The macOS system must restrict the ability of individuals to write to external optical media.

STIG ID: APPL-13-005053  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: low |  CCI: CCI-000366 |  Vulnerability Id: V-257245

Vulnerability Discussion

External writeable media devices must be disabled for users. External optical media devices can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Check

Verify the macOS system is configured to disable writing to external optical media devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "BurnSupport"

BurnSupport = off;

If "BurnSupport" is not set to "off" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure the macOS system to disable writing to external optical media devices by installing the "Restrictions Policy" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.