AOSX-14-003013 - macOS must be configured with a firmware password to prevent access to single user mode and booting from alternative media.

Information

Single user mode, the boot picker, and numerous other tools are available on macOS by booting while holding down the 'Option' key. Setting a firmware password restricts access to these tools.

Solution

To set a firmware passcode, use the following command:

sudo /usr/sbin/firmwarepasswd -setpasswd

Note: If the firmware password or passcode is forgotten, the only way to reset it is through the use of a machine-specific binary generated and provided by Apple. Schedule a support call and provide proof of purchase before the firmware binary will be generated.
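To confirm the setting after running the command above, the following added example (not part of the STIG item or the audit plugin) classifies the output of `firmwarepasswd -check`. It assumes the tool's `-check` option, which is not shown on this page, reports a line of the form "Password Enabled: Yes" or "Password Enabled: No"; the function names and the `--run` switch are illustrative.

```shell
#!/bin/sh
# Added example: verify AOSX-14-003013 by classifying `firmwarepasswd -check` output.
# Assumption: -check prints "Password Enabled: Yes" or "Password Enabled: No".

FIRMWAREPASSWD=/usr/sbin/firmwarepasswd

# Print "compliant", "finding" or "unknown" for the given -check output text.
classify_firmware_check() {
    # Strip CRs, tolerate surrounding whitespace, keep only the first status line.
    status=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[[:space:]]*Password Enabled:[[:space:]]*\([A-Za-z]*\)[[:space:]]*$/\1/p' |
        head -n 1)
    case "$status" in
        Yes) echo compliant ;;
        No)  echo finding ;;
        *)   echo unknown ;;   # tool error, unexpected format or empty output
    esac
}

# Run the real check on a Mac (needs root).
# Returns 0 = compliant, 1 = finding, 2 = could not determine.
audit_firmware_password() {
    if [ ! -x "$FIRMWAREPASSWD" ]; then
        echo "AOSX-14-003013: unknown ($FIRMWAREPASSWD not present)" >&2
        return 2
    fi
    out=$("$FIRMWAREPASSWD" -check 2>&1)
    result=$(classify_firmware_check "$out")
    echo "AOSX-14-003013: $result"
    case "$result" in
        compliant) return 0 ;;
        finding)   return 1 ;;
        *)         return 2 ;;
    esac
}

# Only touch the system when explicitly asked: sudo sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_firmware_password
    exit $?
fi
```

Treating anything other than an explicit "Yes" as non-compliant or undetermined keeps a failed or unprivileged run from being recorded as a pass.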

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-14_V2R6_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-209622r610285_rule, STIG-ID|AOSX-14-003013, STIG-Legacy|SV-105113, STIG-Legacy|V-95975, Vuln-ID|V-209622

Plugin: Unix

Control ID: d51b8bd48bb0f2788cb120b30b1e298ab9c031d15981d19bb6a818447069caa2