The macOS system must be configured with a dedicated user account to decrypt the hard disk upon startup.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-95597	AOSX-14-000032	SV-104735r1_rule		Medium

Description
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

STIG	Date
Apple OS X 10.14 (Mojave) Security Technical Implementation Guide	2020-05-29

Details

Check Text ( C-94425r1_chk )
Ensure that only one FileVault user is defined: # sudo fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If more than one user is defined, this is a finding. Verify that the defined FileVault user has been disabled: # sudo dscl . read /Users/ AuthenticationAuthority \| grep "DisabledUser" AuthenticationAuthority: ;ShadowHash;HASHLIST: ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser If the FileVault user is not disabled, this is a finding. Verify that password forwarding has been disabled on the system: # sudo defaults read /Library/Preferences/com.apple.loginwindow \| grep "DisableFDEAutologin" DisableFDEAutologin = 1; If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Check Text ( C-94425r1_chk )

Ensure that only one FileVault user is defined:

# sudo fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If more than one user is defined, this is a finding.

Verify that the defined FileVault user has been disabled:

# sudo dscl . read /Users/ AuthenticationAuthority | grep "DisabledUser"

AuthenticationAuthority: ;ShadowHash;HASHLIST: ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser

If the FileVault user is not disabled, this is a finding.

Verify that password forwarding has been disabled on the system:

# sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin"

DisableFDEAutologin = 1;

If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Fix Text (F-101263r1_fix)
Create a new user account that will be used to unlock the disk on startup. Disable the login ability of the newly created user account: # sudo dscl . append /Users/ AuthenticationAuthority DisabledUser Disable FileVaults Auto-login feature: # sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES Remove all FileVault login access from each user account defined on the system that is not the designated FileVault user: # sudo fdesetup remove -user

Fix Text (F-101263r1_fix)

Create a new user account that will be used to unlock the disk on startup.

Disable the login ability of the newly created user account:

# sudo dscl . append /Users/ AuthenticationAuthority DisabledUser

Disable FileVaults Auto-login feature:

# sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

Remove all FileVault login access from each user account defined on the system that is not the designated FileVault user:

# sudo fdesetup remove -user