2.8.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon)

Information

In order to use a computer with Full Disk Encryption (FDE), macOS must keep encryption keys in memory to allow the use of the disk that has been FileVault protected. The storage volume has been unlocked and acts as if it were not encrypted. When the system is not in use, the volume is protected through encryption. When the system is sleeping and available to quickly resume, the encryption keys remain in memory.

If an unauthorized party has possession of the computer and the computer is only slept, there are known attack vectors that can be attempted against the RAM that has the encryption keys or the running operating system protected by a login screen. Network attacks if network interfaces are on, as well as USB or other open device ports, are possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all the other controls function as intended.

There is little impact on hibernating the system rather than sleeping after an appropriate time period to remediate the risk of OS level attacks. Hibernation writes the keys to disk and requires FileVault to be unlocked prior to the OS being available. In the case of unauthorized personnel with access to the computer, encryption would have to be broken prior to attacking the operating system in order to recover data from the system.

https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/

Mac systems should be set to hibernate after sleeping for a risk-acceptable time period.

MacBooks should be set so that the sleep is 15 minutes (900 seconds) or less. This setting should allow laptop users in most cases to stay within physically secured areas while going to a conference room, auditorium, or other internal location without having to unlock the encryption. When the user goes home at night, the laptop will auto-hibernate after 15 minutes and require the FileVault password to unlock prior to logging back into the system when it resumes.

MacBooks should also be set to a hibernate mode that removes power from the RAM. This will stop the possibility of cold boot attacks on the system.

Macs running Apple silicon chips, rather than Intel chips, do not require the same configuration as Intel-based Macs.

Rationale:

To mitigate the risk of data loss, the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.

Impact:

The laptop will take additional time to resume normal operation if only sleeping rather than hibernating. Touch ID will not be available when waking from hibernate.

Setting hibernatemode to 25 will disable the 'always-on' feature of the Apple Silicon Macs.

Solution

Terminal Method:
Run the following command to set the sleep time and hibernate mode:

$ /usr/bin/sudo /usr/bin/pmset -a sleep <value<=10>
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep <value<=15 & >value of sleep>
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

Note: Setting hibernate mode will require the user to log into the machine after sleep and disable any wake options. hibernatemode must be set to 25 or it will not force the computer into a pre-boot state.
example:

$ /usr/bin/sudo /usr/bin/pmset -a sleep 10
$ /usr/bin/sudo /usr/bin/pmset -a displaysleep 15
$ /usr/bin/sudo /usr/bin/pmset -a hibernatemode 25

See Also

https://workbench.cisecurity.org/benchmarks/14563

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11

Plugin: Unix

Control ID: b0eb400f926565cc88fc7247ce7e14a8bb3ae6fa549919c7305daa0145a3ca10