Title

The macOS system must enforce FileVault. (Cat I impact)

Discussion

FileVault must be enforced. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Satisfies: SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183,SRG-OS-000405-GPOS-00184

Check Content

Verify the macOS system is configured to enforce FileVault with the following command: dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\ .objectForKey('dontAllowFDEDisable').js EOS ) fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.") if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then echo "1" else echo "0" fi If the result is not "1", this is a finding.

Fix Text

Note: Refer to the FileVault supplemental to implement this rule.

Additional Identifiers

Rule ID: SV-259561r941305_rule

Vulnerability ID: V-259561

Group Title: SRG-OS-000185-GPOS-00079

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.