Rule ID
SV-259543r991589_rule
Version
V2R3
CCIs
A firmware password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding the "Option" key down during startup. Setting a firmware password restricts access to these tools. To set a firmware passcode use the following command: [source,bash] ---- /usr/sbin/firmwarepasswd -setpasswd ---- Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through the use of a machine specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated. Note: Firmware passwords are not supported on Apple Silicon devices. This rule is only applicable to Intel devices.
For Apple Silicon systems, this is not applicable. Verify the macOS system is configured with a firmware password with the following command: /usr/sbin/firmwarepasswd -check | /usr/bin/grep -c "Password Enabled: Yes" If the result is not "1", this is a finding.
Configure the macOS system with a firmware password with the following command: /usr/sbin/firmwarepasswd -setpasswd Note: If firmware password or passcode is forgotten, the only way to reset the forgotten password is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.