← Back to Apple macOS 12 (Monterey) Security Technical Implementation Guide

V-252526

CAT II (Medium)

The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

Rule ID

SV-252526r991589_rule

STIG

Apple macOS 12 (Monterey) Security Technical Implementation Guide

Version

V1R9

CCIs

CCI-000366

Discussion

Single user mode and the boot picker, as well as numerous other tools are available on macOS through booting while holding the "Option" key down. Setting a firmware password restricts access to these tools.

Check Content

For Apple Silicon-based systems, this is Not Applicable.

For Intel-based systems, ensure that a firmware password is set, run the following command:

$ sudo /usr/sbin/firmwarepasswd -check

If the return is not "Password Enabled: Yes", this is a finding.

Fix Text

To set a firmware passcode use the following command.

sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call, and provide proof of purchase before the firmware binary will be generated.