Big Sur - Require Devices to Reauthenticate when Changing Authenticators

Information

The macOS should be configured to require users to reauthenticate when the device authenticator is changed.

Without reauthentication, users may access resources or perform tasks for which they are not authorization. When operating systems provide the capability to change device authenticators, it is critical the device reauthenticate.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-11, CCE|CCE-85366-3, CCI|CCI-002039

Plugin: Unix

Control ID: ac06bf43e19011a1b61eaa29798aab55871fe23e9c06a6fc2cc709ff2cb3999d