Check: AOSX-14-003013
Apple OS X 10.14 (Mojave) STIG:
AOSX-14-003013
(in versions v2 r6 through v1 r1)
Title
macOS must be configured with a firmware password to prevent access to single user mode and booting from alternative media. (Cat II impact)
Discussion
Single user mode and the boot picker, as well as numerous other tools are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.
Check Content
To check that password hints are disabled, run the following command: # sudo /usr/sbin/firmwarepasswd -check If the return is not, "Password Enabled: Yes", this is a finding.
Fix Text
To set a firmware passcode use the following command. sudo /usr/sbin/firmwarepasswd -setpasswd Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.
Additional Identifiers
Rule ID: SV-209622r610285_rule
Vulnerability ID: V-209622
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |