mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
77 lines
1.5 KiB
YAML
77 lines
1.5 KiB
YAML
id: os_authenticated_root_enable
|
|
title: "Enable Authenticated Root"
|
|
discussion: |
|
|
Authenticated Root _MUST_ be enabled.
|
|
|
|
When Authenticated Root is enabled the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume.
|
|
|
|
NOTE: Authenticated Root is enabled by default on macOS systems.
|
|
|
|
WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.
|
|
check: |
|
|
/usr/bin/csrutil authenticated-root | /usr/bin/grep -c 'enabled'
|
|
result:
|
|
integer: 1
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/bin/csrutil authenticated-root enable
|
|
----
|
|
NOTE: To re-enable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.
|
|
references:
|
|
cce:
|
|
- CCE-92764-0
|
|
cci:
|
|
- N/A
|
|
800-53r5:
|
|
- AC-3
|
|
- CM-5
|
|
- SC-34
|
|
- SI-7(6)
|
|
- SI-7
|
|
- MA-4(1)
|
|
800-53r4:
|
|
- AC-3
|
|
- CM-5
|
|
- SC-34
|
|
- SI-7
|
|
- SI-7(6)
|
|
srg:
|
|
- N/A
|
|
disa_stig:
|
|
- N/A
|
|
800-171r2:
|
|
- 3.1.1
|
|
- 3.1.2
|
|
- 3.4.5
|
|
cis:
|
|
benchmark:
|
|
- 5.1.4 (level 1)
|
|
controls v8:
|
|
- 3.6
|
|
- 3.11
|
|
cmmc:
|
|
- AC.L1-3.1.1
|
|
- CM.L2-3.4.5
|
|
- SC.L2-3.13.11
|
|
macOS:
|
|
- "14.0"
|
|
tags:
|
|
- 800-53r5_low
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|
|
- 800-53r4_low
|
|
- 800-53r4_moderate
|
|
- 800-53r4_high
|
|
- 800-171
|
|
- cis_lvl1
|
|
- cis_lvl2
|
|
- cisv8
|
|
- cnssi-1253_moderate
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- cmmc_lvl1
|
|
mobileconfig: false
|
|
mobileconfig_info:
|