OS X (Apple)

I'm writing scripts to check for compliance with the DISA STIG. Several items refer to manually click-click-clicking to verify settings regarding LDAP or accounts like guest account disabled, "Allow Guests to connect to shared folders", "Display login window as:", "Show input menu in login window", "Show password hints", fast user switching, password hints for each account, etc.

Where are these settings kept? Googling turns up a lot of questions, and few responses other than "well, this isn't very well documented". I've tried changing settings and then running a "find" looking for files modified in the last couple of minutes. No dice.

How do I locate these settings and dig them out from the command line?

dscl
id
odutil

I have no idea what DISA STIG is, or the specific items it is supposed to test for, but, just some suggestions...

Beyond the traditional /etc for system configurations, OS X uses preference files in xml or binary format located in /Library/Preferences. These files are usually operated on with the tools, defaults and PlistBuddy. Some of what you are looking for would be placed in the /Library/Preferences/loginwindow.plist

I haven't been able to find anything in /etc There's an /etc/openldap/ldap.conf but it's empty, even after I use the Directory Utility to create a bogus entry. Using find to look for any file modified within the past minute or two after using that utility also turns up nothing.

There's no such file as /Library/Preferences/loginwindow.plist There is no "loginwindow.plist" anywhere in /Library or /System/Library.

I'm really hoping for someone who KNOWS the answer. I can guess and poke around and experiment as much as anyone, but I can only spend so much time on trying to figure out the depthless mysteries of OS X :-P

---------- Post updated at 08:14 AM ---------- Previous update was at 08:04 AM ----------

Thanks, I'll look into those.

DISA STIGS

"The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems."

The specific items I'm trying to check:

Check Content:
Open Finder.
Click the Hard Drive icon.
Double Click System.
Double Click Library.
Double Click CoreServices.
Double Click Directory Utility.
Click the Show Advanced Options button.
Click Services tab.
Click the Lock and enter the password to unlock the options (if needed).
Click the LDAPv3 service.
Click the Pencil icon.
Highlight the Server Name/Configuration Name.
Click Edit.
Click the Connection tab and verify "Encrypt using SSL" is selected. If "Encrypt using SSL" is not selected, this is a finding.
Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, this is a finding.
Click on Security tab and verify the "Disable clear text passwords" is checked. If the value is not checked, this is a finding.
Click on Security tab and verify the "Digitally sign all packets (requires Kerberos) " is checked. If the value is not checked, this is a finding.
Click on Security tab and verify the "Encrypt all packets (requires SSL or Kerberos) " is checked. If the value is not checked, this is a finding.
Click on Security tab and verify the "Block man-in-the-middle attacks (requires Kerberos)" is checked. If the value is not checked, this is a finding.

Since that's all server config issues, I doubt that directory queries would return them. Those settings have to be stored somewhere local... I just need to find out where. Dunno what's wrong with plaintext config files!

dsconfigad -show

Can tell you whether the machine is/was configured and bound to AD, as well as some of the kerberos info you are looking for, in that context.

Thanks!!!

Is it safe to assume that if "dsconfigad -show" returns nothing, LDAP isn't configured at all and there is no finding? Or is it AD-specific?

Virtually everything "directory services" is handled by Apple's Directory Services or more currently, Open Directory.

Given AD is developed via Microsoft, and it therefore is a "different enough" version of LDAP, it has been given it's own plugin - dsconfigad.

The "odutil show all" command will be helpful with regard to checking various states of directory service on at least the two most current Mac OS X versions. I vaguely recall OD showing up in Snow Leopard first, but I could be mistaken...