1.126 APPL-14-003050

Information

The macOS system must enforce multifactor authentication for logon.

GROUP ID: V-259547RULE ID: SV-259547r1009600

The system must be configured to enforce multifactor authentication.

All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.

Note: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057

Solution

Configure the macOS system to enforce multifactor authentication for login with the following commands:

/bin/cat > /etc/pam.d/login << LOGIN_END

login: auth account password session

auth sufficient pam_smartcard.soauth optional pam_krb5.so use_kcminitauth optional pam_ntlm.so try_first_passauth optional pam_mount.so try_first_passauth required pam_opendirectory.so try_first_passauth required pam_deny.soaccount required pam_nologin.soaccount required pam_opendirectory.sopassword required pam_opendirectory.sosession required pam_launchd.sosession required pam_uwtmp.sosession optional pam_mount.soLOGIN_END

/bin/chmod 644 /etc/pam.d/login/usr/sbin/chown root:wheel /etc/pam.d/login

Item Details

Audit Name: CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II

Category: IDENTIFICATION AND AUTHENTICATION

Plugin: Unix

Control ID: da819fab5760517519caeb0da79f8174c63f8db9a1fb9658fff190424bcee441

Detections

Analytics

1.126 APPL-14-003050

Information

Solution

See Also

Item Details