Detections
Analytics
2.6.8 Ensure an Administrator Password Is Required to Access System-Wide Preferences
Information
System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer.Rationale:
By requiring a password to unlock system-wide System Preferences, the risk of a user changing configurations that affect the entire system is mitigated and requires an admin user to re-authenticate to make changes.
Impact:
Users will need to enter their password to unlock some additional preference panes that are unlocked by default like Network, Startup and Printers & Scanners.
Solution
Graphical Method:Perform the following steps to verify that an administrator password is required to access system-wide preferences:
Open System Settings
Select Privacy & Security
Select Advanced
Set Require an administrator password to access system-wide settings to enabled
Terminal Method:
The authorizationdb settings cannot be written to directly, so the plist must be exported out to a temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings.
Run the following commands to enable that an administrator password is required to access system-wide preferences:
$ authDBs=('system.preferences' 'system.preferences.energysaver' 'system.preferences.network' 'system.preferences.printing' 'system.preferences.sharing' 'system.preferences.softwareupdate' 'system.preferences.startupdisk' 'system.preferences.timemachine')
for section in ${authDBs[@]}; do
/usr/bin/sudo /usr/bin/security -q authorizationdb read '$section' > '/tmp/$section.plist'
key_value=$(/usr/libexec/PlistBuddy -c 'Print :shared' '/tmp/$section.plist' 2>&1)
if [[ '$key_value' == *'Does Not Exist'* ]]; then
/usr/bin/sudo /usr/libexec/PlistBuddy -c 'Add :shared bool false' '/tmp/$section.plist'
else
/usr/bin/sudo /usr/libexec/PlistBuddy -c 'Set :shared false' '/tmp/$section.plist'
fi
/usr/bin/sudo /usr/bin/security -q authorizationdb write '$section' < '/tmp/$section.plist'
done
Note: Every audit and remediation incudes sudo before all commands. This is an exception because authdb is a variable and using sudo causes an error in the output.
See Also
Item Details
Audit Name: CIS Apple macOS 13.0 Ventura v2.0.0 L1
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Plugin: Unix
Control ID: 3bfe266af94413da01440fe258b213cf59f59f1cbb0e0eac0632894bb9fb8643