usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
5acbdbd21e8397cdb0a6fb80e7b1dc5c3397b7c0
macos_security/rules/os/os_hibernate_mode_apple_silicon_enable.yaml
Dan Brodjieski 5acbdbd21e chore: clean up extraneous trailing whitespace
2023-09-14 14:21:06 -04:00

66 lines
2.0 KiB
YAML
Raw Blame History

id: os_hibernate_mode_apple_silicon_enable
title: "Enable Hibernate Mode (Apple Silicon)"
discussion: |
Hibernate mode _MUST_ be enabled.
This will store a copy of memory to persistent storage, and will remove power to memory. This setting will stop the potential for a cold-boot attack.
Apple Silicon MacBooks should set sleep timeout to 10 minutes (600 seconds) or less and the display sleep timeout should be 15 minutes (900 seconds) or less but greater than the sleep setting.
This setting ensures that MacBooks will not hibernate and require FileVault authentication wheneve the display goes to sleep for a short period of time.
NOTE: Hibernate mode will disable instant wake on Apple Silicon laptops.
check: |
error_count=0
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
((error_count++))
fi
if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
((error_count++))
fi
if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
((error_count++))
fi
fi
echo "$error_count"
result:
integer: 0
fix: |
[source,bash]
----
/usr/bin/pmset -a sleep 10
/usr/bin/pmset -a displaysleep 15
/usr/bin/pmset -a hibernatemode 25
----
references:
cce:
- CCE-92800-2
cci:
- N/A
800-53r5:
- N/A
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
cis:
benchmark:
- 2.9.1.2 (level 2)
controls v8:
- 4.1
macOS:
- "14.0"
tags:
- cis_lvl2
- cisv8
- arm64
mobileconfig: false
mobileconfig_info:
Reference in New Issue View Git Blame Copy Permalink