Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257160 | APPL-13-000032 | SV-257160r905113_rule | Medium |
Description |
---|
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. |
STIG | Date |
---|---|
Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2023-06-20 |
Check Text ( C-60845r905111_chk ) |
---|
Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command: /usr/bin/sudo /usr/bin/fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If any unauthorized users are listed, this is a finding. Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons: /usr/bin/sudo /usr/bin/dscl . read /Users/ UserShell: /usr/bin/false If the FileVault users' shell is not set to "/usr/bin/false", this is a finding. |
Fix Text (F-60786r905112_fix) |
---|
Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands: /usr/bin/sudo /usr/bin/fdesetup add -user /usr/bin/sudo /usr/bin/dscl . change /Users/ Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user: /usr/bin/sudo /usr/bin/fdesetup remove -user |