STIGQter: STIG Summary: Apple OS X 10.15 (Catalina) Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 23 Apr 2021:

The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

DISA Rule

SV-225212r610901_rule

Vulnerability Number

V-225212

Group Title

SRG-OS-000105-GPOS-00052

Rule Version

AOSX-15-003020

Severity

CAT I

CCI(s)

• CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
• CCI-000877 - The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
• CCI-000765 - The information system implements multifactor authentication for network access to privileged accounts.
• CCI-000766 - The information system implements multifactor authentication for network access to non-privileged accounts.
• CCI-000767 - The information system implements multifactor authentication for local access to privileged accounts.
• CCI-000768 - The information system implements multifactor authentication for local access to non-privileged accounts.
• CCI-001948 - The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Weight

10

Fix Recommendation

For non-directory-bound systems, this setting is enforced using the "Smart Card Policy" configuration profile.

Note: Before applying the "Smart Card Policy", consult the supplemental guidance provided with the STIG to ensure continued access to the operating system.

The following commands must be run to disable passcode based authentication for SSHD:
/usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
/usr/bin/sudo /usr/bin/sed -i.bak 's/^[\#]*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

Check Contents

To verify that the system is configured to enforce multifactor authentication, run the following commands:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep enforceSmartCard

If the results do not show the following, this is a finding:

"enforceSmartCard=1.

Run the following command to disable password based authentication in SSHD:

/usr/bin/grep -e ^[\#]*PasswordAuthentication.* -e ^[\#]*ChallengeResponseAuthentication.* /etc/ssh/sshd_config

If this command returns null, or anything other than exactly the following text, with no leading hash(#), this is a finding:

"PasswordAuthentication no
ChallengeResponseAuthentication no"

Vulnerability Number

V-225212

Documentable

False

Rule Version

AOSX-15-003020

Severity Override Guidance

To verify that the system is configured to enforce multifactor authentication, run the following commands:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep enforceSmartCard

If the results do not show the following, this is a finding:

"enforceSmartCard=1.

Run the following command to disable password based authentication in SSHD:

/usr/bin/grep -e ^[\#]*PasswordAuthentication.* -e ^[\#]*ChallengeResponseAuthentication.* /etc/ssh/sshd_config

If this command returns null, or anything other than exactly the following text, with no leading hash(#), this is a finding:

"PasswordAuthentication no
ChallengeResponseAuthentication no"

Check Content Reference

M

Target Key

4212

Comments