Check: AOSX-15-000032
Apple OS X 10.15 (Catalina) STIG:
AOSX-15-000032
(in versions v1 r10 through v1 r1)
Title
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup. (Cat II impact)
Discussion
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
Check Content
Retrieve a list of authorized FileVault users: # sudo fdesetup list fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A If any unauthorized users are listed, this is a finding. Verify that the authorized FileVault users are marked as “DisabledUser”, preventing console logins: Note: This procedure will need to be run for each authorized FileVault User. # sudo dscl . read /Users/<FileVault_User> AuthenticationAuthority | grep "DisabledUser" AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser If the FileVault user is not disabled, this is a finding. Verify that password forwarding has been disabled on the system: # sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin" DisableFDEAutologin = 1; If "DisableFDEAutologin" is not set to a value of "1", this is a finding.
Fix Text
Create an authorized user account that will be used to unlock the disk on startup. Disable the login ability of the newly created user account: # sudo dscl . append /Users/<FileVault_User> AuthenticationAuthority DisabledUser Disable the FileVault Auto-login feature: # sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user: # sudo fdesetup remove -user <username>
Additional Identifiers
Rule ID: SV-225222r610901_rule
Vulnerability ID: V-225222
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |