The macOS system must enforce FileVault.

STIG ID: APPL-14-005020  |  SRG: SRG-OS-000185-GPOS-00079 |  Severity: high |  CCI: CCI-001199,CCI-002475,CCI-002476 |  Vulnerability Id: V-259561 | 

Vulnerability Discussion

FileVault must be enforced.

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

Satisfies: SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183,SRG-OS-000405-GPOS-00184

Check

Verify the macOS system is configured to enforce FileVault with the following command:

dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
)
fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.")
if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then
echo "1"
else
echo "0"
fi

If the result is not "1", this is a finding.

Fix

Note: Refer to the FileVault supplemental to implement this rule.