APPL-14-003050 - The macOS system must enforce multifactor authentication for logon.

Information

The system must be configured to enforce multifactor authentication.

All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.

Note: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057

Solution

Configure the macOS system to enforce multifactor authentication for login with the following commands:

/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END

/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(8), CAT|II, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, CCI|CCI-001941, CCI|CCI-004047, Rule-ID|SV-259547r1009600_rule, STIG-ID|APPL-14-003050, Vuln-ID|V-259547

Plugin: Unix

Control ID: ac29e8aed337d21d2d002f92435cb1bc942261267392519a69ba9287a94c2b8a