From 167e943202793e7ca746cfc8a9d998612f72bbb3 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 13 Jul 2021 12:36:45 -0400
Subject: [PATCH] wording changes, reference update, manual tag added
---
 rules/os/os_filevault_authorized_users.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/os/os_filevault_authorized_users.yaml b/rules/os/os_filevault_authorized_users.yaml
index a016f0e5..3e306106 100644
--- a/rules/os/os_filevault_authorized_users.yaml
+++ b/rules/os/os_filevault_authorized_users.yaml
@@ -5,16 +5,21 @@ discussion: |
 check: |
 /usr/bin/fdesetup list | /usr/bin/awk -F',' '{print $1}'
 result:
- string: "a list containing usernames that can unlock FileVault"
+ string: "a list containing authorized users that can unlock FileVault"
 fix: |
- Remove the secure token from any account that is not authorized to unlock FileVault.
+ Remove the user that is not authorized to unlock FileVault using the fdesetup command.
+
+ [source,bash]
+ ----
+ /usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME
+ ----
 references:
 cce:
 - CCE-85311-9
 cci:
 - CCI-002143
 800-53r5:
- - AU-2(11)
+ - AC-2(11)
 800-53r4:
 - N/A
 srg:
@@ -26,6 +31,7 @@ macOS:
 tags:
 - 800-53r5_high
 - stig
+ - manual
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
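Review bot: The new `fix` text in the first hunk gives `/usr/bin/fdesetup remove -user NOT_AUTHORIZED_USERNAME` without saying that `fdesetup` generally has to run as root or that the name is a placeholder to substitute for each unapproved account from the check output. I would add a sentence ahead of the `[source,bash]` block along the lines of `Run as root, replacing NOT_AUTHORIZED_USERNAME with each listed account that is not approved, and confirm that at least one authorized user can still unlock the volume afterwards.` If the guidance tooling lifts `[source,bash]` blocks into generated remediation scripts, the placeholder would be executed literally; presumably the `manual` tag added in the second hunk is what keeps this rule out of automated fixes, which is worth confirming. The `800-53r4` entry also stays `N/A` while `800-53r5` is corrected to `AC-2(11)`, so check whether the revision 4 mapping should name the same control.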