2.8.2 Ensure Power Nap Is Disabled for Intel Macs

Information

Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input.

This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks.

Rationale:

Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.

The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used.

The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.

Impact:

Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept.

Solution

Perform the following disable Power Nap:
Graphical Method:

Open System Preferences

Select Energy Saver

Uncheck Enable Power Nap

Terminal Method:
Run the following command to disable Power Nap:

$ sudo pmset -a powernap 0

Additional Information:

man pmset

See Also

https://workbench.cisecurity.org/files/4000