Title

The macOS system must enable firmware password. (Cat II impact)

Discussion

A firmware password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware passcode, use the following command: [source,bash] ---- /usr/sbin/firmwarepasswd -setpasswd ---- NOTE: If the firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated. NOTE: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.

Check Content

For Apple Silicon systems, this is not applicable. Verify the macOS system is configured with a firmware password with the following command: /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" If the result is not "1", this is a finding.

Fix Text

Configure the macOS system with a firmware password with the following command: /usr/sbin/firmwarepasswd -setpasswd NOTE: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.

Additional Identifiers

Rule ID: SV-268540r1034560_rule

Vulnerability ID: V-268540

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.