Title

The macOS system must disable Erase Content and Settings. (Cat II impact)

Discussion

Erase Content and Settings must be disabled. Without disabling the Erase Content and Settings configuration, forensics data could be lost if this feature is activated on a compromised system.

Check Content

Verify the macOS system is configured to disable Erase Content and Settings with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ .objectForKey('allowEraseContentAndSettings').js EOS If the result is not "false", this is a finding.

Fix Text

Configure the macOS system to disable Erase Content and Settings by installing the "com.apple.applicationaccess" configuration profile.

Additional Identifiers

Rule ID: SV-268564r1034632_rule

Vulnerability ID: V-268564

Group Title: SRG-OS-000095-GPOS-00049

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.