STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The macOS system must be configured so that the login command requires smart card authentication.

DISA Rule

SV-209626r610285_rule

Vulnerability Number

V-209626

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AOSX-14-003050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Make a backup of the PAM LOGIN settings using the following command:
sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/login" with the following:

# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
auth required pam_deny.so
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so

Check Contents

To verify that the "login" command has been configured to require smart card authentication, run the following command:

# cat /etc/pam.d/login | grep -i pam_smartcard.so

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.
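
The grep above prints only matching lines, so it shows neither where the rule sits in the auth stack nor whether the line is commented out. The following added example (not part of the STIG text; the function names are hypothetical and the sample files are constructed) tests that the first active auth rule is "sufficient pam_smartcard.so":

```shell
#!/bin/sh
# Added example: evaluate a PAM service file against the check text above.

# Print "control module" of the first active auth rule in file $1.
# awk strips leading whitespace; lines such as "#auth ..." or "# auth ..."
# have a first field other than "auth", so commented-out rules are skipped.
# Module arguments (e.g. try_first_pass) are ignored.
first_auth_rule() {
    awk '$1 == "auth" { print $2, $3; exit }' "$1"
}

# Return 0 if compliant, 1 if a finding. Defaults to /etc/pam.d/login.
check_login_smartcard() {
    file=${1:-/etc/pam.d/login}
    if [ ! -r "$file" ]; then
        echo "FINDING: cannot read $file"
        return 1
    fi
    rule=$(first_auth_rule "$file")
    if [ "$rule" = "sufficient pam_smartcard.so" ]; then
        echo "OK: first auth rule is '$rule'"
        return 0
    fi
    echo "FINDING: first auth rule is '${rule:-none}'"
    return 1
}

# Constructed samples: all three would produce output from a bare
# grep for pam_smartcard.so, but only the first is compliant.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# login: auth account password session' \
        'auth sufficient pam_smartcard.so' \
        'auth required pam_opendirectory.so try_first_pass' \
        'auth required pam_deny.so' > "$dir/good"
    printf '%s\n' 'auth required pam_opendirectory.so try_first_pass' \
        'auth sufficient pam_smartcard.so' > "$dir/wrong_order"
    printf '%s\n' '#auth sufficient pam_smartcard.so' \
        'auth required pam_opendirectory.so' > "$dir/commented"
    for f in good wrong_order commented; do
        printf '%s: ' "$f"
        check_login_smartcard "$dir/$f" || true
    done
    rm -rf "$dir"
}

demo
```

Calling check_login_smartcard with no argument evaluates /etc/pam.d/login on the system being reviewed.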

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2930
