The macOS system must enforce FileVault.

STIG ID: APPL-14-005020 | SRG: SRG-OS-000185-GPOS-00079 | Severity: high | CCI: CCI-001199, CCI-002475, CCI-002476

Vulnerability Discussion

FileVault must be turned on, and users must be prevented from turning it off, so that data at rest on the startup volume stays encrypted. Enabling FileVault alone is not sufficient for this rule: a user who can disable it from System Settings can leave the volume unencrypted, so the ability to disable FileVault must be removed through management.

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184

Check

Verify the macOS system is configured to enforce FileVault by running the following script in a shell on the system. It checks two things: that the managed preference "dontAllowFDEDisable" in the "com.apple.MCX" domain is set to true (FileVault cannot be disabled by the user), and that "fdesetup status" reports FileVault as on. Both must hold.

dontAllowDisable=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
)
fileVault=$(/usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On.")
if [[ "$dontAllowDisable" == "true" ]] && [[ "$fileVault" == 1 ]]; then
echo "1"
else
echo "0"
fi

If the result is not "1", this is a finding. A result of "0" means at least one condition failed: FileVault is off (or still deferred), or the preference that prevents disabling it is not being managed.
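The check's decision logic, rewritten here as an added example (this is not the STIG's own check script) so that the comparison can be exercised offline against constructed "fdesetup status" output and preference values. On a real Mac the two inputs come from "osascript" and "fdesetup" exactly as in the check above; the function names "filevault_enforced" and "collect_filevault_state" and the sample outputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Factors the APPL-14-005020 decision
# into a function whose inputs are passed as arguments, so the same logic can be
# run against constructed inputs on any POSIX shell.

# filevault_enforced DONT_ALLOW_DISABLE FDESETUP_STATUS
#   $1: the value of com.apple.MCX dontAllowFDEDisable as printed by the JXA
#       query in the check ("true" when managed and enforced; anything else,
#       including an empty string when the key is not managed, is non-compliant)
#   $2: the full output of `fdesetup status`
# Prints "1" when both conditions hold (compliant) and "0" otherwise (finding).
filevault_enforced() {
    dont_allow_disable="$1"
    fdesetup_status="$2"
    # grep -c exits 1 when there is no match; "|| true" keeps "set -e" callers alive
    # while the printed count ("0") is still captured.
    on_count=$(printf '%s\n' "$fdesetup_status" | grep -c "FileVault is On." || true)
    if [ "$dont_allow_disable" = "true" ] && [ "$on_count" = "1" ]; then
        printf '1\n'
    else
        printf '0\n'
    fi
}

# On macOS, gather the live inputs the same way the check does and evaluate them.
# (Assumed helper name; only meaningful on a Mac where osascript and fdesetup exist.)
collect_filevault_state() {
    dont_allow=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')\
.objectForKey('dontAllowFDEDisable').js
EOS
)
    filevault_enforced "$dont_allow" "$(/usr/bin/fdesetup status)"
}

# Constructed sample outputs for offline use (not captured from a real system).
FV_ON_STATUS='FileVault is On.'
FV_OFF_STATUS='FileVault is Off.'

# Example run: only the managed-and-on combination is compliant.
filevault_enforced "true" "$FV_ON_STATUS"    # compliant -> 1
filevault_enforced "true" "$FV_OFF_STATUS"   # FileVault off -> 0
filevault_enforced "false" "$FV_ON_STATUS"   # on, but user may disable it -> 0
filevault_enforced "" "$FV_ON_STATUS"        # on, but preference not managed -> 0
```

The point the split makes visible is that the two conditions are independent: a system with FileVault turned on by a user who can later switch it off still fails, and a system with the preference managed but encryption never started (or deferred) also fails. Treating any value other than the literal string "true" as non-compliant keeps an unmanaged or unexpected preference value from being read as a pass.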

Fix

Note: Refer to the FileVault supplemental to implement this rule.