The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.

STIG ID: APPL-13-000032  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257160

Vulnerability Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Check

Verify the macOS system is configured with dedicated user accounts to decrypt the hard disk upon startup with the following command:

/usr/bin/sudo /usr/bin/fdesetup list

fvuser,85F41F44-22B3-6CB7-85A1-BCC2EA2B887A

If any unauthorized users are listed, this is a finding.

Verify that the shell for authorized FileVault users is set to "/usr/bin/false" to prevent console logons:

/usr/bin/sudo /usr/bin/dscl . read /Users/<FileVault_User> UserShell

UserShell: /usr/bin/false

If the FileVault users' shell is not set to "/usr/bin/false", this is a finding.

Fix

Configure the macOS system with a dedicated user account to decrypt the hard disk at startup and disable the logon ability of the newly created user account with the following commands:

/usr/bin/sudo /usr/bin/fdesetup add -user <username>

/usr/bin/sudo /usr/bin/dscl . change /Users/<FileVault_User> UserShell </path/to/current/shell> /usr/bin/false

Remove all FileVault logon access from each user account defined on the system that is not a designated FileVault user:

/usr/bin/sudo /usr/bin/fdesetup remove -user <username>
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.