Monterey - Enforce Multifactor Authentication for Login

Information

The system _MUST_ be configured to enforce multifactor authentication.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
LOGIN_END


/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(8), CCE|CCE-90877-2, CCI|CCI-000366

Plugin: Unix

Control ID: 755fb84711da74afbf2d613ebebc123a89be3db85d22317fae0db28f8ba5875f