Check: APPL-11-000008
Apple macOS 11 (Big Sur) STIG:
APPL-11-000008
(in versions v1 r8 through v1 r1)
Title
The macOS system must be configured with Wi-Fi support software disabled. (Cat II impact)
Discussion
Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000379-GPOS-00164
Check Content
If the system requires Wi-Fi to connect to an authorized network, this is not applicable. To check if the Wi-Fi network device is disabled, run the following command: /usr/bin/sudo /usr/sbin/networksetup -listallnetworkservices A disabled device will have an asterisk in front of its name. If the Wi-Fi device is missing this asterisk, this is a finding.
Fix Text
To disable the Wi-Fi network device, run the following command: /usr/bin/sudo /usr/sbin/networksetup -setnetworkserviceenabled "Wi-Fi" off
Additional Identifiers
Rule ID: SV-230750r855671_rule
Vulnerability ID: V-230750
Group Title: SRG-OS-000299-GPOS-00117
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001443 |
The information system protects wireless access to the system using authentication of users and/or devices. |
| CCI-001444 |
The information system protects wireless access to the system using encryption. |
| CCI-001967 |
The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |