
+      "title": "The centralized process core dump data directory must be group-owned by admin.",
+      "description": "The centralized process core dump data directory must be group-owned by admin.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51309",
+      "title": "The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.",
+      "description": "The system must not respond to Internet Control Message Protocol [ICMPv4] echoes sent to a broadcast address.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51311",
+      "title": "The system must not accept source-routed IPv4 packets.",
+      "description": "The system must not accept source-routed IPv4 packets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51313",
+      "title": "The system must ignore IPv4 ICMP redirect messages.",
+      "description": "The system must ignore IPv4 ICMP redirect messages.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51315",
+      "title": "IP forwarding for IPv4 must not be enabled, unless the system is a router.",
+      "description": "IP forwarding for IPv4 must not be enabled, unless the system is a router.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51317",
+      "title": "The system must not send IPv4 ICMP redirects by default.",
+      "description": "The system must not send IPv4 ICMP redirects by default.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51319",
+      "title": "The system must prevent local applications from generating source-routed packets.",
+      "description": "The system must prevent local applications from generating source-routed packets.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51321",
+      "title": "The system must not process Internet Control Message Protocol [ICMP] timestamp requests.",
+      "description": "The system must not process Internet Control Message Protocol [ICMP] timestamp requests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51323",
+      "title": "Audio recording support software must be disabled.",
+      "description": "Audio recording support software must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51325",
+      "title": "Unused network devices must be disabled.",
+      "description": "Unused network devices must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51327",
+      "title": "Stealth Mode must be enabled on the firewall.",
+      "description": "Stealth Mode must be enabled on the firewall.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51329",
+      "title": "Secure virtual memory must be used.",
+      "description": "Secure virtual memory must be used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51331",
+      "title": "The Operating System must be current and at the latest release level.",
+      "description": "The Operating System must be current and at the latest release level. If an OS is at an unsupported release level, this will be upgraded to a Category I finding since new vulnerabilities may not be patched.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51333",
+      "title": "The CRLStyle option must be set correctly.",
+      "description": "A trust anchor is an authoritative entity represented via a public key and associated data. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. \n\nStatus information for certification paths includes, certificate revocation lists or online certificate status protocol responses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51339",
+      "title": "A host-based firewall must be installed.",
+      "description": "Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation on the public internet.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51341",
+      "title": "System Preferences must be securely configured so IPv6 is turned off if not being used.",
+      "description": "System Preferences must be securely configured so IPv6 is turned off if not being used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51343",
+      "title": "DoD proxies must be configured on all active network interfaces.",
+      "description": "A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network.   This prevents any hackers on the outside of learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to; the proxy server is in the middle handling both sides of the session.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51347",
+      "title": "The SSH daemon ClientAliveInterval option must be set correctly.",
+      "description": "This requirement applies to both internal and external networks. \n\nTerminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level.\n\nThe time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51351",
+      "title": "The SSH daemon ClientAliveCountMax option must be set correctly.",
+      "description": "This requirement applies to both internal and external networks. \n\nTerminating network connections associated with communications sessions means de-allocating associated TCP/IP address/port pairs at the operating system level.\n\nThe time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51353",
+      "title": "The SSH daemon LoginGraceTime must be set correctly.",
+      "description": "LoginGraceTime must be securely configured in /etc/sshd_config.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51355",
+      "title": "The FIPS administrative and cryptographic modules must be installed correctly.",
+      "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. \n\nUse of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51359",
+      "title": "Video recording support software must be disabled.",
+      "description": "Video recording support software must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51365",
+      "title": "The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.",
+      "description": "For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. \n\nFor federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. \n\nThis control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51367",
+      "title": "The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.",
+      "description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. \n\nXprotect Update needs to be running.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51371",
+      "title": "The operating system must protect the confidentiality and integrity of information at rest.",
+      "description": "This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive). The operating system must ensure the data being written to these devices is protected. In most cases, this is done via encryption.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51373",
+      "title": "The operating system must employ automated mechanisms or must have an application installed that on an organization-defined frequency  determines the state of information system components with regard to flaw remediation.",
+      "description": "Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. \n\nThis role is usually assigned to patch management software deployed in order to track the number of systems installed in the network, as well as, the types of software installed on these systems, the corresponding versions and the related flaws that require patching. \n\nFrom an operating system requirement perspective, the operating system must perform this or there must be an application installed performing this function.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51377",
+      "title": "The operating system must support automated patch management tools to facilitate flaw remediation to organization-defined information system components.",
+      "description": "The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, must also be addressed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51381",
+      "title": "System log files must be owned by root:wheel.",
+      "description": "If the operating system provides too much information in error logs and administrative messages to the screen it could lead to compromise. The structure and content of error messages need to be carefully considered by the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51385",
+      "title": "System log files must have the correct permissions.",
+      "description": "System log files should have the correct permissions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51387",
+      "title": "System log files must not contain ACLs.",
+      "description": "System log files should not contain ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51389",
+      "title": "The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.",
+      "description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. \n\nAutomated alarming mechanisms provide the appropriate personnel with the capability to immediately respond and react to events categorized as unusual or having security implications that could be detrimental to system and/or organizational security.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51393",
+      "title": "The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.",
+      "description": "Protection of log data includes assuring the log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51395",
+      "title": "The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.",
+      "description": "Requirement applies to publicly accessible systems.  System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51397",
+      "title": "The operating system must employ automated mechanisms to centrally manage configuration settings.",
+      "description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Rather than visiting each system when making configuration changes, organizations must employ automated tools that can make changes across all systems. This greatly increases efficiency and manageability of applications in a large scale environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51399",
+      "title": "The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
+      "description": "This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51401",
+      "title": "The operating system must enforce requirements for remote connections to the information system.",
+      "description": "The organization will define the requirements for connection of remote connections.  In order to ensure the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51403",
+      "title": "The operating system must enforce requirements for remote connections to the information system.",
+      "description": "Screen Sharing must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51405",
+      "title": "The operating system must automatically audit account modification.",
+      "description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. \n\nAuditing of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of user accounts and, as required, notifies appropriate individuals.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51407",
+      "title": "The operating system must automatically audit account disabling actions.",
+      "description": "When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and respond to events affecting user accessibility and operating system processing, the operating system must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51409",
+      "title": "The operating system must automatically audit account termination.",
+      "description": "Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The operating system must audit and notify, as required, to mitigate the Denial of Service risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51411",
+      "title": "The system firewall must be configured with a default-deny policy.",
+      "description": "Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. \nInformation flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. \n\nFlow control is based on the characteristics of the information and/or the information path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51413",
+      "title": "Internet Sharing must be disabled.",
+      "description": "Internet Sharing must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51415",
+      "title": "Web Sharing must be disabled.",
+      "description": "Web Sharing must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51417",
+      "title": "The rsh service must be disabled.",
+      "description": "Some networking protocols may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities. Based on that assessment some may be deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51419",
+      "title": "The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51421",
+      "title": "The operating system must use cryptography to protect the integrity of remote access sessions.",
+      "description": "Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. \n\nIf cryptography is not used to protect these sessions, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51425",
+      "title": "The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.",
+      "description": "Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. \n\nRemote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any operating system providing remote access must support organizational requirements to audit access or organization-defined security functions and security-relevant information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51427",
+      "title": "The operating system must protect audit tools from unauthorized access.",
+      "description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. \n\nIt is imperative that access to audit tools be controlled and protected from unauthorized access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51429",
+      "title": "The operating system must protect audit tools from unauthorized modification.",
+      "description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. \n\nIf the tools are compromised it could provide attackers with the capability to manipulate log data. It is imperative that audit tools be controlled and protected from unauthorized modification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51431",
+      "title": "The operating system must protect audit tools from unauthorized deletion.",
+      "description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data.  If the tools are deleted, it would affect the administrator's ability to access and review log data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51433",
+      "title": "The operating system must limit privileges to change software resident within software libraries (including privileged programs).",
+      "description": "When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. \n\nOnly qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51435",
+      "title": "The operating system must take corrective actions, when unauthorized mobile code is identified.",
+      "description": "Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. \n\nMobile code technologies include Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51437",
+      "title": "The operating system must support the requirement to automatically audit on account creation.",
+      "description": "Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of reestablishing access. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and if required notifies administrators. Such a process greatly reduces the risk of accounts being created outside the normal approval process and provides logging that can be used for forensic purposes. Additionally, the audit records of account creation can be compared to the known approved account creation list.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51439",
+      "title": "The Bluetooth protocol driver must be removed.",
+      "description": "Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources that can be accessed.  The organization will define the requirements for connection of mobile devices.  In order to ensure that the connection provides adequate integrity and confidentiality of the connection, the operating system must enforce these requirements.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51441",
+      "title": "Wi-Fi support software must be disabled.",
+      "description": "Wi-Fi support software must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51443",
+      "title": "The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.",
+      "description": "The auditing system must be configured to audit authentication and authorization events.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51445",
+      "title": "Bluetooth devices must not be allowed to wake the computer.",
+      "description": "Bluetooth devices must not be allowed to wake the computer. If Bluetooth is not required, turn it off. If Bluetooth is necessary, disable allowing Bluetooth devices to awake the computer.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51447",
+      "title": "Bluetooth Sharing must be disabled.",
+      "description": "Bluetooth Sharing must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51449",
+      "title": "The operating system must display the DoD-approved system use notification message or banner before granting access to the system.",
+      "description": "The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system.  This ensures all the legal requirements are met as far as auditing and monitoring are concerned.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51451",
+      "title": "The auditing tool, praudit, must be the one provided by Apple, Inc.",
+      "description": "Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what was attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment.  Cryptographic mechanisms must be used to protect the integrity of the audit tools used for audit reduction and reporting.  The auditing tool, praudit,  should be the one provided by Apple, Inc.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51453",
+      "title": "The input menu must not be shown in the login window.",
+      "description": "Input menu must not be shown in login window.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51455",
+      "title": "The auditing tool, auditreduce, must be the one provided by Apple, Inc.",
+      "description": "The auditing tool, auditreduce, should be the one provided by Apple, Inc.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51457",
+      "title": "The auditing tool, audit, must be the one provided by Apple, Inc.",
+      "description": "The auditing tool, audit, should be the one provided by Apple, Inc.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51459",
+      "title": "The operating system, upon successful logon, must display to the user the date and time of the last logon (access).",
+      "description": "Users need to be aware of activity that occurs regarding their  account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51461",
+      "title": "The auditing tool, auditd, must be the one provided by Apple, Inc.",
+      "description": "The auditing tool, auditd, should be the one provided by Apple, Inc.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51463",
+      "title": "Shared User Accounts must be disabled.",
+      "description": "Shared User Accounts must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51465",
+      "title": "The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.",
+      "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of the absence. \n\nOnce invoked, the session lock shall remain in place until the user reauthenticates. No other system activity aside from reauthentication can unlock the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51467",
+      "title": "A password must be required to unlock each System Preference Pane.",
+      "description": "A password must be required to access locked System Preferences.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51469",
+      "title": "Automatic logout due to inactivity must be disabled.",
+      "description": "Automatic logout due to inactivity must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51471",
+      "title": "Automatic login must be disabled.",
+      "description": "Automatic login must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51473",
+      "title": "The operating system must initiate a session lock after the organization-defined time period of inactivity.",
+      "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the  system but does not log out because of the temporary nature of the absence. \n\nThe organization defines the period of inactivity to pass before a session lock is initiated, so this must be configurable.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51475",
+      "title": "The ability to use corners to disable the screen saver must be disabled.",
+      "description": "The ability to use corners to disable the screen saver must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51477",
+      "title": "The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.",
+      "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the  system but does not log out because of the temporary nature of the absence. \n\nThe session lock will also include an obfuscation of the display screen to prevent other users from reading what was previously displayed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51479",
+      "title": "The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
+      "description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.   \n\nRemote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.  \n\nAutomated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51481",
+      "title": "The rexec service must be disabled.",
+      "description": "Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.  These connections will occur over the public Internet.  \n\nRemote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.  \n\nUsing cryptography ensures confidentiality of the remote access connections.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51483",
+      "title": "The operating system must monitor for unauthorized connections of mobile devices to organizational information systems.",
+      "description": "Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). \n\nOrganization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements.\n\nUsage restrictions and implementation guidance related to mobile devices include, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).\n\nIn order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51485",
+      "title": "Automatic actions must be disabled for blank CDs.",
+      "description": "Automatic actions must be disabled for blank CDs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51487",
+      "title": "Automatic actions must be disabled for blank DVDs.",
+      "description": "Automatic actions must be disabled for blank DVDs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51489",
+      "title": "Automatic actions must be disabled for music CDs.",
+      "description": "Automatic actions must be disabled for music CDs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51491",
+      "title": "Automatic actions must be disabled for video DVDs.",
+      "description": "Automatic actions must be disabled for video DVDs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51493",
+      "title": "The operating system must allocate audit record storage capacity.",
+      "description": "Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.\n\nIt is imperative the operating system configured, allocate storage capacity to contain audit records.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51495",
+      "title": "The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.",
+      "description": "Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.\n\nCare must be taken to evaluate that the audit records being produced do not exceed the storage capacity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51497",
+      "title": "The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).",
+      "description": "It is critical when a system is at risk of failing to process audit logs, as required, it detects and takes action to mitigate the failure. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nIn order for the audit control system to shut down when an audit processing failure occurs, the setting \"ahlt\" must be configured.  The default setting is \"cnt\" which allows the system to continue running in the event of an audit processing failure.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51499",
+      "title": "The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.",
+      "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nIf audit log capacity were to be exceeded then events that subsequently occur will not be recorded.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51501",
+      "title": "The operating system must provide a real-time alert when organization-defined audit failure events occur.",
+      "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nOrganizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51507",
+      "title": "The operating system must employ cryptographic mechanisms to protect information in storage.",
+      "description": "When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. \n\nAn organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. \n\nFewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51509",
+      "title": "The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
+      "description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51511",
+      "title": "The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.",
+      "description": "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n\nThe act of managing systems includes the ability to access system configuration details, diagnostic information, user information, as well as installation of software.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51515",
+      "title": "The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.",
+      "description": "When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51519",
+      "title": "The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
+      "description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nTechniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51523",
+      "title": "The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.",
+      "description": "An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nTechniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51527",
+      "title": "The root account must be disabled for interactive use.",
+      "description": "The root account must be disabled for interactive use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51529",
+      "title": "The SSH PermitRootLogin option must be set correctly.",
+      "description": "To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. \n\nUsers (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the operating system without identification or authentication.\n\nRequiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as, adding an additional level of protection of the actions that can be taken with group account knowledge.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51531",
+      "title": "End users must not be able to override Gatekeeper settings.",
+      "description": "Gatekeeper settings must be configured correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51535",
+      "title": "The system must allow only applications downloaded from the App Store to run.",
+      "description": "Gatekeeper settings must be configured correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51537",
+      "title": "A configuration profile must exist to restrict launching of applications.",
+      "description": "The operating system must enforce software installation by users based upon  what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51539",
+      "title": "The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency that are consistent with recovery time and recovery point objectives.",
+      "description": "Operating system backup is a critical step in maintaining data assurance and availability. \n\nSystem-level information includes system-state information, operating system and application software, and licenses. \n\nBackups must be consistent with organizational recovery time and recovery point objectives.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51541",
+      "title": "The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency consistent with recovery time and recovery point objectives.",
+      "description": "Operating  system backup is a critical step in maintaining data assurance and availability. \n\nUser-level information is data generated by information system and/or application users.\n\nBackups shall be consistent with organizational recovery time and recovery point objectives.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51543",
+      "title": "Airdrop must be disabled.",
+      "description": "Airdrop must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51547",
+      "title": "The system must not have the UUCP service active.",
+      "description": "The system must not have the UUCP service active.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51549",
+      "title": "Bonjour multicast advertising must be disabled on the system.",
+      "description": "Bonjour multicast advertising must be disabled on the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51551",
+      "title": "Location Services must be disabled.",
+      "description": "Location Services must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51553",
+      "title": "Find My Mac messenger must be disabled.",
+      "description": "Find My Mac messenger must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51555",
+      "title": "Find My Mac must be disabled.",
+      "description": "Find My Mac must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51557",
+      "title": "Sending diagnostic  and usage data to Apple must be disabled.",
+      "description": "Sending diagnostic and usage data to Apple must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51559",
+      "title": "Remote Apple Events must be disabled.",
+      "description": "Remote Apple Events must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51561",
+      "title": "The system preference panel iCloud must be removed.",
+      "description": "The system preference panel iCloud must be removed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51565",
+      "title": "The application Mail must be removed.",
+      "description": "The application Mail must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51567",
+      "title": "The application Contacts must be removed.",
+      "description": "The application Contacts must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51569",
+      "title": "The application Calendar must be removed.",
+      "description": "The application Calendar must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51571",
+      "title": "The application App Store must be removed.",
+      "description": "The application App Store must be removed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51575",
+      "title": "The application image capture must be removed.",
+      "description": "The application Image Capture must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51579",
+      "title": "The application Messages must be removed.",
+      "description": "The application Messages must be removed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51581",
+      "title": "The application iTunes must be removed.",
+      "description": "The application iTunes must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51583",
+      "title": "The application Game Center must be disabled.",
+      "description": "The application Game Center must be disabled.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51593",
+      "title": "The application Game Center must be removed.",
+      "description": "The application Game Center must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51595",
+      "title": "The application FaceTime must be removed.",
+      "description": "The application FaceTime must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51597",
+      "title": "The application Chess must be removed.",
+      "description": "The application Chess must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51601",
+      "title": "The application PhotoBooth must be removed.",
+      "description": "The application Photo Booth must be removed.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51603",
+      "title": "Application Restrictions must be enabled.",
+      "description": "Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions) and will reduce the attack surface of the operating system.  End-users should be restricted to running only approved applications.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51605",
+      "title": "The racoon daemon must be disabled.",
+      "description": "Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization.\n\nThe operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.\n\nThe IKE service, racoon, should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51609",
+      "title": "The NFS stat daemon must be disabled.",
+      "description": "Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization.\n\nThe operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.\n\nNFS should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51619",
+      "title": "The NFS lock daemon must be disabled.",
+      "description": "Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization.\n\nThe operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.\n\nNFS should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51621",
+      "title": "The system must be configured to set the time automatically from a network time server.",
+      "description": "The system must be configured to set the time automatically from a network time server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-51623",
+      "title": "The network time server must be an authorized DoD time source.",
+      "description": "The system must be configured to set the time automatically from a network time server.  The network time server must be an authorized DoD time source.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51625",
+      "title": "Audit Log files must have the correct permissions.",
+      "description": "If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. Audit Log files should have the correct permissions.\n\nTo ensure the veracity of audit data the operating system  must protect audit information from unauthorized access.  \n\nThis requirement can be achieved through multiple methods which will depend upon system architecture and design.  Some commonly employed methods include ensuring log files have the proper file system permissions utilizing file system protections and limiting log data location. \n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51627",
+      "title": "Audit log files must be owned by root:wheel.",
+      "description": "Audit log files should be owned by root:wheel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51629",
+      "title": "The NFS daemon must be disabled.",
+      "description": "Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization.\n\nThe operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.\n\nNFS should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51631",
+      "title": "Audit log files must not contain ACLs.",
+      "description": "Audit log files should not contain ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51633",
+      "title": "Apple File Sharing must be disabled.",
+      "description": "Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization.\n\nThe operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51635",
+      "title": "Audit Log files must have the correct permissions.",
+      "description": "If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data the operating system  must protect audit information from unauthorized modification.  \n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51639",
+      "title": "The operating system must employ automated mechanisms to centrally verify configuration settings.",
+      "description": "Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. \n\nRather than visiting each and every system when verifying  configuration changes, organizations will employ automated tools that can make changes across all systems.  This greatly increases efficiency and manageability of applications in a large scale environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51641",
+      "title": "Audit log files must be owned by root:wheel.",
+      "description": "Audit log files should be owned by root:wheel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51643",
+      "title": "The audit log folder must be owned by root:wheel.",
+      "description": "If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design. \n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51645",
+      "title": "Configuration profiles must be applied to the system.",
+      "description": "Configuration settings are the configurable security-related parameters of the operating system.  \n\nSecurity-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. \n\nRather than visiting each and every system when making  configuration changes, organizations will employ automated tools that can make changes across all systems.  This greatly increases efficiency and manageability of applications in a large scale environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51647",
+      "title": "The audit log folder must have the correct permissions.",
+      "description": "The audit log folder should have correct permissions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51651",
+      "title": "The audit log folder must not have ACLs.",
+      "description": "The audit log folder should not have ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51653",
+      "title": "The audit log folder must have correct permissions.",
+      "description": "Non-repudiation of actions taken is required in order to maintain  integrity. To do this, we will prevent users from modifying the audit logs.\n\nNon-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51655",
+      "title": "The Security assessment policy subsystem must be enabled.",
+      "description": "Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAccordingly, software defined by the organization as critical software must be signed with a certificate that is recognized and approved by the organization.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51657",
+      "title": "The audit log folder must be owned by root:wheel.",
+      "description": "Non-repudiation of actions taken is required in order to maintain  integrity. To do this, we will prevent users from modifying the audit logs.\n\nNon-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51659",
+      "title": "The audit log folder must be owned by root:wheel.",
+      "description": "Non-repudiation of actions taken is required in order to maintain  integrity. To do this, we will prevent users from modifying the audit logs.\n\nNon-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51663",
+      "title": "The password-related hint field must not be used.",
+      "description": "The password-related hint field must not be used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51665",
+      "title": "The audit log folder must have correct permissions.",
+      "description": "Non-repudiation of actions taken is required in order to maintain  integrity. To do this, we will prevent users from modifying the audit logs.\n\nNon-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked a specific command, or copied a specific file.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51667",
+      "title": "The audit log files must not contain ACLs.",
+      "description": "The audit log files should not contain ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51671",
+      "title": "The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components.",
+      "description": "The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events) for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51673",
+      "title": "The flags option must be set in /etc/security/audit_control.",
+      "description": "The list of audited events is the set of events for which audits are to be generated. \n\nThis set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51675",
+      "title": "The operating system must enforce minimum password length.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. \n\nPassword length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51677",
+      "title": "The OS X firewall must have logging enabled.",
+      "description": "Firewall logging must be enabled.  This requirement is NA if HBSS is used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51679",
+      "title": "The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.",
+      "description": "Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). \n\nThe events that occur must be time-correlated in order to conduct accurate forensic analysis.  In addition, the correlation must meet a certain tolerance criteria.  \n\nThe operating system must be able to have audit events correlated to the level of tolerance determined by the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51681",
+      "title": "The OCSPStyle option must be set correctly.",
+      "description": "A trust anchor is an authoritative entity represented via a public key and associated data. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. \n\nStatus information for certification paths includes, certificate revocation lists or online certificate status protocol responses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51683",
+      "title": "The OCSPSufficientPerCert option must be set correctly.",
+      "description": "A trust anchor is an authoritative entity represented via a public key and associated data. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. \n\nStatus information for certification paths includes, certificate revocation lists or online certificate status protocol responses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51685",
+      "title": "The RevocationFirst option must be set correctly.",
+      "description": "A trust anchor is an authoritative entity represented via a public key and associated data. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. \n\nStatus information for certification paths includes, certificate revocation lists or online certificate status protocol responses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51687",
+      "title": "The telnet service must be disabled.",
+      "description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.",
+      "severity": "high"
+    },
+    {
+      "id": "V-51689",
+      "title": "There must be no .netrc files on the system.",
+      "description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access.  There must be no \".netrc\" files on the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51691",
+      "title": "The CRLSufficientPerCert option must be set correctly.",
+      "description": "A trust anchor is an authoritative entity represented via a public key and associated data. \n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for example, a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nPath validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. \n\nStatus information for certification paths includes, certificate revocation lists or online certificate status protocol responses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51785",
+      "title": "The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.",
+      "description": "Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51845",
+      "title": "Automatic actions must be disabled for picture CDs.",
+      "description": "Automatic actions must be disabled for picture CDs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51847",
+      "title": "Bluetooth support software must be disabled.",
+      "description": "Bluetooth support software must be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-51929",
+      "title": "Infrared [IR] support must be removed.",
+      "description": "Infrared [IR] support must be removed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53857",
+      "title": "The FireWire protocol driver must be removed or disabled.",
+      "description": "Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. \n\nIn order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53859",
+      "title": "The USB mass storage driver must be removed or disabled.",
+      "description": "Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. \n\nIn order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53861",
+      "title": "The Apple Storage Drivers must be removed or disabled.",
+      "description": "Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. \n\nIn order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53863",
+      "title": "The iPod Driver must be removed.",
+      "description": "Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. \n\nIn order to prevent propagation and potential infection due to malware contained on removable media the operating system must be able to restrict and/or limit the use of removable media.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53865",
+      "title": "All users must use PKI authentication for login and privileged access.",
+      "description": "Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emergency access to a system for maintenance is acceptable, however.)",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53867",
+      "title": "The system must be integrated into a directory services infrastructure.",
+      "description": "Distinct user account databases on each separate system cause problems with username and password policy enforcement. Most approved directory services infrastructure solutions, such as Active Directory, allow centralized management of users and passwords.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53869",
+      "title": "The usbmuxd daemon must be disabled.",
+      "description": "Connections to unauthorized iOS devices (iPhones, iPods, and iPads) open the system to possible compromise via exfiltration of system data. Disabling the usbmuxd daemon blocks connections to iOS devices.",
+      "severity": "medium"
+    }
+  ]
+}