
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.


Overview

Finding ID: V-230762
Version: APPL-11-000032
Rule ID: SV-230762r855675_rule
IA Controls: (none listed)
Severity: Medium
Description
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
STIG Date
Apple macOS 11 (Big Sur) Security Technical Implementation Guide 2022-11-18

Details

Check Text ( C-33707r802376_chk )
Retrieve a list of authorized FileVault users:
$ sudo fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the shell for authorized FileVault users is set to “/usr/bin/false”, which prevents console logins:
$ sudo dscl . read /Users/<FileVault_User> UserShell

UserShell: /usr/bin/false

If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.
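
Both checks above can be scripted. The following is an added example, not part of the STIG: the function names are hypothetical, and it assumes a site-defined AUTHORIZED list of dedicated unlock accounts (defaulting to the sample name "fvuser" from the output above).

```shell
#!/bin/sh
# Added example: audits both conditions from the check text.

# Reads `fdesetup list` output (user,UUID per line) on stdin and prints every
# FileVault-enabled user that is not among the authorized names given as arguments.
fv_unauthorized() {
    while IFS=, read -r user uuid || [ -n "$user" ]; do
        if [ -z "$user" ]; then continue; fi
        ok=0
        for a in "$@"; do
            if [ "$user" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$user"; fi
    done
}

# Reads `dscl . read /Users/<name> UserShell` output on stdin and succeeds
# only if the reported shell is /usr/bin/false.
shell_is_false() {
    shell=$(sed -n 's/^UserShell:[[:space:]]*//p')
    [ "$shell" = "/usr/bin/false" ]
}

# Runs both checks against the live system; returns 1 on any finding.
audit() {
    status=0
    fv_list=$(fdesetup list) || return 2
    for u in $(printf '%s\n' "$fv_list" | fv_unauthorized $AUTHORIZED); do
        echo "FINDING: unauthorized FileVault user: $u"
        status=1
    done
    for u in $AUTHORIZED; do
        if ! dscl . read "/Users/$u" UserShell | shell_is_false; then
            echo "FINDING: shell for $u is not /usr/bin/false"
            status=1
        fi
    done
    return $status
}

# Run only where the macOS tools exist (requires root, as in the check text).
if command -v fdesetup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    AUTHORIZED=${AUTHORIZED:-fvuser}   # assumed site-defined list, space-separated
    audit
fi
```

A missing account or a failed dscl lookup yields no UserShell line and is reported as a finding rather than passing silently.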
Fix Text (F-33680r802377_fix)
Note: In previous versions of macOS, this setting was implemented differently. Systems that used the previous method should prepare the system for the new method by creating a new unlock user, verifying its ability to unlock FileVault after reboot, then deleting the old FileVault unlock user.

Disable the login ability of the newly created user account:
$ sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell <current_shell> /usr/bin/false

Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user:
$ sudo fdesetup remove -user <username>