Title

The macOS system must restrict the ability of individuals to use USB storage devices. (Cat II impact)

Discussion

External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Check Content

Verify the macOS system is configured to disable USB storage devices with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls" bd = ( "read-only" ); blankbd = ( deny, eject ); blankcd = ( deny, eject ); blankdvd = ( deny, eject ); cd = ( "read-only" ); "disk-image" = ( "read-only" ); dvd = ( "read-only" ); dvdram = ( deny, eject ); "harddisk-external" = ( deny, eject ); If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix Text

Configure the macOS system to disable USB storage devices by installing the "Restrictions Policy" configuration profile.

Additional Identifiers

Rule ID: SV-257243r905362_rule

Vulnerability ID: V-257243

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.