This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must authorize USB devices before allowing connection.

STIG ID: APPL-15-005090 | SRG: SRG-OS-000378-GPOS-00163 | Severity: medium (CAT II) | CCI: CCI-001958, CCI-003959 | Vulnerability Id: V-268567

Vulnerability Discussion

USB devices connected to a Mac must be authorized.

IMPORTANT: This feature is removed if a smart card is paired or smart card attribute mapping is configured.

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

Satisfies: SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

Check

Verify the macOS system is configured to authorize USB devices before allowing connection with the following command:

/usr/bin/osascript -l JavaScript << EOS
function run() {
    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
        .objectForKey('allowUSBRestrictedMode'))
    if ( pref1 == false ) {
        return("false")
    } else {
        return("true")
    }
}
EOS

If the result is not "true", this is a finding.

Fix

Configure the macOS system to authorize USB devices before allowing connection by installing the "com.apple.applicationaccess" configuration profile.
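
The following is an added example, not part of the STIG text: a Python audit of an unsigned configuration profile before deployment, confirming that its "com.apple.applicationaccess" payload sets allowUSBRestrictedMode. It assumes the fix profile sets the key to true, consistent with the check expecting "true"; the profile identifiers, UUIDs and function names are constructed placeholders.

```python
import plistlib

APPLICATION_ACCESS = "com.apple.applicationaccess"
KEY = "allowUSBRestrictedMode"


def build_profile(value):
    """Build a constructed sample .mobileconfig; value=None omits the key."""
    payload = {
        "PayloadType": APPLICATION_ACCESS,
        "PayloadIdentifier": "example.stig.applicationaccess",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
    }
    if value is not None:
        payload[KEY] = value
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.stig.profile",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # XML plist bytes, as stored in a .mobileconfig


def audit_profile(data):
    """Return (status, detail) for the USB restricted mode setting in a profile."""
    profile = plistlib.loads(data)
    values = [
        p.get(KEY)
        for p in profile.get("PayloadContent", [])
        if isinstance(p, dict) and p.get("PayloadType") == APPLICATION_ACCESS
    ]
    if any(v is False for v in values):
        return "finding", f"{KEY} is explicitly false"
    if any(v is True for v in values):
        return "enforced", f"profile sets {KEY} to true"
    # The check script returns "false" only when the value equals false,
    # so an unset key passes the check without the profile enforcing anything.
    return "not-enforced", f"profile does not set {KEY}"


if __name__ == "__main__":
    for sample in (True, False, None):
        print(sample, audit_profile(build_profile(sample)))
```

The "not-enforced" case is worth tracking separately: the check command reports "true" when the key is unset, so a passing check alone does not show that the profile is installed.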