The macOS system must enforce multifactor authentication for login.
An XCCDF Rule
Description
<VulnDiscussion>The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access. NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000705-GPOS-00150</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-268544r1034572_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the macOS system to enforce multifactor authentication for login with the following commands:
/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit