The macOS system must restrict the ability of individuals to use USB storage devices.

STIG ID: APPL-13-005051  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257243

Vulnerability Discussion

External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Check

Verify the macOS system is configured to disable USB storage devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls"

bd = (
"read-only"
);
blankbd = (
deny,
eject
);
blankcd = (
deny,
eject
);
blankdvd = (
deny,
eject
);
cd = (
"read-only"
);
"disk-image" = (
"read-only"
);
dvd = (
"read-only"
);
dvdram = (
deny,
eject
);
"harddisk-external" = (
deny,
eject
);

If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure the macOS system to disable USB storage devices by installing the "Restrictions Policy" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.