
The macOS system must not have a guest account.


Overview

Finding ID: V-81615
Version: AOSX-13-000554
Rule ID: SV-96329r1_rule
IA Controls:
Severity: High
Description
Only authorized individuals should be allowed to obtain access to operating system components. Permitting access via a guest account provides unauthenticated access to any person.
STIG: Apple OS X 10.13 Security Technical Implementation Guide
Date: 2019-12-20

Details

Check Text (C-81391r1_chk)
To check if the guest user exists, run the following command:

dscl . list /Users | grep -i Guest

To verify that the Guest user cannot unlock the volume, run the following command:

fdesetup list

To check whether a configuration profile disables the guest account, run the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(DisableGuestAccount|EnableGuestAccount)'

If the result is null or is not:
DisableGuestAccount = 1;
EnableGuestAccount = 0;
This is a finding.
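
The three checks above combined into one audit function, as an added example that is not part of the STIG text. The function names and sample output are constructed for illustration, and the `fdesetup list` format of one `username,UUID` line per user is an assumption.

```shell
# Each helper reads command output on stdin (live, or collected from other hosts).

# `dscl . list /Users`: same match as the Check Text (any name containing "guest").
guest_user_exists() { grep -qi 'guest'; }

# `fdesetup list`: assumed format is one "username,UUID" line per enabled user.
guest_can_unlock() { cut -d, -f1 | grep -qix 'guest'; }

# `system_profiler SPConfigurationProfileDataType`: compliant only when both
# keys are present with the required values; empty output is non-compliant.
profile_disables_guest() {
    awk '
        /DisableGuestAccount[ \t]*=[ \t]*1;/ { d = 1 }
        /EnableGuestAccount[ \t]*=[ \t]*0;/  { e = 1 }
        END { exit !(d && e) }'
}

# audit_guest USERS FDE PROFILE -> prints each finding, returns 1 if any.
audit_guest() {
    rc=0
    if printf '%s\n' "$1" | guest_user_exists; then
        echo "FINDING: Guest user record exists"; rc=1
    fi
    if printf '%s\n' "$2" | guest_can_unlock; then
        echo "FINDING: Guest can unlock the FileVault volume"; rc=1
    fi
    if ! printf '%s\n' "$3" | profile_disables_guest; then
        echo "FINDING: no profile sets DisableGuestAccount = 1 and EnableGuestAccount = 0"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS: no guest account findings"; fi
    return "$rc"
}

# Constructed sample output (not captured from a real host).
USERS_OK='_www
admin
root'
USERS_BAD='_www
Guest
admin'
FDE_OK='admin,11111111-2222-3333-4444-555555555555'
FDE_BAD="$FDE_OK
Guest,66666666-7777-8888-9999-000000000000"
PROFILE_OK='          DisableGuestAccount = 1;
          EnableGuestAccount = 0;'
PROFILE_BAD='          EnableGuestAccount = 1;'

# On macOS, pass "$(dscl . list /Users)" "$(fdesetup list)" "$(/usr/sbin/system_profiler SPConfigurationProfileDataType)".
audit_guest "$USERS_OK" "$FDE_OK" "$PROFILE_OK"
```
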
Fix Text (F-88463r1_fix)
Remove the guest user with the following command:

sudo dscl . delete /Users/Guest

This can also be managed with a "Login Window Policy" configuration profile.