Check: APPL-11-005020
Apple macOS 11 (Big Sur) STIG:
APPL-11-005020
(in versions v1 r8 through v1 r1)
Title
The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest. (Cat II impact)
Discussion
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. By encrypting the system hard drive, the confidentiality and integrity of any data stored on the system is ensured. FileVault Disk Encryption mitigates this risk. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
Check Content
Verify that "FileVault 2" is enabled by running the following command: /usr/bin/fdesetup status If "FileVault" is "Off" and the device is a mobile device or the organization has determined that the drive must encrypt data at rest, this is a finding.
Fix Text
Open System Preferences >> Security and Privacy and navigate to the "FileVault" tab. Use this panel to configure full-disk encryption. Alternately, from the command line, run the following command to enable "FileVault": /usr/bin/sudo /usr/bin/fdesetup enable After "FileVault" is initially set up, additional users can be added.
Additional Identifiers
Rule ID: SV-230846r855706_rule
Vulnerability ID: V-230846
Group Title: SRG-OS-000185-GPOS-00079
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
CCI-002476 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. |