
The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.


Overview

Finding ID: V-257160
Version: APPL-13-000032
Rule ID: SV-257160r905113_rule
IA Controls: (none listed)
Severity: Medium
Description
When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.
STIG: Apple macOS 13 (Ventura) Security Technical Implementation Guide
Date: 2023-08-28

Details

Check Text (C-60845r905111_chk)
Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command:

/usr/bin/sudo /usr/bin/fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons:

/usr/bin/sudo /usr/bin/dscl . read /Users/ UserShell

UserShell: /usr/bin/false

If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.
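As an added example (not part of the STIG text), the following bash script automates both checks: it compares the "fdesetup list" output against an allow-list of designated FileVault users and confirms each allowed user's UserShell is /usr/bin/false. The user "jdoe" and its GUID are constructed sample data, and the run_audit wrapper is an assumed convenience that only runs where the macOS tools exist.

```bash
# Added example, not from the STIG. Parsers take command output as arguments so
# they can be exercised offline; run_audit runs the real commands on macOS.

# Constructed sample data (the jdoe line and its GUID are made up).
SAMPLE_FDESETUP_LIST='fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A
jdoe,11111111-2222-3333-4444-555555555555'
SAMPLE_DSCL_OK='UserShell: /usr/bin/false'
SAMPLE_DSCL_BAD='UserShell: /bin/zsh'

# Print every FileVault-enabled user ("name,GUID" lines from "fdesetup list")
# that is not in the comma-separated allow-list; empty output means compliant.
unauthorized_fv_users() {
    local list_output="$1" allowed=",$2," name
    printf '%s\n' "$list_output" | while IFS=, read -r name _; do
        [ -n "$name" ] || continue
        case "$allowed" in
            *",$name,"*) ;;          # designated FileVault user
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Succeed only when "dscl . read /Users/<name> UserShell" output shows the
# login shell is /usr/bin/false, i.e. console logon is disabled.
shell_is_disabled() {
    [ "$(printf '%s\n' "$1" | sed -n 's/^UserShell: *//p')" = "/usr/bin/false" ]
}

# Live audit on macOS; $1 is the comma-separated list of designated FileVault
# users. Exit status is non-zero when either check is a finding.
run_audit() {
    local allowed="$1" findings=0 extra name
    extra="$(/usr/bin/sudo /usr/bin/fdesetup list)" || return 2
    extra="$(unauthorized_fv_users "$extra" "$allowed")"
    if [ -n "$extra" ]; then
        echo "FINDING: unauthorized FileVault users: $extra"; findings=1
    fi
    for name in $(printf '%s\n' "$allowed" | tr ',' ' '); do
        if ! shell_is_disabled "$(/usr/bin/sudo /usr/bin/dscl . read "/Users/$name" UserShell 2>/dev/null)"; then
            echo "FINDING: $name shell is not /usr/bin/false"; findings=1
        fi
    done
    return $findings
}

# Only run the live audit where the macOS tools exist (usage: audit.sh fvuser).
if command -v fdesetup >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    run_audit "$1"
fi
```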
Fix Text (F-60786r905112_fix)
Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands:

/usr/bin/sudo /usr/bin/fdesetup add -user

/usr/bin/sudo /usr/bin/dscl . change /Users/ UserShell /usr/bin/false

Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user:

/usr/bin/sudo /usr/bin/fdesetup remove -user