STIGQter: STIG Summary: Apple OS X 10.15 (Catalina) Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 23 Apr 2021:

The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

DISA Rule

SV-225211r610901_rule

Vulnerability Number

V-225211

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AOSX-15-003013

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

To set a firmware passcode use the following command.

sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.

Check Contents

To ensure that a firmware password is set, run the following command:

# sudo /usr/sbin/firmwarepasswd -check

If the return is not, "Password Enabled: Yes", this is a finding

Vulnerability Number

V-225211

Documentable

False

Rule Version

AOSX-15-003013

Severity Override Guidance

To ensure that a firmware password is set, run the following command:

# sudo /usr/sbin/firmwarepasswd -check

If the return is not, "Password Enabled: Yes", this is a finding

Check Content Reference

Target Key

4212

The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments