False negative with V-268546 - The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. #47

Closed
opened 2026-01-19 18:29:02 +00:00 by michael · 4 comments

Originally created by @vanderpol on GitHub.

Originally assigned to: @robertgendler on GitHub.

Summary

When scanning a clean macOS 15 system with no configuration, the check passes because /etc/pam.d/sudo contains 'auth sufficient pam_smartcard.so'; however, the system is not configured to use smart cards, so this check should fail.

Steps to reproduce

Scan a clean install of macOS 15 with content downloaded on 07/01/2025

Operating System version

macOS 15

Intel or Apple Silicon

Apple Silicon Mac

What is the current bug behavior?

pass

What is the expected correct behavior?

fail

Relevant logs and/or screenshots


Output of checks

Note: tst/obj/state ID's are changed from NIST content, as part of the DISA STIG conversion, so ignore ID numbers

Test ID: oval:mscp:tst:11201 (textfilecontent54_test)
Result: true
Title: auth_pam_sudo_smartcard_enforce_recommended_test
Check Existence: All collected items must exist.
Check: Result is based on check existence only.
Object ID: oval:mscp:obj:11201 (textfilecontent54_object)
Object Comment: auth_pam_sudo_smartcard_enforce_recommended_object
Object Requirements:
filepath must be equal to '/etc/pam.d/sudo'
pattern must match the pattern '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)'
instance must be equal to '1'
Collected Item/State Result:
[ exists ]
filepath equals '/etc/pam.d/sudo'
path equals '/etc/pam.d'
filename equals 'sudo'
pattern equals '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)'
instance equals '1'
text equals 'auth sufficient pam_smartcard.so'
subexpression equals 'auth sufficient pam_smartcard.so'

Possible fixes

Seems like this check may need to be ANDed to another check that mandates smart card usage?


@robertgendler commented on GitHub:

Sooo I see the "issue"

In the yaml we're looking for /usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo and the count of 2.

But when converted to OVAL it's just picking up the OR in there. I THINK. And so it says part of it matches, we're good. I'll have to noodle over how to fix it.

We want both auth sufficient pam_smartcard.so AND auth required pam_deny.so in there.

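The false negative in the OVAL output above and the grep count described in this comment, reproduced as an added example (not code from the macos_security project): the same alternation pattern is run three ways over two constructed /etc/pam.d/sudo files, one default-style file with only the smart card line and one with both lines, to show why an existence-only test passes where a count of 2 or an explicit AND fails.

```python
import re

# Pattern copied verbatim from the OVAL object / YAML grep in the issue.
PATTERN = re.compile(
    r'^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)'
)

# Constructed sample: default-style sudo PAM stack with the smart card line
# but no 'auth required pam_deny.so' (the reported false-negative case).
UNCONFIGURED_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

# Constructed sample: both auth lines present, so smart card is enforced.
ENFORCED_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""


def matching_lines(content: str) -> list[str]:
    """Lines the alternation matches, as 'grep -E' would report them.
    The 'password required pam_deny.so' line is not counted: the pattern
    is anchored on 'auth'."""
    return [line for line in content.splitlines() if PATTERN.match(line)]


def oval_existence_check(content: str) -> bool:
    """Mirrors the OVAL textfilecontent54 test: instance 1 need only exist."""
    return len(matching_lines(content)) >= 1


def grep_count_check(content: str) -> bool:
    """Mirrors the YAML check: 'grep -Ec ...' must return exactly 2."""
    return len(matching_lines(content)) == 2


def anded_check(content: str) -> bool:
    """Each branch must match independently; two copies of one line
    cannot satisfy it (the dot is escaped here, unlike the page's pattern)."""
    lines = content.splitlines()
    smartcard = any(re.match(r'^auth\s+sufficient\s+pam_smartcard\.so', l) for l in lines)
    deny = any(re.match(r'^auth\s+required\s+pam_deny\.so', l) for l in lines)
    return smartcard and deny
```

Against the unconfigured sample only the existence test reports a pass, which is the result shown in the issue's OVAL output.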

@vanderpol commented on GitHub:

Just checking to see if this was able to be resolved for the next release?


@robertgendler commented on GitHub:

YES! Need to push the dev branch with the generate_scap script.


@robertgendler commented on GitHub:

Resolved with updated oval 5.12 checks

Reference: usnistgov/macos_security#47