Check: AOSX-09-000785
Apple OS X 10.9 Workstation STIG:
AOSX-09-000785
(in version v1 r2)
Title
The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on organization-defined information system components. (Cat II impact)
Discussion
FileVault Disk Encryption must be enabled. This ensures that any data stored on the hard drive will be protected by cryptographic means when the system is powered off, mitigating the risk of unauthorized modification of that data. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
Check Content
To check if FileVault 2 is enabled, run the following command: sudo fdesetup status If FileVault is 'Off', and the device is a laptop, this is a finding.
Fix Text
Open System Preferences->Security & Privacy, and navigate to the FileVault tab. Use this panel to configure full-disk encryption. Alternately, from the command line, run the following command to enable FileVault: sudo fdesetup enable After FileVault is initially set up, additional users can be added.
Additional Identifiers
Rule ID: SV-72825r1_rule
Vulnerability ID: V-58395
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002475 |
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. |
Controls
Number | Title |
---|---|
SC-28 (1) |
Cryptographic Protection |