From ee0494b4e0f4e485f171be8903fcea5b4f9bff2e Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 30 Jun 2021 09:37:33 -0400 Subject: [PATCH] added a note about T2/Apple Silicon --- rules/os/os_secure_boot_verify.yaml | 2 +- rules/os/os_secure_enclave.yaml | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/os/os_secure_boot_verify.yaml b/rules/os/os_secure_boot_verify.yaml index d91462b7..a89e1024 100644 --- a/rules/os/os_secure_boot_verify.yaml +++ b/rules/os/os_secure_boot_verify.yaml @@ -5,7 +5,7 @@ discussion: | Full security is the default Secure Boot setting in macOS. During startup, when Secure Boot is set to full security, the Mac will verify the integrity of the operating system before allowing the operating system to boot. - Note: This will only return a proper result on a T2 Mac + Note: This will only return a proper result on a T2 or Apple Silicon Macs. check: | /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "SecureBootLevel = full" result: diff --git a/rules/os/os_secure_enclave.yaml b/rules/os/os_secure_enclave.yaml index 71beb3b4..47d30612 100644 --- a/rules/os/os_secure_enclave.yaml +++ b/rules/os/os_secure_enclave.yaml @@ -6,10 +6,14 @@ discussion: | Macs with Apple Silicon or T2 processors provide protected storage for cryptographic keys via the secure enclave. link:https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1[] + + Note: This will only return a proper result on a T2 or Apple Silicon Macs. check: | - The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement. + /usr/sbin/ioreg -w 0 -c AppleSEPManager | /usr/bin/grep -q 'AppleSEPManager'; /bin/echo $? +result: + integer: 0 fix: | - The technology inherently meets this requirement. No fix is required. + The hardware does not support the requirement. references: cce: - N/A
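Review bot: the added discussion line in os_secure_boot_verify.yaml has an article/number mismatch, "on a T2 or Apple Silicon Macs"; suggest "on T2 or Apple Silicon Macs". The note would also be more useful if it said what the check produces on a Mac without a T2 or Apple Silicon processor: `grep -c "SecureBootLevel = full"` simply prints 0 there, so the rule reads as a failure rather than as not applicable, and the discussion should tell the reader how to interpret that.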
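Review bot: the new fix text in os_secure_enclave.yaml, "The hardware does not support the requirement.", is a finding, not remediation guidance; since the only way the new `ioreg -c AppleSEPManager` check can fail is hardware without a Secure Enclave, state that explicitly, e.g. "Macs without a T2 or Apple Silicon processor cannot meet this requirement; there is no software fix." The added discussion note carries the same "on a T2 or Apple Silicon Macs" slip as the other file. Minor style point: this rule returns an exit status via `grep -q ...; /bin/echo $?` with `result: integer: 0`, while os_secure_boot_verify.yaml uses `grep -c` and matches on a count; settling on one convention keeps the result semantics consistent across rules.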