V-257243

Discussion

External writeable media devices must be disabled for users. External USB devices are a potential vector for malware and can be used to exfiltrate sensitive data if an approved data-loss prevention (DLP) solution is not installed.

Check Content

Verify the macOS system is configured to disable USB storage devices with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -A 32 "mount-controls"

bd = (
"read-only"
);
blankbd = (
deny,
eject
);
blankcd = (
deny,
eject
);
blankdvd = (
deny,
eject
);
cd = (
"read-only"
);
"disk-image" = (
"read-only"
);
dvd = (
"read-only"
);
dvdram = (
deny,
eject
);
"harddisk-external" = (
deny,
eject
);

If the result does not match the output above and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.