SV-230841r599842_rule
V-230841
SRG-OS-000480-GPOS-00227
APPL-11-003052
CAT II
10
Make a backup of the PAM SUDO settings using the following command:
cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`
Replace the contents of "/etc/pam.d/sudo" with the following:
# sudo: auth account password session
auth sufficient pam_smartcard.so
#auth required pam_opendirectory.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
For systems that are not utilizing smart card authentication, this is Not Applicable.
To verify that the "sudo" command has been configured to require smart card authentication, run the following command:
cat /etc/pam.d/sudo | grep -i pam_smartcard.so
If the text that returns does not include the line, "auth sufficient pam_smartcard.so" at the TOP of the listing, this is a finding.
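The grep command above matches the smart card line wherever it appears, while the finding condition depends on it being at the top. The following is an added example, not part of the STIG text, that tests the position directly and also confirms the pam_opendirectory.so auth line remains commented out as in the fix content; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: positional check of a PAM sudo file.
# first_active_line and check_sudo_pam are hypothetical helper names.

# Print the first active (non-blank, non-comment) line with its fields
# normalised to single spaces.
first_active_line() {
    awk 'NF == 0 { next } $1 ~ /^#/ { next } { $1 = $1; print; exit }' "$1"
}

# Return 0 when compliant, 1 on a finding, 2 if the file cannot be read.
check_sudo_pam() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    first=$(first_active_line "$file")
    if [ "$first" != "auth sufficient pam_smartcard.so" ]; then
        echo "FINDING: first active line is '$first'"
        return 1
    fi

    # Extra check taken from the fix content: the pam_opendirectory.so
    # auth line must stay commented out.
    if awk '$1 == "auth" && /pam_opendirectory\.so/ { found = 1 }
            END { exit !found }' "$file"; then
        echo "FINDING: active pam_opendirectory.so auth line"
        return 1
    fi

    echo "OK: $file"
    return 0
}

# Constructed sample: the smart card line is present but not first, so a
# plain grep would match while the positional check reports a finding.
sample=$(mktemp)
printf '%s\n' \
    '# sudo: auth account password session' \
    'auth       required       pam_opendirectory.so' \
    'auth       sufficient     pam_smartcard.so' \
    'auth       required       pam_deny.so' > "$sample"
check_sudo_pam "$sample" || true
rm -f "$sample"
```

On a managed system, call check_sudo_pam /etc/pam.d/sudo and treat a non-zero return as a finding.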
False
M
5246