
The Apple Storage Drivers must be removed or disabled.


Overview

Finding ID: V-53861
Version: OSX8-00-00855
Rule ID: SV-68079r1_rule
IA Controls:
Severity: Medium
Description
Malicious code is known to propagate via removable media such as floppy disks, USB or flash drives, and removable hard drives. In order to prevent propagation and potential infection due to malware contained on removable media, the operating system must be able to restrict and/or limit the use of removable media.
STIG Date
Apple OS X 10.8 (Mountain Lion) Workstation STIG 2015-02-10

Details

Check Text (C-54705r1_chk)
This command checks for the presence of the Apple Storage Drivers kext file. If this command returns any value other than "No such file or directory", this is a finding.

ls -ld /System/Library/Extensions/AppleStorageDrivers.kext

To check whether a configuration profile is configured to not allow external removable media, run the following command:

system_profiler SPConfigurationProfileDataType | grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }'

If the result is not "eject,alert", this is a finding.
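
The two checks above combined into one audit script, as an added example that is not part of the STIG text. The function names and the `sample_profile` input (including its layout) are constructed for illustration; the kext path and the parsing pipeline are the ones given above.

```shell
#!/bin/sh
# Added example: evaluates both checks from the Check Text and reports findings.
KEXT_PATH="/System/Library/Extensions/AppleStorageDrivers.kext"

# Check 1: succeeds only when nothing exists at the path
# (a dangling symlink still counts as present).
kext_absent() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Check 2: the page's pipeline, reading system_profiler output on stdin.
profile_media_setting() {
    grep -A 3 "harddisk-external" | sed 's/ //g' | tr "\n" " " | awk '{ print $2 $3 }'
}

# audit KEXT_PATH < profiler-output ; returns 0 when neither check is a finding.
audit() {
    rc=0
    if kext_absent "$1"; then
        echo "OK: $1 is not present"
    else
        echo "FINDING: $1 is present"
        rc=1
    fi
    setting=$(profile_media_setting)
    if [ "$setting" = "eject,alert" ]; then
        echo "OK: harddisk-external = eject,alert"
    else
        echo "FINDING: harddisk-external = '${setting:-<not set>}'"
        rc=1
    fi
    return "$rc"
}

# Constructed sample (assumed layout of the profile output), for offline testing.
sample_profile() {
    cat <<'EOF'
    "harddisk-external" = (
        eject,
        alert
    );
EOF
}

# On a Mac, audit the live system; elsewhere this step is skipped.
if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPConfigurationProfileDataType | audit "$KEXT_PATH" || echo "Result: open finding(s)"
fi
```

A profile that lacks the "harddisk-external" key yields an empty result from the pipeline, which the script reports as a finding rather than passing silently.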
Fix Text (F-58693r1_fix)
To remove the Apple Storage Drivers, run the following command:

sudo rm -Rf /System/Library/Extensions/AppleStorageDrivers.kext

This should be enforced by a configuration profile.