Title

An Extensible Firmware Interface (EFI) password must be used. (Cat I impact)

Discussion

When a computer starts up, it first starts Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determine which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer.

Check Content

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Verify the "Require password to start this computer from another source" is selected. If not, this is a finding.

Fix Text

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Click New. Select "Require password to start this computer from another source". In the Password and Verify fields, enter a new EFI password and click OK. Close the Firmware Password Utility.

Additional Identifiers

Rule ID: SV-38510r1_rule

Vulnerability ID: V-25259

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.