← Back to Apple macOS 13 (Ventura) Security Technical Implementation Guide

V-257161

CAT II (Medium)

The macOS system must be configured to disable password forwarding for FileVault.

Rule ID

SV-257161r991589_rule

STIG

Apple macOS 13 (Ventura) Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-000366

Discussion

When "FileVault" and Multifactor Authentication are configured on the operating system, a dedicated user must be configured to ensure that the implemented Multifactor Authentication rules are enforced. If a dedicated user is not configured to decrypt the hard disk upon startup, the system will allow a user to bypass Multifactor Authentication rules during initial startup and first login.

Check Content

Verify the macOS system is configured to disable password forwarding with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "DisableFDEAutoLogin"

DisableFDEAutoLogin = 1;

If "DisableFDEAutoLogin" is not set to a value of "1", this is a finding.

Fix Text

Configure the macOS system to disable password forwarding by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".