An error occurred:

Check: APPL-12-005051

Apple macOS 12 (Monterey) STIG: APPL-12-005051 (in versions v1 r8 through v1 r5)

Title

The macOS system must restrict the ability to utilize external writeable media devices. (Cat II impact)

Discussion

External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000319-GPOS-00164

Check Content

Verify the system is configured to disable external writeable media devices: $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/egrep -A 3 'blankbd|blankcd|blankdvd|dvdram|harddisk-external' “blankbd" = ( deny, eject ); “blankcd" = ( deny, eject ); “blankdvd" = ( deny, eject ); “dvdram" = ( deny, eject ); “harddisk-external" = ( deny, eject ); If the result does not match the output above and the external writeable media devices have not been approved by the Authorizing Official, this is a finding.

Fix Text

This setting is enforced using the "Restrictions Policy" configuration profile.

Additional Identifiers

Rule ID: SV-252537r877369_rule

Vulnerability ID: V-252537

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.
CCI-001967

The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings
IA-3 (1)

Cryptographic Bidirectional Authentication