Navigate

Check: APPL-12-000033

Apple macOS 12 (Monterey) STIG: APPL-12-000033 (in versions v1 r8 through v1 r1)

Title

The macOS system must be configured to disable password forwarding for FileVault2. (Cat II impact)

Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Check Content

Verify that password forwarding has been disabled on the system: # /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin" DisableFDEAutologin = 1; If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Fix Text

This setting is enforced using the "Smart Card" configuration profile.

Additional Identifiers

Rule ID: SV-252455r853263_rule

Vulnerability ID: V-252455

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-002143	The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-2 (11)	Usage Conditions