Big Sur - Enforce Multifactor Authentication for the su Command

Information

The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END

# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), CCE|CCE-85275-6, CCI|CCI-000366, STIG-ID|APPL-11-003051

Plugin: Unix

Control ID: 6a3bbe762059b6b5eaac7028a3e81d47298b1f1e9f432aaf4e674dba93531d6c