Monterey - Enforce Multifactor Authentication for the su Command

Information

The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/su will be automatically reverted to its original state following any update or major upgrade to the operating system, so this setting must be re-applied and re-checked afterwards.

Solution

[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END

# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
----
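As an added defender-side check (example code, not from the audit item or the macOS Security Compliance Project), the script below compares the full `auth` stack of a pam.d file against the stack the Solution writes, so an extra, missing or reordered auth module (for example after the post-update reversion noted above) is reported rather than only one missing line. The file path is an assumption passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original audit item or the mSCP project):
# compare the "auth" stack of a pam.d file with the stack required above.
# Comparing the whole stack, rather than grepping for one line, also catches
# an extra or reordered auth module, e.g. after an OS update restores the
# stock file as the NOTE above warns.

# Expected auth stack, copied from the Solution above, one entry per line,
# fields separated by single spaces.
EXPECTED_SU_AUTH='auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe'

# check_su_pam FILE -> returns 0 if FILE's auth stack matches, 1 otherwise.
check_su_pam() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    # Keep only auth lines; strip comments and collapse whitespace so that
    # tab- or space-aligned files compare equal to the single-space form.
    actual=$(grep -E '^[[:space:]]*auth[[:space:]]' "$file" \
        | sed -E 's/#.*$//; s/[[:space:]]+/ /g; s/^ //; s/ $//')
    if [ "$actual" = "$EXPECTED_SU_AUTH" ]; then
        echo "$file: su auth stack enforces multifactor authentication"
        return 0
    fi
    printf '%s: su auth stack differs from policy\n--- expected ---\n%s\n--- actual ---\n%s\n' \
        "$file" "$EXPECTED_SU_AUTH" "$actual" >&2
    return 1
}

# Audit the file given on the command line, e.g. ./check_su_pam.sh /etc/pam.d/su
if [ "$#" -gt 0 ]; then
    check_su_pam "$1"
fi
```

The exit status (0 compliant, 1 otherwise) makes the script usable from a scheduled job that re-checks the file after every OS update.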

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), CCE|CCE-90878-0, CCI|CCI-000366

Plugin: Unix

Control ID: 20e1a988f5dd67baf9ea18e18d923d5188951201a41c33fb470fcee1f5254adb