os_hibernate_mode_enable: remediation is not effective #231

Closed
opened 2026-01-19 18:29:44 +00:00 by michael · 5 comments

Originally created by @marcindulak on GitHub.

Summary

os_hibernate_mode_enable: remediation is not effective

Steps to reproduce

On a fresh system, execute the compliance script generated from baseline (e.g. https://github.com/usnistgov/macos_security/blob/main/baselines/cis_lvl2.yaml) which includes this rule,
and apply remediation with "3. Run Commands to remediate non-compliant settings". Run the "2. Run New Compliance Scan" again.

Operating System version

sw_vers
# Output:
# ProductName:      macOS
# ProductVersion:   12.5.1
# BuildVersion:     21G83

What is the current bug behavior?

os_hibernate_mode_enable failed (Result: 3, Expected: {integer: 0})

The following commands appear not effective

https://github.com/usnistgov/macos_security/blob/06cc0d2614da5b6f478b6f1ff45b059bb7c6aa5a/rules/os/os_hibernate_mode_enable.yaml#L28-L34

After their execution the following is reported by pmset:

/usr/bin/pmset -g
# Output:
# System-wide power settings:
# DestroyFVKeyOnStandby       1
# Currently in use:
# standby              1
# Sleep On Power Button 1
# hibernatefile        /var/vm/sleepimage
# powernap             1
# disksleep            10
# sleep                1 (sleep prevented by powerd)
# hibernatemode        3
# ttyskeepawake        1
# displaysleep         2
# tcpkeepalive         1
# lowpowermode         0

See https://apple.stackexchange.com/questions/434372/cant-find-standbydelayhigh-and-standbydelaylow-on-macbook-pro-2021 for discussion.

The following line appears unused in the check

https://github.com/usnistgov/macos_security/blob/06cc0d2614da5b6f478b6f1ff45b059bb7c6aa5a/rules/os/os_hibernate_mode_enable.yaml#L12

I'm not sure if it should be removed, or covered by a check.
See for example discussion at https://www.techrepublic.com/article/how-to-ensure-the-integrity-of-your-encrypted-drive-while-its-hibernating-in-macos/

What is the expected correct behavior?

os_hibernate_mode_enable passed (Result: 0, Expected: {integer: 0})

or another "passed" check output as needed.

Relevant logs and/or screenshots

Output of checks

# os_hibernate_mode_enable failed (Result: 3, Expected: {integer: 0})

Possible fixes

Unknown


@robertgendler commented on GitHub:

Good idea with the issue template update. We made that a long long time ago. So I think we should update that.


@robertgendler commented on GitHub:

Issue template updated!


@marcindulak commented on GitHub:

Thanks, it's Apple Silicon M1.
It was not clear to me how branches are used, but got an answer in https://github.com/usnistgov/macos_security/issues/132#issuecomment-1230282160.
Following this I have some suggestions:

  1. first-time users may find it helpful if there is a pinned issue that describes the branching strategy and approximate timelines or the releases,
  2. the issue template section "Operating System version" could suggest a command line `sw_vers && system_profiler SPHardwareDataType | grep "Chip:"`. I'm not sure how portable this is.

@robertgendler commented on GitHub:

Is this an Apple Silicon Mac or Intel?

I believe what you're running into is fixed on the OS branches
https://github.com/usnistgov/macos_security/blob/monterey/rules/os/os_hibernate_mode_enable.yaml

Check out the OS branches for the most up to date.


@ecbyrd commented on GitHub:

As @robertgendler mentioned, we are recommending those settings for Intel machines only. For Apple Silicon we have these settings:

$ sudo pmset -a standby <value≤900>
$ sudo pmset -a destroyfvkeyonstandby 1
$ sudo pmset -a hibernatemode 25

Also, hibernatemode 25 is not included, which is what sets the proper hibernate mode we require.
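
The three Apple Silicon settings listed in the comment above can be verified from `pmset -g` output, as in this added example (not part of the thread and not mSCP project code). The function name and the two samples are assumptions; the first sample is constructed from the values reported in the issue, and the numeric `standby` value is treated as the quantity bounded by 900, following the comment as written.

```shell
#!/bin/sh
# Added example, not mSCP project code. Reads `pmset -g` output on stdin and
# prints how many of the three Apple Silicon settings quoted in the thread
# are unmet (0 = all in place). Details for unmet settings go to stderr.
count_unmet_pmset_settings() {
    awk '
        function unmet(key, ok, want) {
            if (ok) return 0
            printf("unmet: %s is %s, want %s\n", key,
                   ((key in val) ? val[key] : "absent"), want) > "/dev/stderr"
            return 1
        }
        # Tolerate the "# " prefix used when output is pasted as comments.
        { sub(/^#[ \t]*/, "") }
        # Keep single-word keys followed by an integer. Keys are lower-cased
        # because pmset -g prints DestroyFVKeyOnStandby in mixed case.
        NF >= 2 && $2 ~ /^[0-9]+$/ { val[tolower($1)] = $2 + 0 }
        END {
            n  = unmet("hibernatemode",
                       ("hibernatemode" in val) && val["hibernatemode"] == 25, "25")
            n += unmet("destroyfvkeyonstandby",
                       ("destroyfvkeyonstandby" in val) &&
                       val["destroyfvkeyonstandby"] == 1, "1")
            n += unmet("standby",
                       ("standby" in val) && val["standby"] <= 900, "<=900")
            print n
        }
    '
}

# Constructed sample: values as reported in the issue (hibernatemode still 3).
SAMPLE_BEFORE='System-wide power settings:
 DestroyFVKeyOnStandby       1
Currently in use:
 standby              1
 Sleep On Power Button 1
 hibernatefile        /var/vm/sleepimage
 sleep                1 (sleep prevented by powerd)
 hibernatemode        3'

# Constructed sample: the same host after `pmset -a hibernatemode 25`.
SAMPLE_AFTER='System-wide power settings:
 DestroyFVKeyOnStandby       1
Currently in use:
 standby              1
 hibernatemode        25'

# On a Mac: /usr/bin/pmset -g | count_unmet_pmset_settings
```
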

Reference: usnistgov/macos_security#231