All users must use PKI authentication for login and privileged access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-67673 | AOSX-11-002055 | SV-82163r2_rule | Medium |
| Description |
|---|
| Password-based authentication has become a prime target for malicious actors. Multifactor authentication using PKI technologies mitigates most, if not all, risks associated with traditional password use. (Use of username and password for last-resort emergency access to a system for maintenance is acceptable, however.) |
| STIG | Date |
|---|---|
| Apple OS X 10.11 Security Technical Implementation Guide | 2018-01-04 |
Details
| Check Text ( C-68239r2_chk ) |
|---|
| Ask the SA or ISSO if an approved PKI authentication solution is implemented on the system for user logins and privileged access. If an account can log in to the system or gain privileged access without a smart card, and it is not an emergency account, this is a finding. |
| Fix Text (F-73787r1_fix) |
|---|
| Implement PKI authentication using approved third-party PKI tools, to integrate with an existing directory services infrastructure or local password database, where no directory services infrastructure exists. |