Check: APPL-15-005100
Apple macOS 15 (Sequoia) STIG:
APPL-15-005100
(in versions v1 r3 through v1 r1)
Title
The macOS system must ensure Secure Boot level is set to "full". (Cat II impact)
Discussion
The Secure Boot security setting must be set to "full". Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. NOTE: This will only return a proper result on a T2 or Apple Silicon Macs. Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
Check Content
Verify the macOS system is configured to ensure Secure Boot level is set to "full" using the following command: /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to ensure Secure Boot level is set to "full" by booting into Recovery Mode and enabling Full Secure Boot.
Additional Identifiers
Rule ID: SV-268568r1034644_rule
Vulnerability ID: V-268568
Group Title: SRG-OS-000445-GPOS-00199
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002696 |
Verify correct operation of organization-defined security functions. |
| CCI-002699 |
Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
| CCI-002702 |
Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |
Controls
| Number | Title |
|---|---|
| SI-6 |
Security Function Verification |