← Back to Apple macOS 15 (Sequoia) Security Technical Implementation Guide

V-268565

CAT II (Medium)

The macOS system must enable Authenticated Root.

Rule ID

SV-268565r1137691_rule

STIG

Apple macOS 15 (Sequoia) Security Technical Implementation Guide

Version

V1R7

CCIs

CCI-000213

Discussion

Authenticated Root must be enabled. When Authenticated Root is enabled, the macOS is booted from a signed volume that is cryptographically protected to prevent tampering with the system volume. NOTE: Authenticated Root is enabled by default on macOS systems. WARNING: If more than one partition with macOS is detected, the csrutil command will hang awaiting input.

Check Content

Verify the macOS system is configured to enable authenticated root with the following command:

/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"

If the result is not "1", this is a finding.

Fix Text

Configure the macOS system to enable authenticated root with the following command:

/usr/bin/csrutil authenticated-root enable

NOTE: To reenable "Authenticated Root", boot the affected system into "Recovery" mode, launch "Terminal" from the "Utilities" menu, and run the command.