The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

STIG ID: APPL-13-003013  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257232

Vulnerability Discussion

Single user mode and the boot picker, as well as numerous other tools, are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.

Check

For Apple Silicon-based systems, this is not applicable.

Verify the macOS system is configured with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -check

Password Enabled:Yes

If "Password Enabled" is not set to "Yes", this is a finding.

Fix

Configure the macOS system with a firmware password with the following command:

/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.