Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-225222 | AOSX-15-000032 | SV-225222r610901_rule | | Medium |
Description |
---|
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login. |
STIG | Date |
---|---|
Apple OS X 10.15 (Catalina) Security Technical Implementation Guide | 2021-03-29 |
Check Text (C-26921r485631_chk) |
---|

Retrieve a list of authorized FileVault users:

```
# sudo fdesetup list
fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A
```

If any unauthorized users are listed, this is a finding.

Verify that the authorized FileVault users are marked as "DisabledUser", preventing console logins:

Note: This procedure will need to be run for each authorized FileVault user.

```
# sudo dscl . read /Users/
AuthenticationAuthority: ;ShadowHash;HASHLIST:
```

If the FileVault user is not disabled, this is a finding.

Verify that password forwarding has been disabled on the system:

```
# sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin"
DisableFDEAutologin = 1;
```

If "DisableFDEAutologin" is not set to a value of "1", this is a finding.
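The three Check Text conditions expressed as a script, added here as an example and not part of the STIG: each function takes captured command output as an argument, so the logic runs on the constructed samples below and, on a Catalina host, on the live output of the `fdesetup list`, `dscl . read /Users/<name> AuthenticationAuthority` and `defaults read /Library/Preferences/com.apple.loginwindow` commands named above. The sample outputs and the `check_aosx_15_000032` wrapper are assumptions for the example.

```shell
#!/bin/sh
# Evaluates the three AOSX-15-000032 check conditions against captured output.
# Functions take command output as arguments so they can be exercised on the
# constructed samples below or fed from the live commands on a Catalina host.

# 0 if every "name,UUID" line from `fdesetup list` names an authorized user.
# $1: fdesetup output   $2: space-separated list of authorized FileVault users
fv_users_authorized() {
    printf '%s\n' "$1" | while IFS=, read -r name _; do
        [ -z "$name" ] && continue
        case " $2 " in
            *" $name "*) ;;
            *) exit 1 ;;            # unauthorized FileVault user: finding
        esac
    done
}

# 0 if the AuthenticationAuthority read by dscl carries the ";DisabledUser;" tag.
# $1: output of `dscl . read /Users/<name> AuthenticationAuthority`
fv_user_disabled() {
    case "$1" in
        *';DisabledUser;'*) return 0 ;;
        *) return 1 ;;              # console login still possible: finding
    esac
}

# 0 if "DisableFDEAutologin = 1;" appears in the loginwindow preferences output.
# $1: output of `defaults read /Library/Preferences/com.apple.loginwindow`
fde_autologin_disabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DisableFDEAutologin[[:space:]]*=[[:space:]]*1;'
}

# Runs all three checks, prints each finding and returns the number of findings.
# $1: fdesetup output  $2: authorized users  $3: dscl output  $4: defaults output
check_aosx_15_000032() {
    n=0
    fv_users_authorized "$1" "$2" || { echo "FINDING: unauthorized FileVault user listed"; n=$((n + 1)); }
    fv_user_disabled "$3"        || { echo "FINDING: FileVault user is not DisabledUser"; n=$((n + 1)); }
    fde_autologin_disabled "$4"  || { echo "FINDING: DisableFDEAutologin is not 1"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample output; the fvuser line mirrors the one in the Check Text.
SAMPLE_FDESETUP='fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A'
SAMPLE_DSCL_OK='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;DisabledUser;'
SAMPLE_DSCL_BAD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_DEFAULTS_OK='    DisableFDEAutologin = 1;'

check_aosx_15_000032 "$SAMPLE_FDESETUP" fvuser "$SAMPLE_DSCL_OK" "$SAMPLE_DEFAULTS_OK" \
    && echo "AOSX-15-000032: no findings"
```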
Fix Text (F-26909r485632_fix) |
---|

Create an authorized user account that will be used to unlock the disk on startup.

Disable the login ability of the newly created user account:

```
# sudo dscl . append /Users/
```

Disable the FileVault Auto-login feature:

```
# sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES
```

Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user:

```
# sudo fdesetup remove -user
```