The macOS system must disable unattended or automatic login to the system.

STIG ID: APPL-15-002066  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: high |  CCI: CCI-000764,CCI-000366 |  Vulnerability Id: V-268512

Vulnerability Discussion

Automatic login must be disabled.

When automatic logins are enabled, the default user account is automatically logged on at boot time without prompting the user for a password. Even if the screen is later locked, a malicious user would be able to reboot the computer and find it already logged in. Disabling automatic logins mitigates this risk.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000480-GPOS-00229

Check

Verify the macOS system is configured to disable unattended or automatic login to the system with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
.objectForKey('com.apple.login.mcx.DisableAutoLoginClient').js
EOS

If the result is not "true", this is a finding.

Fix

Configure the macOS system to disable unattended or automatic login to the system by installing the "com.apple.loginwindow" configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.