Check: APPL-12-005052
Apple macOS 12 (Monterey) STIG: APPL-12-005052 (in versions v1 r8 through v1 r1)
Title
The macOS system logon window must be configured to prompt for username and password, rather than show a list of users. (Cat III impact)
Discussion
The logon window must be configured to prompt all users for both a username and a password. By default, the system displays a list of known users at the logon screen. This gives an advantage to an attacker with physical access to the system, as the attacker would only have to guess the password for one of the listed accounts.
Check Content
To check if the logon window is configured to prompt for user name and password, run the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep SHOWFULLNAME

If there is no result, or "SHOWFULLNAME" is not set to "1", this is a finding.
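The pass/fail rule above can be scripted so that both finding conditions (no result, or a value other than 1) are evaluated rather than read by eye. This is an added example, not part of the STIG; the function name `check_showfullname`, the assumed `SHOWFULLNAME = 1;` line layout, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate APPL-12-005052 from profile output on stdin.
# Assumption: the setting appears on a line of the form "SHOWFULLNAME = <value>;".
# Assumption: if several profiles set the key, any value other than 1 is a finding.

check_showfullname() {
    # Returns 0 when not a finding, 1 when a finding; prints the verdict.
    awk '
        /SHOWFULLNAME/ {
            seen = 1
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop everything up to and including "="
            gsub(/[ \t;"]/, "", val)        # strip spaces, quotes and the trailing ";"
            if (val != "1") bad = 1         # exact match, so "10" or "0" both fail
        }
        END {
            if (!seen) { print "FINDING: SHOWFULLNAME not present"; exit 1 }
            if (bad)   { print "FINDING: SHOWFULLNAME is not set to 1"; exit 1 }
            print "NOT A FINDING: SHOWFULLNAME = 1"
        }'
}

# Constructed sample lines standing in for system_profiler output.
SAMPLE_OK='          SHOWFULLNAME = 1;'
SAMPLE_OFF='          SHOWFULLNAME = 0;'
SAMPLE_NONE='          SomeOtherKey = 1;'

# Demonstration on the constructed samples (runs offline).
for sample in "$SAMPLE_OK" "$SAMPLE_OFF" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | check_showfullname || true
done

# On a managed Mac, feed it the command from the check text:
#   /usr/sbin/system_profiler SPConfigurationProfileDataType | check_showfullname
```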
Fix Text
This setting is enforced using the "Login Window Policy" configuration profile.
Additional Identifiers
Rule ID: SV-252538r877377_rule
Vulnerability ID: V-252538
Group Title: SRG-OS-000480-GPOS-00229
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |