SV-225215r610901_rule
V-225215
SRG-OS-000480-GPOS-00227
AOSX-15-003052
CAT II
10
Make a backup of the PAM SUDO settings using the following command:
cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`
Replace the contents of "/etc/pam.d/sudo" with the following:
# sudo: auth account password session
auth sufficient pam_smartcard.so
#auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
For systems that are not utilizing smart card authentication, this is Not Applicable.
To verify that the "sudo" command has been configured to require smart card authentication, run the following command:
cat /etc/pam.d/sudo | grep -i pam_smartcard.so
If the output does not include the line "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.
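The grep above prints only matching lines, so it cannot show where the smart card rule sits or which other auth rules are active. The script below is an added example, not part of the STIG; it checks both against the fix text. The helper names check_sudo_pam and write_sample, the exit status 2 (a stricter comparison than the check text asks for) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG. check_sudo_pam and write_sample are
# hypothetical helper names; /etc/pam.d/sudo is the path named in the rule.

# Exit status: 0 = matches the fix text, 1 = finding per the check text
# (smart card rule is not the first active auth rule), 2 = smart card rule is
# first but the other active auth rules differ from the fix text (assumption).
check_sudo_pam() {
    file="${1:-/etc/pam.d/sudo}"
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # Active auth rules only: "#auth ..." and comment lines have $1 != "auth".
    rules=$(awk '$1 == "auth" { print $2, $3 }' "$file")
    first=$(printf '%s\n' "$rules" | sed -n '1p')
    expected=$(printf '%s\n' "sufficient pam_smartcard.so" "required pam_deny.so")
    if [ "$first" != "sufficient pam_smartcard.so" ]; then
        echo "finding: first active auth rule is '${first:-none}'"
        return 1
    elif [ "$rules" != "$expected" ]; then
        echo "review: active auth rules differ from the fix text:"
        printf '%s\n' "$rules"
        return 2
    fi
    echo "ok: active auth rules match the fix text"
}

# Constructed sample: the file contents from the fix text, written to path $1.
write_sample() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth sufficient pam_smartcard.so
#auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/fixed"
# Constructed variants: pam_opendirectory.so active with no pam_deny.so auth
# rule, and a file with the smart card rule removed.
sed 's/^#auth/auth/; /^auth required pam_deny/d' "$tmp/fixed" > "$tmp/password_rule"
grep -v pam_smartcard "$tmp/fixed" > "$tmp/no_smartcard"
for f in fixed password_rule no_smartcard; do
    printf '%s: ' "$f"; check_sudo_pam "$tmp/$f" || true
done
```

Run with no argument, check_sudo_pam reads /etc/pam.d/sudo. The password_rule sample returns 2 even though the grep from the check text would print the smart card line for it.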
V-225215
False
AOSX-15-003052
M
4212