APPL-14-003052 - The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.

Information

The system must be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.

All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization, or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.

Note: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057

Solution

Configure the macOS system to enforce multifactor authentication for privilege escalation through the sudo command with the following commands:

/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END

/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(8), CAT|II, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, CCI|CCI-001941, CCI|CCI-004047, Rule-ID|SV-259549r1009602_rule, STIG-ID|APPL-14-003052, Vuln-ID|V-259549

Plugin: Unix

Control ID: bbf2cfbffced4156025a871a92349d3a27f5695a9e4bf5f4c17789f56ae864f2