STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The macOS system must be configured so that the su command requires smart card authentication.

DISA Rule

SV-209627r610285_rule

Vulnerability Number

V-209627

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AOSX-14-003051

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Make a backup of the PAM SU settings using the following command:
cp /etc/pam.d/su /etc/pam.d/su_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/login" with the following:

# su: auth account session
auth sufficient pam_smartcard.so
#auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

Check Contents

To verify that the "su" command has been configured to require smart card authentication, run the following command:

cat /etc/pam.d/su | grep -i pam_smartcard.so

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.

Vulnerability Number

V-209627

Documentable

False

Rule Version

AOSX-14-003051

Severity Override Guidance

To verify that the "su" command has been configured to require smart card authentication, run the following command:

cat /etc/pam.d/su | grep -i pam_smartcard.so

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.

Check Content Reference

M

Target Key

2930

Comments