2.12 Securely delete files as needed

Information

In previous versions of macOS Apple included a capability to securely empty the trash that included overwrites of the existing data. With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives the requirements have changed and the 'Secure Empty Trash' capability has been removed from the GUI. For systems that are not using encryption and continue to use platter-based hard drives there is residual risk that deleted files can still be recovered from the file system.

In previous versions of the Benchmark srm was mentioned as an alternative to the removal of 'Secure Empty Trash.' With the release of macOS 10.12 srm has been removed. There is still an option to erase free space from the command line but Apple has warned that encryption is a better solution

From manual entry for diskutil

NOTE: This kind of secure erase is no longer considered safe

because modern devices have wear-leveling, block-sparing, and

possibly-persistent cache hardware. The modern solution for

quickly and securely erasing your data is strong encryption,

with which mere destruction of the key more or less instantly

renders your data irretrievable in practical terms.

To erase free space on the boot volume

diskutil secureErase freespace 0 /

Rationale:

Securely removing files mitigates the risk of an admin user on the system recovering sensitive files that the user has deleted. It is possible for anyone with physical access to the device to get access if FileVault is not used, or to recover deleted data if the FileVault volume is already mounted. Users and admins of computers containing sensitive information should be screened appropriately or additional security controls should be in place to prevent unauthorized access to sensitive information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/2112

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6

Plugin: Unix

Control ID: d0c6e86686438c9b8fe337f149e2fdfc8b0f89940e1a189c37f262a3c7333bb1