Big Sur - Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command

Information

The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----

/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END

/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), CCE|CCE-85276-4, CCI|CCI-000366, STIG-ID|APPL-11-003052

Plugin: Unix

Control ID: 85d8b8bd0a8d66b5c12a6a0466ff5d97747d2ef59236752226d6e0b3cc058832