Detections
Analytics
AOSX-15-003051 - The macOS system must be configured so that the su command requires smart card authentication.
Information
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Solution
Make a backup of the PAM SU settings using the following:cp /etc/pam.d/su /etc/pam.d/su_backup_'date '+%Y-%m-%d_%H:%M''
Replace the contents of '/etc/pam.d/su' with the following:
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R10_STIG.zip
Item Details
Audit Name: DISA STIG Apple Mac OSX 10.15 v1r10
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-225214r610901_rule, STIG-ID|AOSX-15-003051, STIG-Legacy|SV-111809, STIG-Legacy|V-102847, Vuln-ID|V-225214
Plugin: Unix
Control ID: d5ddf069a80cfca6a2b8ff9cceb58f6f72c533d5cf744b1cfecb2e3c018d31c4