Monterey - Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command

Information

The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----

/bin/cat > /etc/pam.d/sudo << SUDO_END
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
SUDO_END

/bin/chmod 444 /etc/pam.d/sudo
/usr/sbin/chown root:wheel /etc/pam.d/sudo
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), CCE|CCE-90879-8, CCI|CCI-000366

Plugin: Unix

Control ID: 59a7879f8bc4a0162da306255ec9a1d38f554b8348ed1f7b99b5f7e77bcbb9d2