STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The macOS system must be configured so that the sudo command requires smart card authentication.

DISA Rule

SV-209628r610285_rule

Vulnerability Number

V-209628

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AOSX-14-003052

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Make a backup of the PAM SUDO settings using the following command:
cp /etc/pam.d/login /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`

Replace the contents of "/etc/pam.d/login" with the following:

# sudo: auth account password session
auth sufficient pam_smartcard.so
#auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

Check Contents

To verify that the "sudo" command has been configured to require smart card authentication, run the following command:

cat /etc/pam.d/sudo | grep -i pam_smartcard.so

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.

Vulnerability Number

V-209628

Documentable

False

Rule Version

AOSX-14-003052

Severity Override Guidance

To verify that the "sudo" command has been configured to require smart card authentication, run the following command:

cat /etc/pam.d/sudo | grep -i pam_smartcard.so

If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.

Check Content Reference

M

Target Key

2930

Comments