Detections
Analytics

5.11 Ensure system is set to hibernate

Information

In order to use a computer with Full Disk Encryption (FDE) macOS must keep encryption keys in memory to allow the use of the disk that has been FileVault protected. The storage volume has been unlocked and acts as if it was not encrypted. When the system is not in use the volume is protected through encryption. When the system is sleeping and available to quickly resume the encryption keys remain in memory.

If an unauthorized party has possession of the computer and the computer is only slept there are known attack vectors that can be attempted against the RAM that has the encryption keys or the running operating system that is protected by a login screen. Network attacks if network interfaces are on as well as USB or other open device ports are possible. Most of these attacks require knowledge of unpatched vulnerabilities or a high level of sophistication if all the other controls function as intended.

There is little impact on hibernating the system rather than sleeping after an appropriate time period to remediate the risk of OS level attacks. Hibernation writes the keys to desk and requires FileVault to be unlocked prior to the OS being available. In the case of unauthorized personnel with access to the computer encryption would have to be broken prior to attacking the operating system in order to recover data from the system.

https://www.helpnetsecurity.com/2018/08/20/laptop-sleep-security/

Mac systems should be set to hibernate after sleeping for a risk acceptable time period. The default value for 'standbydelay' is three hours (10800 seconds). This value is likely appropriate for most Desktops. If Mac desktops are deployed in unmonitored less physically secure areas with confidential data this value might be adjusted. The desktop or would have to retain power so that the running OS or physical RAM could be attacked however.

MacBooks should be set so that the standbydelay is 15 minutes (900 seconds) or less. This setting should allow laptop users in most cases to stay within physically secured areas while going to a conference room, auditorium or other internal location without having to unlock the encryption. When the user goes home at night the laptop will auto-hibernate after 15 minutes and require the FileVault password to unlock prior to logging back in to system when it resumes.

Rationale:

To mitigate the risk of data loss the system should power down and lock the encrypted drive after a specified time. Laptops should hibernate 15 minutes or less after sleeping.

Impact:

The laptop will take additional time to resume normal operation then if only sleeping rather than hibernating

Solution

Perform the following to configure laptops as prescribed:

Run the following command in Terminal:

sudo pmset -a standbydelay 900

Additional Information:

There are several good references to the concerns about ensuring hibernation rather than sleep is in place. A selection below:

http://mattwashchuk.com/articles/2016/01/08/maximizing-filevault-security

https://www.zdziarski.com/blog/?p=6705

https://www.howtogeek.com/260478/how-to-choose-when-your-mac-hibernates-or-enters-standby/

https://www.lifewire.com/change-mac-sleep-settings-2260804

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., 800-53|CM-8

Plugin: Unix

Control ID: 552033d65fbe873940c70dc6dce52cb96bbb693891ed1eed6b35fc93d1209964