New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CCE-28311-9] external_accounts #13

Closed
macosforgebot opened this Issue Jun 3, 2013 · 4 comments

Comments

@macosforgebot
Copy link

macosforgebot commented Jun 3, 2013

@DewSecGitHub originally submitted this as ticket:12

  • Version: Beta
  • Keywords: Settings, Review

CCE#: CCE-28311-9
Setting Name: external_accounts
Description:
The setting controls whether external accounts, which are defined and stored on "other" media (such as USB drives or specified disk partitions), are allowed to be active on a system.

Parameters: N / A
Technical Mechanism: In loginwindow.plist, set the EnableExternalAccounts key = false to disable external accounts. If the key does not exist, external accounts are allowed.

Reference: http://manuals.info.apple.com/en_US/UserMgmt_v10.6.pdf

Function: Authentication

Rationale: This is a convenient feature but could expose data stored in external account media.


SOHO: disable external accounts
Enterprise: disable external accounts
SSLF: disable external accounts


Additional Mechanism: N / A


OVAL Content: N / A


Comment:

@macosforgebot

This comment has been minimized.

Copy link

macosforgebot commented Jun 3, 2013

@DewSecGitHub originally submitted this as comment:1:⁠ticket:12

  • Status changed from new to accepted
@macosforgebot

This comment has been minimized.

Copy link

macosforgebot commented Jun 6, 2013

dubs@… originally submitted this as comment:2:⁠ticket:12


I'm not so sure on the rational for this one. Here is my thinking.

  1. Even if external accounts are enabled they either require that all users be from the same directory service or that an administrator explicitly approve each login access.
  2. The security requirement for external accounts should be that they are encrypted to protect the data.
  3. If external accounts are to be disabled the rational should be that it prevents data from going off-site.
@macosforgebot

This comment has been minimized.

Copy link

macosforgebot commented Aug 6, 2014

blank@… originally submitted this as comment:4:⁠ticket:12

  • Status changed from accepted to closed
  • Resolution set to R8 - Completed
@macosforgebot

This comment has been minimized.

Copy link

macosforgebot commented Aug 4, 2016

bernicecarisa@… originally submitted this as comment:6:⁠ticket:12


If there isn’t a local home folder on the external drive, or if the external account isn’t allowed, the user must take a few additional steps before he or she can log in with the external account. If the user has a local home folder on the computer, the user can’t create a local home folder on an external drive. If the user doesn’t have a local home folder on an external drive, the location setting in mobile account creation options might give the user the choice of where to store the local home folder.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment