Check: APPL-13-003013
Apple macOS 13 (Ventura) STIG:
APPL-13-003013
(in versions v1 r4 through v1 r1)
Title
The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media. (Cat II impact)
Discussion
Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.
Check Content
For Apple Silicon-based systems, this is not applicable.

Verify the macOS system is configured with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -check

Password Enabled:Yes

If "Password Enabled" is not set to "Yes", this is a finding.
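As an added example (not part of the STIG text or any DISA tooling), a POSIX shell script that automates this check: it marks Apple Silicon (arm64) systems not applicable, otherwise runs the firmwarepasswd command from the check and reports PASS or FINDING. The function names, the `run` argument and the use of `uname -m` to detect Apple Silicon are assumptions of this example.

```shell
#!/bin/sh
# Added example: evaluates APPL-13-003013 from the output of
# `firmwarepasswd -check`, following the check procedure above.

# Classify one machine. Arguments: CPU architecture (as printed by `uname -m`)
# and the full output of `/usr/sbin/firmwarepasswd -check`.
# Prints one of: NOT_APPLICABLE, PASS, FINDING.
evaluate_firmware_password() {
    arch="$1"
    check_output="$2"

    # Apple Silicon (arm64) has no firmware password; the STIG marks it N/A.
    if [ "$arch" = "arm64" ]; then
        echo "NOT_APPLICABLE"
        return 0
    fi

    # Strip spaces and tabs so "Password Enabled: Yes" and "Password Enabled:Yes"
    # both match, then require the exact expected line.
    normalised=$(printf '%s\n' "$check_output" | tr -d ' \t')
    if printf '%s\n' "$normalised" | grep -qx 'PasswordEnabled:Yes'; then
        echo "PASS"
    else
        # "Password Enabled: No", an error message, or empty output (for
        # example when run without root) are all treated as a finding.
        echo "FINDING"
    fi
}

# Live check of the local machine. Needs root, as in the STIG check text.
run_live_check() {
    arch=$(/usr/bin/uname -m)
    # `|| true` keeps the script going so a missing or failing tool is
    # reported as a finding rather than aborting the run.
    out=$(/usr/sbin/firmwarepasswd -check 2>&1 || true)
    evaluate_firmware_password "$arch" "$out"
}

# Run the live check only when asked explicitly: `sudo sh check.sh run`
case "${1:-}" in
    run) run_live_check ;;
esac
```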
Fix Text
Configure the macOS system with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If the firmware password or passcode is forgotten, the only way to reset it is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.
Additional Identifiers
Rule ID: SV-257232r905329_rule
Vulnerability ID: V-257232
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |