An Extensible Firmware Interface (EFI) password must be used.

From MAC OSX 10.6 Workstation Security Technical Implementation Guide

Part of OSX00095-Require an Open Firmware or EFI password

Associated with IA controls: ECSC-1

SV-38510r1_rule An Extensible Firmware Interface (EFI) password must be used.

Vulnerability discussion

When a computer starts up, it first starts the Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode. Not setting a password for EFI is a possible point of intrusion. Protecting it from unauthorized access can prevent attackers from gaining access to a computer.

Check content

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Verify that "Require password to start this computer from another source" is selected. If not, this is a finding.

Fix text

Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/). Click New. Select "Require password to start this computer from another source". In the Password and Verify fields, enter a new EFI password and click OK. Close the Firmware Password Utility.
