The macOS system must ensure Secure Boot level is set to "full".

STIG ID: APPL-15-005100  |  SRG: SRG-OS-000445-GPOS-00199 |  Severity: medium |  CCI: CCI-002696,CCI-002699,CCI-002702 |  Vulnerability Id: V-268568

Vulnerability Discussion

The Secure Boot security setting must be set to "full".

Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot.

NOTE: This will only return a proper result on a T2 or Apple Silicon Macs.

Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201

Check

Verify the macOS system is configured to ensure Secure Boot level is set to "full" using the following command:

/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to ensure Secure Boot level is set to "full" by booting into Recovery Mode and enabling Full Secure Boot.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.