The macOS system must enforce multifactor authentication for logon.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259547	APPL-14-003050	SV-259547r986267_rule		Medium

Description
The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. Note: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057

Description

The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. Note: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057

STIG	Date
Apple macOS 14 (Sonoma) Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-63286r941261_chk )
Verify the macOS system is configured to enforce multifactor authentication for login with the following command: /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so\|auth\s+required\s+pam_deny.so)' /etc/pam.d/login If the result is not "2", this is a finding.

Fix Text (F-63194r941262_fix)
Configure the macOS system to enforce multifactor authentication for login with the following commands: /bin/cat > /etc/pam.d/login << LOGIN_END # login: auth account password session auth sufficient pam_smartcard.so auth optional pam_krb5.so use_kcminit auth optional pam_ntlm.so try_first_pass auth optional pam_mount.so try_first_pass auth required pam_opendirectory.so try_first_pass auth required pam_deny.so account required pam_nologin.so account required pam_opendirectory.so password required pam_opendirectory.so session required pam_launchd.so session required pam_uwtmp.so session optional pam_mount.so LOGIN_END /bin/chmod 644 /etc/pam.d/login /usr/sbin/chown root:wheel /etc/pam.d/login

Fix Text (F-63194r941262_fix)

Configure the macOS system to enforce multifactor authentication for login with the following commands:

/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END

/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login