An Extensible Firmware Interface (EFI) password must be used.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25259	OSX00095 M6	SV-38510r1_rule	ECSC-1	High

Description
When a computer starts up, it first starts Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determine which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer.

Description

When a computer starts up, it first starts Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determine which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer.

STIG	Date
MAC OSX 10.6 Workstation Security Technical Implementation Guide	2013-04-09

Details

Check Text ( C-37728r1_chk )
Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Verify the "Require password to start this computer from another source" is selected. If not, this is a finding.

Fix Text (F-32972r1_fix)
Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Click New. Select "Require password to start this computer from another source". In the Password and Verify fields, enter a new EFI password and click OK. Close the Firmware Password Utility.