STIGQter: STIG Summary: Apple OS X 10.15 (Catalina) Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 23 Apr 2021:

The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.

DISA Rule

SV-225222r610901_rule

Vulnerability Number

V-225222

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AOSX-15-000032

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Create an authorized user account that will be used to unlock the disk on startup.

Disable the login ability of the newly created user account:

# sudo dscl . append /Users/<FileVault_User> AuthenticationAuthority DisabledUser

Disable the FileVault Auto-login feature:

# sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutologin -bool YES

Remove all FileVault login access from each user account defined on the system that is not a designated FileVault user:

# sudo fdesetup remove -user <username>

Check Contents

Retrieve a list of authorized FileVault users:

# sudo fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the authorized FileVault users are marked as “DisabledUser”, preventing console logins:

Note: This procedure will need to be run for each authorized FileVault User.

# sudo dscl . read /Users/<FileVault_User> AuthenticationAuthority | grep "DisabledUser"

AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser

If the FileVault user is not disabled, this is a finding.

Verify that password forwarding has been disabled on the system:

# sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin"

DisableFDEAutologin = 1;

If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Vulnerability Number

V-225222

Documentable

False

Rule Version

AOSX-15-000032

Severity Override Guidance

Retrieve a list of authorized FileVault users:

# sudo fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the authorized FileVault users are marked as “DisabledUser”, preventing console logins:

Note: This procedure will need to be run for each authorized FileVault User.

# sudo dscl . read /Users/<FileVault_User> AuthenticationAuthority | grep "DisabledUser"

AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;unlock@LKDC:SHA1.20BABA05A6B1A86A8C57581A8487596640A3E37B;LKDC:SHA1.20CEBE04A5B1D92D8C58189D8487593350D3A40A; ;SecureToken; DisabledUser

If the FileVault user is not disabled, this is a finding.

Verify that password forwarding has been disabled on the system:

# sudo defaults read /Library/Preferences/com.apple.loginwindow | grep "DisableFDEAutologin"

DisableFDEAutologin = 1;

If "DisableFDEAutologin" is not set to a value of "1", this is a finding.

Check Content Reference

M

Target Key

4212

Comments