macos_security
os_hibernate_mode_enable: remediation is not effective
Summary
os_hibernate_mode_enable: remediation is not effective
Steps to reproduce
On a fresh system, execute the compliance script generated from baseline (e.g. https://github.com/usnistgov/macos_security/blob/main/baselines/cis_lvl2.yaml) which includes this rule, and apply remediation with "3. Run Commands to remediate non-compliant settings". Run the "2. Run New Compliance Scan" again.
Operating System version
sw_vers
# Output:
# ProductName: macOS
# ProductVersion: 12.5.1
# BuildVersion: 21G83
What is the current bug behavior?
os_hibernate_mode_enable failed (Result: 3, Expected: {integer: 0})
The following commands do not appear to be effective
https://github.com/usnistgov/macos_security/blob/06cc0d2614da5b6f478b6f1ff45b059bb7c6aa5a/rules/os/os_hibernate_mode_enable.yaml#L28-L34
After their execution the following is reported by pmset:
/usr/bin/pmset -g
# Output:
# System-wide power settings:
# DestroyFVKeyOnStandby 1
# Currently in use:
# standby 1
# Sleep On Power Button 1
# hibernatefile /var/vm/sleepimage
# powernap 1
# disksleep 10
# sleep 1 (sleep prevented by powerd)
# hibernatemode 3
# ttyskeepawake 1
# displaysleep 2
# tcpkeepalive 1
# lowpowermode 0
See https://apple.stackexchange.com/questions/434372/cant-find-standbydelayhigh-and-standbydelaylow-on-macbook-pro-2021 for discussion.
The following line appears unused in the check
https://github.com/usnistgov/macos_security/blob/06cc0d2614da5b6f478b6f1ff45b059bb7c6aa5a/rules/os/os_hibernate_mode_enable.yaml#L12
I'm not sure if it should be removed, or covered by a check. See for example discussion at https://www.techrepublic.com/article/how-to-ensure-the-integrity-of-your-encrypted-drive-while-its-hibernating-in-macos/
What is the expected correct behavior?
os_hibernate_mode_enable passed (Result: 0, Expected: {integer: 0})
or another "passed" check output as needed.
Relevant logs and/or screenshots
Output of checks
# os_hibernate_mode_enable failed (Result: 3, Expected: {integer: 0})
Possible fixes
Unknown
Is this an Apple Silicon Mac or Intel?
I believe what you're running into is fixed on the OS branches https://github.com/usnistgov/macos_security/blob/monterey/rules/os/os_hibernate_mode_enable.yaml
Check out the OS branches for the most up to date.
As @robertgendler mentioned, we are recommending those settings for Intel machines only. For Apple Silicon we have these settings:
$ sudo pmset -a standby <value≤900>
$ sudo pmset -a destroyfvkeyonstandby 1
$ sudo pmset -a hibernatemode 25
Also, hibernatemode 25 is not included, which is what sets the proper hibernate mode we require.
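Added example, not part of the thread or the project's own check: a POSIX shell sketch that evaluates captured `pmset -g` output against the two fixed Apple Silicon values quoted above, matching keys exactly so that `standby` is not confused with `DestroyFVKeyOnStandby`. The function names are hypothetical, the sample is a subset of the output in the report, and the `standby` limit is left out because the thread gives it only as a placeholder.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from macos_security.

# Sample input: a subset of the `pmset -g` output quoted in the issue report.
SAMPLE_PMSET='System-wide power settings:
 DestroyFVKeyOnStandby 1
Currently in use:
 standby 1
 hibernatefile /var/vm/sleepimage
 sleep 1 (sleep prevented by powerd)
 hibernatemode 3
 lowpowermode 0'

# pmset_value KEY TEXT: print the value for KEY.
# The key is compared as a whole field, case-insensitively, so "standby"
# does not match "DestroyFVKeyOnStandby" the way a plain grep would.
pmset_value() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_hibernate TEXT: print one line per setting; the return code is the
# number of settings that differ from the Apple Silicon values in the thread.
check_hibernate() {
    failures=0
    for pair in hibernatemode=25 destroyfvkeyonstandby=1; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(pmset_value "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=${got:-unset} (expected $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# On a Mac, pass live output instead: check_hibernate "$(/usr/bin/pmset -g)"
check_hibernate "$SAMPLE_PMSET" || echo "non-compliant settings: $?"
```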
Thanks, it's Apple Silicon M1. It was not clear to me how branches are used, but I got an answer in https://github.com/usnistgov/macos_security/issues/132#issuecomment-1230282160. Following this I have some suggestions:
- first-time users may find it helpful if there is a pinned issue that describes the branching strategy and approximate timelines of the releases,
- the issue template section "Operating System version" could suggest a command line: sw_vers && system_profiler SPHardwareDataType | grep "Chip:". I'm not sure how portable this is.
Good idea with the issue template update. We made that a long long time ago. So I think we should update that.
Issue template updated!