Title

The macOS system must be configured to disable password forwarding for FileVault. (Cat II impact)

Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Check Content

Verify the macOS system is configured to disable password forwarding with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin" DisableFDEAutoLogin = 1; If "DisableFDEAutoLogin" is not set to a value of "1", this is a finding.

Fix Text

Configure the macOS system to disable password forwarding by installing the "Smart Card Policy" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Additional Identifiers

Rule ID: SV-257161r905116_rule

Vulnerability ID: V-257161

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.