Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-252454 | APPL-12-000032 | SV-252454r853262_rule | Medium |
Description |
---|
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. |
STIG | Date |
---|---|
Apple macOS 12 (Monterey) Security Technical Implementation Guide | 2023-08-28 |
Check Text ( C-55910r816174_chk ) |
---|
For Apple Silicon-based systems, this is Not Applicable. For Intel-based Macs, retrieve a list of authorized FileVault users: $ sudo fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If any unauthorized users are listed, this is a finding. Verify that the shell for authorized FileVault users is set to “/usr/bin/false”, which prevents console logins: $ sudo dscl . read /Users/ UserShell: /usr/bin/false If the FileVault users' shell is not set to "/usr/bin/false", this is a finding. |
Fix Text (F-55860r853261_fix) |
---|
Note: In previous versions of macOS, this setting was implemented differently. Systems that used the previous method should prepare the system for the new method by creating a new unlock user, verifying its ability to unlock FileVault after reboot, then deleting the old FileVault unlock user. Disable the login ability of the newly created user account: $ sudo /usr/bin/dscl . change /Users/ Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user: $ sudo fdesetup remove -user |