Big Sur - Enforce Multifactor Authentication for Login

Information

The system _MUST_ be configured to enforce multifactor authentication.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END


/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(8), 800-53|IA-5(11), CCE|CCE-85274-9, CCI|CCI-000366, STIG-ID|APPL-11-003050

Plugin: Unix

Control ID: 9de51462ab0a6aee290b64a23217c28596dcdf00b13e510239aac80f85f41738