5.11 Disable ability to login to another user's active and locked session


OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.


Perform the following to implement the prescribed state: Run the following command in Terminal: sudo vi /etc/pam.d/screensaver Locate "account required pam_group.so no_warn group=admin,wheel fail_safe" Remove "admin," Save Impact: While Fast user switching is a workaround for some lab environments especially where there is even less of an expectation of privacy this setting change may impact some maintenance workflows

See Also


Item Details


References: 800-53|AC-10

Plugin: Unix

Control ID: 59bc0c49f8f852db562a55e1586645cf866223ea65c81dfcf7e5e87930a238a8