
The macOS system must not have a guest account.


Overview

Finding ID: V-214868
Version: AOSX-13-000554
Rule ID: SV-214868r609363_rule
IA Controls:
Severity: High
Description
Only authorized individuals should be allowed to obtain access to operating system components. Permitting access via a guest account provides unauthenticated access to any person.
STIG: Apple OS X 10.13 Security Technical Implementation Guide
Date: 2021-11-19

Details

Check Text (C-16068r397176_chk)
To check if the guest user exists, run the following command:

dscl . list /Users | grep -i Guest

To verify that the Guest user cannot unlock the volume, run the following command:

fdesetup list

To check whether a configuration profile disables the guest account, run the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(DisableGuestAccount|EnableGuestAccount)'

If the result is null or is not:
DisableGuestAccount = 1;
EnableGuestAccount = 0;
this is a finding.
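
The three checks above can be scripted so the pass/fail decision is explicit. This is an added example, not part of the STIG text; the function names and sample output are constructed, and it assumes `fdesetup list` prints one `shortname,UUID` line per enabled user and that a listed Guest counts as a finding.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate the three check outputs for AOSX-13-000554.
# Each helper reads command output on stdin, so it also works on captured text.

guest_user_exists() {            # input: dscl . list /Users
    grep -qiE '^guest[[:space:]]*$'
}

guest_can_unlock() {             # input: fdesetup list; assumes "shortname,UUID" lines
    grep -qiE '^guest,'
}

profile_disables_guest() {       # input: system_profiler SPConfigurationProfileDataType
    out=$(cat)
    printf '%s\n' "$out" | grep -qE 'DisableGuestAccount[[:space:]]*=[[:space:]]*1;' &&
        printf '%s\n' "$out" | grep -qE 'EnableGuestAccount[[:space:]]*=[[:space:]]*0;'
}

# Args: the three outputs in the order above. Returns 0 if compliant, 1 on any finding.
evaluate_guest_check() {
    finding=0
    if printf '%s\n' "$1" | guest_user_exists; then
        echo "FINDING: Guest user record exists"; finding=1
    fi
    if printf '%s\n' "$2" | guest_can_unlock; then
        echo "FINDING: Guest is listed as a FileVault user"; finding=1
    fi
    if ! printf '%s\n' "$3" | profile_disables_guest; then
        echo "FINDING: no profile sets DisableGuestAccount = 1 and EnableGuestAccount = 0"
        finding=1
    fi
    return "$finding"
}

# Constructed sample output for a compliant host (not captured from a real system).
SAMPLE_USERS='_www
alice
root'
SAMPLE_FDE='alice,11111111-2222-3333-4444-555555555555'
SAMPLE_PROFILE='          DisableGuestAccount = 1;
          EnableGuestAccount = 0;'

if [ "$(uname -s)" = "Darwin" ]; then   # live check; run with sudo
    users=$(dscl . list /Users); fde=$(fdesetup list 2>/dev/null) || fde=""
    prof=$(/usr/sbin/system_profiler SPConfigurationProfileDataType 2>/dev/null)
else
    users=$SAMPLE_USERS; fde=$SAMPLE_FDE; prof=$SAMPLE_PROFILE
fi
if evaluate_guest_check "$users" "$fde" "$prof"; then echo "Not a finding"; fi
```

The Guest match is anchored to the whole line, so an unrelated account whose name merely contains "guest" is not reported, unlike the plain `grep -i Guest` in the check text.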
Fix Text (F-16066r397177_fix)
Remove the guest user with the following command:

sudo dscl . delete /Users/Guest

This can also be managed with the "Login Window Policy" configuration profile.