Information
The system _MUST_ be configured such that, when the su command is used, multifactor authentication is enforced.
All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
NOTE: /etc/pam.d/su will be automatically modified to its original state following any update or major upgrade to the operating system.
Solution
[source,bash]
----
/bin/cat > /etc/pam.d/su << SU_END
# su: auth account password session
auth sufficient pam_smartcard.so
auth required pam_rootok.so
auth required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account required pam_permit.so
account required pam_opendirectory.so no_check_shell
password required pam_opendirectory.so
session required pam_launchd.so
SU_END
# Fix new file ownership and permissions
/bin/chmod 644 /etc/pam.d/su
/usr/sbin/chown root:wheel /etc/pam.d/su
----