- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-268424
- Rule Version
- APPL-15-000007
- Rule Title
- The macOS system must disable hot corners.
- Rule ID
- SV-268424r1034212_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Hot corners must be disabled.
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Although hot corners can be used to initiate a session lock or to launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to disable hot corners with the following command:
/usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0'
If the result is not "4", this is a finding.
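The command above counts matching lines, so two profiles that each set the same two corners also produce "4". The following per-key variant is an added example, not part of the STIG; the function names and the sample profile lines are constructed for illustration, and treating a conflicting non-zero value as a finding is an assumption.

```shell
# Added example (not STIG content): per-key variant of the hot corner check.
# Reads `/usr/bin/profiles -P -o stdout` output on stdin; returns 0 only if
# every corner key is set to 0 and no profile sets it to another value.
check_hot_corners() {
    input=$(cat)
    missing=""
    for key in wvous-bl-corner wvous-br-corner wvous-tl-corner wvous-tr-corner; do
        # Lines that set this key at all, and lines that set it to exactly 0.
        total=$(printf '%s\n' "$input" | grep -Ec "\"$key\" = " || true)
        zero=$(printf '%s\n' "$input" | grep -Ec "\"$key\" = 0;?[[:space:]]*\$" || true)
        if [ "$zero" -eq 0 ] || [ "$zero" -ne "$total" ]; then
            missing="$missing $key"
        fi
    done
    if [ -n "$missing" ]; then
        echo "finding:$missing"
        return 1
    fi
    echo "compliant"
}

# The rule's own line-count check, reading the same input, for comparison.
stig_count() {
    grep -Ec '"wvous-bl-corner" = 0|"wvous-br-corner" = 0|"wvous-tl-corner" = 0|"wvous-tr-corner" = 0' || true
}

# Constructed sample: one profile that sets all four corners to 0.
sample_compliant() {
    cat <<'EOF'
            "wvous-bl-corner" = 0;
            "wvous-br-corner" = 0;
            "wvous-tl-corner" = 0;
            "wvous-tr-corner" = 0;
EOF
}

# Constructed sample: two profiles that each set only the bottom corners.
sample_duplicate() {
    cat <<'EOF'
            "wvous-bl-corner" = 0;
            "wvous-br-corner" = 0;
            "wvous-bl-corner" = 0;
            "wvous-br-corner" = 0;
EOF
}

# Demo on the constructed duplicate sample: the count passes, the per-key check does not.
sample_duplicate | stig_count
sample_duplicate | check_hot_corners || true
# On a managed Mac: /usr/bin/profiles -P -o stdout | check_hot_corners
```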
- Check System
- C-72454r1034210_chk
- Fix Reference
- F-72355r1034211_fix
- Fix Text
-
Configure the macOS system to disable hot corners by installing the "com.apple.ManagedClient.preferences" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1
- Group Title
- SRG-OS-000031-GPOS-00012
- Group ID
- V-268425
- Rule Version
- APPL-15-000009
- Rule Title
- The macOS system must prevent AdminHostInfo from being available at LoginWindow.
- Rule ID
- SV-268425r1034215_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo, when configured, will allow the HostName, IP Address, and operating system version and build to be displayed.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to prevent AdminHostInfo from being available at LoginWindow with the following command:
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectIsForcedForKey('AdminHostInfo')
EOS
If the result is not "false", this is a finding.
- Check System
- C-72455r1034213_chk
- Fix Reference
- F-72356r1034214_fix
- Fix Text
-
Configure the macOS system to prevent AdminHostInfo from being available at LoginWindow by installing the "com.apple.loginwindow" configuration profile.
- Identities
-
CCI-000060
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- 800-53 :: AC-11 (1)
- 800-53 Rev. 4 :: AC-11 (1)
- 800-53 Rev. 5 :: AC-11 (1)
- 800-53A :: AC-11 (1).1