Check: AOSX-15-005051
Apple OS X 10.15 (Catalina) STIG:
AOSX-15-005051
(in versions v1 r10 through v1 r9)
Title
The macOS system must restrict the ability to utilize external writable media devices. (Cat II impact)
Discussion
External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data.
Check Content
Verify the system is configured to disable external writable media devices:

    $ /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/egrep -A 3 'blankbd|blankcd|blankdvd|dvdram|harddisk-external'

    "blankbd" = ( deny, eject );
    "blankcd" = ( deny, eject );
    "blankdvd" = ( deny, eject );
    "dvdram" = ( deny, eject );
    "harddisk-external" = ( deny, eject );

If the result does not match the output above and the external writeable media devices have not been approved by the Authorizing Official, this is a finding.
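The comparison above can be scripted so that a missing key or a missing action fails the check instead of relying on a visual match. This is an added example, not part of the STIG text: the function name, the `FAIL` message format and the sample inputs are constructed here, and it assumes a value may wrap across lines (suggested by the `-A 3` in the command).

```shell
#!/bin/sh
# Added example (not STIG text): pass/fail version of the AOSX-15-005051 check.
# On a Mac: /usr/sbin/system_profiler SPConfigurationProfileDataType | check_media_restrictions
REQUIRED_KEYS="blankbd blankcd blankdvd dvdram harddisk-external"
# Reads profile text on stdin; prints one line per key that is absent or
# lacks deny/eject; returns 0 only when all five keys carry both actions.
check_media_restrictions() {
    awk -v keys="$REQUIRED_KEYS" '
        { text = text " " $0 }            # join lines: a value may wrap
        END {
            gsub(/[\t"]/, " ", text)      # quotes and tabs become spaces
            n = split(keys, k, " "); bad = 0
            for (i = 1; i <= n; i++) {
                if (!match(text, " " k[i] " *= *\\([^)]*\\)")) {
                    print "FAIL " k[i] ": not set"; bad = 1; continue
                }
                acts = substr(text, RSTART, RLENGTH)
                sub(/^[^(]*\(/, "", acts); sub(/\)$/, "", acts)
                gsub(/ /, "", acts); acts = "," acts ","
                if (!index(acts, ",deny,") || !index(acts, ",eject,")) {
                    print "FAIL " k[i] ": missing deny or eject"; bad = 1
                }
            }
            exit bad
        }'
}
# Constructed sample inputs (not captured from a real system).
sample_compliant() {
cat <<'EOF'
"blankbd" = ( deny, eject );
"blankcd" = ( deny, eject );
"blankdvd" = ( deny, eject );
"dvdram" = ( deny, eject );
"harddisk-external" = (
    deny,
    eject
);
EOF
}
sample_noncompliant() {
cat <<'EOF'
"blankbd" = ( deny, eject );
"blankcd" = ( deny, eject );
"blankdvd" = ( deny, eject );
"harddisk-external" = ( deny );
EOF
}
```

A non-zero return still has to be weighed against any Authorizing Official approval, which the script cannot see.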
Fix Text
This setting is enforced using the "Restrictions Policy" configuration profile.
Additional Identifiers
Rule ID: SV-250321r832919_rule
Vulnerability ID: V-250321
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |