APPL-14-000090 - The macOS system must disable logon to other user's active and locked sessions.

Information

The ability to log in to another user's active or locked session must be disabled.

macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Note: Configuring this setting will disable TouchID from unlocking the screensaver.

Solution

Configure the macOS system to disable login to other user's active and locked sessions with the following command:

/usr/bin/security authorizationdb write system.login.screensaver 'authenticate-session-owner'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CAT|II, CCI|CCI-000764, CCI|CCI-004045, Rule-ID|SV-259443r986249_rule, STIG-ID|APPL-14-000090, Vuln-ID|V-259443

Plugin: Unix

Control ID: 7ec9a04e27ff417c45ffa081531be72f42d5511ccccae065f08a01f8fe8c7f02