Channel: LANDESK User Community : Popular Discussions - Patch Manager

Macintosh FileVault 2 detection


I thought I would share a Custom Definition I created that identifies Mac OS X systems for which FileVault 2 is NOT enabled. I named it "MAC-FileVault2_Disabled_DetectOnly" for clarity. I chose "Mac OS X" and "Mac OS X Server" as the Affected Platforms. Perhaps I could also use an "Affected Product" to limit the search to OS X "Lion" or later, but as we don't deploy anything older (and LDMS hasn't supported earlier versions for some time now), we're pretty safe to assume that anything out there will have FV2 instead of the original FV.

 

The single Detection Rule, which I call "FileVault 2 Disabled" is a Custom Script:

 

#!/bin/bash
#ISMAC=TRUE
#set -x

# 1 = FileVault 2 is off (definition detected), 0 = not detected
declare -i detected=0
Reason="FileVault is Off."
Expected="FileVault is On."
Found="Filevault is disabled."

# Capture the full output of fdesetup status
fdesetupstatus=`/usr/bin/fdesetup status`

# Detect only when the output is exactly the "Off" message
if [ "$fdesetupstatus" == "$Reason" ]; then
  detected=1
fi

echo "Detected:$detected"

# Report the details only when the definition is detected
if [ "$detected" == "1" ]; then
  echo "Reason:$Reason"
  echo "Expected:$Expected"
  echo "Found: $Found"
fi

exit 0

 

It's basically just looking at the output of /usr/bin/fdesetup status, and if it finds "FileVault is Off.", it reports that the vulnerability is detected.
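The comparison in the script above matches only when the output is exactly "FileVault is Off.", so output with extra lines or an empty result is reported as not detected. The following is an added example, not part of the original post, that classifies on the first line and fails closed; the function names, the sample text, and the choice to treat an in-progress encryption as compliant are assumptions.

```shell
#!/bin/bash
# Added example (not the poster's script): classify fdesetup output by its
# first line so extra lines and unexpected states are not silently treated
# as "encrypted". Function names here are hypothetical.

# Map raw `fdesetup status` text to: on, off, encrypting, decrypting, unknown
classify_fv_status() {
  local first_line
  first_line=$(printf '%s\n' "$1" | head -n 1)
  case "$first_line" in
    "FileVault is On."*)        echo "on" ;;
    "FileVault is Off."*)       echo "off" ;;
    "Encryption in progress"*)  echo "encrypting" ;;
    "Decryption in progress"*)  echo "decrypting" ;;
    *)                          echo "unknown" ;;
  esac
}

# Print the Detected/Reason/Expected/Found lines used by the script above.
# Assumption: only "on" and "encrypting" count as compliant; everything
# else, including empty or unrecognised output, is reported as detected.
fv_report() {
  local state detected=1
  state=$(classify_fv_status "$1")
  case "$state" in
    on|encrypting) detected=0 ;;
  esac
  echo "Detected:$detected"
  if [ "$detected" -eq 1 ]; then
    echo "Reason:FileVault state is '$state'."
    echo "Expected:FileVault is On."
    echo "Found:$(printf '%s\n' "$1" | head -n 1)"
  fi
}

# Constructed sample: "Off" followed by a second line, which an exact
# whole-string comparison would not match.
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'alice'."

# On a Mac, evaluate the live status; elsewhere nothing runs.
if [ -x /usr/bin/fdesetup ]; then
  fv_report "$(/usr/bin/fdesetup status 2>/dev/null)"
fi
```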

