Check: APPL-14-002066
Apple macOS 14 (Sonoma) STIG:
APPL-14-002066
(in versions v1 r2 through v1 r1)
Title
The macOS system must disable unattended or automatic log on to the system. (Cat II impact)
Discussion
Automatic logon must be disabled. When automatic logons are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logons mitigates this risk.
Check Content
Verify the macOS system is configured to disable unattended or automatic logon to the system with the following command:

```bash
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS
```

If the result is not "true", this is a finding.
Fix Text
Configure the macOS system to disable unattended or automatic logon to the system by installing the "com.apple.loginwindow" configuration profile.
Additional Identifiers
Rule ID: SV-259513r941161_rule
Vulnerability ID: V-259513
Group Title: SRG-OS-000480-GPOS-00229
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |