Check: APPL-12-005053
Apple macOS 12 (Monterey) STIG: APPL-12-005053 (in versions v1 r8 through v1 r1)
Title
The macOS system must restrict the ability of individuals to write to external optical media. (Cat III impact)
Discussion
External writeable media devices must be disabled for users. External optical media devices can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.
Check Content
Verify the system is configured to disable writing to external optical media devices:

```
$ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep 'BurnSupport'
BurnSupport = off;
```

If the command does not return a line, this is a finding.

If 'BurnSupport' is set to a value other than 'off' and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
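The check above has three outcomes (no line, 'off', any other value), which a bare grep does not distinguish. The following is an added example, not part of the STIG: a shell function that classifies the profile output read from stdin. The function name, exit codes, verdict strings and sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify BurnSupport lines from configuration-profile output.
# On a Mac, feed it the output of:
#   /usr/sbin/system_profiler SPConfigurationProfileDataType
# Exit status (hypothetical convention): 0 = not a finding, 1 = finding,
# 2 = finding unless documented with the ISSO.
classify_burnsupport() {
    # Pull the value out of every "BurnSupport = <value>;" line on stdin.
    values=$(sed -n 's/^[[:space:]]*BurnSupport[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' | tr -d '"')

    # No line returned at all: the setting is not enforced by any profile.
    if [ -z "$values" ]; then
        echo "FINDING: no BurnSupport line returned"
        return 1
    fi

    # Several profiles may set the key; any value other than "off" counts.
    other=$(printf '%s\n' "$values" | grep -v -x 'off' | sort -u | tr '\n' ' ') || true
    if [ -n "$other" ]; then
        echo "FINDING unless documented with the ISSO: BurnSupport = ${other% }"
        return 2
    fi

    echo "NOT A FINDING: BurnSupport = off"
    return 0
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_OFF='            BurnSupport = off;'
SAMPLE_ON='            BurnSupport = on;'
SAMPLE_NONE='            SomeOtherKey = 1;'
SAMPLE_MIXED=$(printf '%s\n%s' "$SAMPLE_OFF" "$SAMPLE_ON")

# Demonstration over the constructed samples.
for sample in "$SAMPLE_OFF" "$SAMPLE_ON" "$SAMPLE_NONE" "$SAMPLE_MIXED"; do
    printf '%s\n' "$sample" | classify_burnsupport || true
done
```

The exit status 2 case still needs a manual step: confirming that the non-'off' value is documented with the ISSO as an operational requirement.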
Fix Text
This setting is enforced using the "Restrictions Policy" configuration profile.
Additional Identifiers
Rule ID: SV-252539r816431_rule
Vulnerability ID: V-252539
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |