Dev sonoma issue344 (#365)

* fix[rule]: updated to support ODV

Added ODV values to retain legacy values until CIS updates.

Issue #344

* chore[rule]: added note about restoring UX

* chore[rule]: added full paths to commands

---------

Co-authored-by: Dan Brodjieski <daniel.brodjieski@nasa.gov>
Dan Brodjieski
2024-02-23 13:52:15 -05:00
committed by GitHub
parent f102dc9a6e
commit acf9665d80

@@ -3,17 +3,17 @@ title: Disable Login to Other User's Active and Locked Sessions
discussion: |
The ability to log in to another user's active or locked session _MUST_ be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
NOTE: Configuring this setting will disable TouchID from unlocking the screensaver.
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile.
check: |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>$ODV</string>'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
/usr/bin/security authorizationdb write system.login.screensaver "$ODV"
----
references:
cce:
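Review bot: the new check line `/usr/bin/grep -c '<string>$ODV</string>'` places the `$ODV` placeholder inside single quotes, so the shell will never expand it; the check is only correct if the build tooling substitutes `$ODV` textually before the script is generated, and if the string ever reached a shell unsubstituted, grep would search for the literal text `$ODV` and return 0, which reads as a failed check. Worth confirming that the generator substitutes inside single-quoted strings the same way it does for the double-quoted `"$ODV"` in the fix block, or switch the check to double quotes to match the fix for consistency. The NOTE's restore command (`/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`) is now fully pathed, which matches the rest of the rule.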
@@ -43,7 +43,13 @@ references:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- '14.0'
- "14.0"
odv:
hint: "Review the /System/Library/Security/authorization.plist file for more information."
recommended: "authenticate-session-owner"
cis_lvl1: "use-login-window-ui"
cis_lvl2: "use-login-window-ui"
stig: "authenticate-session-owner"
tags:
- 800-53r5_low
- 800-53r5_moderate
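Review bot: the odv block gives `cis_lvl1` and `cis_lvl2` the value `use-login-window-ui` while `recommended` and `stig` use `authenticate-session-owner`, and only the commit message explains that the CIS values are legacy values retained until CIS updates; nothing in the rule itself says so. Consider stating that in `hint` (which currently only points at /System/Library/Security/authorization.plist) so a reader of the generated baseline knows why the two values differ and that the CIS ones are expected to change. Related: the TouchID NOTE in the discussion is written for the `authenticate-session-owner` behaviour and should say whether it also applies when the ODV is `use-login-window-ui`. The `'14.0'` to `"14.0"` edit is a quoting change only and unrelated to the ODV work.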