Check: APPL-11-000033
Apple macOS 11 (Big Sur) STIG:
APPL-11-000033
(in versions v1 r8 through v1 r1)
Title
The macOS system must be configured to disable password forwarding for FileVault2. (Cat II impact)
Discussion
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
Check Content
Verify that password forwarding has been disabled on the system: # /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin" DisableFDEAutologin = 1; If "DisableFDEAutologin" is not set to a value of "1", this is a finding.
Fix Text
This setting is enforced using the "Login Window Policy" configuration profile.
Additional Identifiers
Rule ID: SV-230763r855676_rule
Vulnerability ID: V-230763
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002143 |
The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts. |
Controls
Number | Title |
---|---|
AC-2 (11) |
Usage Conditions |