Information
In previous versions of macOS Apple included a capability to securely empty the trash that included overwrites of the existing data. With the wider use of FileVault and other encryption methods and the growing use of Solid State Drives the requirements have changed and the 'Secure Empty Trash' capability has been removed from the GUI. For systems that are not using encryption and continue to use platter-based hard drives there is residual risk that deleted files can still be recovered from the file system.
In previous versions of the Benchmark srm was mentioned as an alternative to the removal of 'Secure Empty Trash.' With the release of macOS 10.12 srm has been removed. There is still an option to erase free space from the command line but Apple has warned that encryption is a better solution
From manual entry for diskutil
NOTE: This kind of secure erase is no longer considered safe
because modern devices have wear-leveling, block-sparing, and
possibly-persistent cache hardware. The modern solution for
quickly and securely erasing your data is strong encryption,
with which mere destruction of the key more or less instantly
renders your data irretrievable in practical terms.
To erase free space on the boot volume
diskutil secureErase freespace 0 /
Rationale:
Securely removing files mitigates the risk of an admin user on the system recovering sensitive files that the user has deleted. It is possible for anyone with physical access to the device to get access if FileVault is not used, or to recover deleted data if the FileVault volume is already mounted. Users and admins of computers containing sensitive information should be screened appropriately or additional security controls should be in place to prevent unauthorized access to sensitive information.
Impact:
Securely deleting files can take a long time, with FileVault in place the protection is erasing data within an already encrypted volume.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.