Check: APPL-14-005100
Apple macOS 14 (Sonoma) STIG:
APPL-14-005100
(in versions v1 r2 through v1 r1)
Title
The macOS system must ensure secure boot level set to full. (Cat II impact)
Discussion
The Secure Boot security setting must be set to full. Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. Note: This will only return a proper result on T2 or Apple Silicon Macs. Satisfies: SRG-OS-000445-GPOS-00199,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201
Check Content
Verify the macOS system is configured to ensure secure boot level set to full using the following command: /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to ensure secure boot level set to full by booting into Recovery Mode and enable Full Secure Boot.
Additional Identifiers
Rule ID: SV-259573r941341_rule
Vulnerability ID: V-259573
Group Title: SRG-OS-000445-GPOS-00199
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002696 |
The information system verifies correct operation of organization-defined security functions. |
| CCI-002699 |
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
| CCI-002702 |
The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |
Controls
| Number | Title |
|---|---|
| SI-6 |
Security Function Verification |