The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
An XCCDF Rule
Description
Single user mode and the boot picker, as well as numerous other tools, are available on macOS by holding down the "Option" key while booting. Setting a firmware password restricts access to these tools.
- ID: SV-257232r905329_rule
- Version: APPL-13-003013
- Severity: Medium
Remediation Templates
A Manual Procedure
Configure the macOS system with a firmware password with the following command:
/usr/bin/sudo /usr/sbin/firmwarepasswd -setpasswd
Note: If the firmware password or passcode is forgotten, the only way to reset it is through a machine-specific binary generated and provided by Apple. Users must schedule a support call and provide proof of purchase before the firmware binary will be generated.
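One way to verify the setting after the procedure above, as an added example that is not part of the original rule text. It assumes the tool's `-check` option reports `Password Enabled: Yes` or `Password Enabled: No`, and it treats Apple silicon (`arm64`) as not applicable because firmware passwords exist only on Intel-based Macs; the function names are hypothetical.

```shell
#!/bin/sh
# Audit helper for the firmware password setting (added example; function
# names are hypothetical and not part of the rule or of macOS).

FIRMWAREPASSWD=/usr/sbin/firmwarepasswd

# Classify the text printed by `firmwarepasswd -check`.
# Assumed output format: "Password Enabled: Yes" or "Password Enabled: No".
classify_check_output() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "compliant" ;;
        *"Password Enabled: No"*)  echo "finding" ;;
        *)                         echo "unknown" ;;  # empty or unexpected text
    esac
}

# Decide the audit result for one host.
#   $1 = CPU architecture as reported by `uname -m`
#   $2 = captured output of `firmwarepasswd -check` (may be empty)
audit_result() {
    arch="$1"
    output="$2"
    # Firmware passwords are an Intel-only feature, so an arm64 Mac is
    # reported as not applicable instead of as a finding.
    if [ "$arch" = "arm64" ]; then
        echo "not_applicable"
        return 0
    fi
    classify_check_output "$output"
}

# Audit the local machine. Must run as root; a missing tool or a failed
# call leaves the output empty, which classifies as "unknown" rather than
# being silently treated as compliant.
audit_local_host() {
    arch=$(uname -m)
    output=""
    if [ "$arch" != "arm64" ] && [ -x "$FIRMWAREPASSWD" ]; then
        output=$("$FIRMWAREPASSWD" -check 2>&1) || true
    fi
    audit_result "$arch" "$output"
}

echo "firmware password audit: $(audit_local_host)"
```

An `unknown` result means the check could not be evaluated (tool missing, not run as root, or unexpected output) and should be investigated, not counted as a pass.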