Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-230762 | APPL-11-000032 | SV-230762r599842_rule | Medium |
| Description |
|---|
| When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. |
| STIG | Date |
|---|---|
| Apple macOS 11 (Big Sur) Security Technical Implementation Guide | 2021-06-16 |
Details
| Check Text ( C-33707r607173_chk ) |
|---|
| Retrieve a list of authorized FileVault users: # sudo fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If any unauthorized users are listed, this is a finding. Verify that the authorized FileVault users are marked as “DisabledUser”, preventing console logins: Note: This procedure will need to be run for each authorized FileVault User. # sudo dscl . read /Users/ AuthenticationAuthority: ;ShadowHash;HASHLIST: If the FileVault user is not disabled, this is a finding. |
| Fix Text (F-33680r607557_fix) |
|---|
| Create an authorized user account that will be used to unlock the disk on startup. Disable the login ability of the newly created user account: # sudo dscl . append /Users/ Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user: # sudo fdesetup remove -user |