usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
252852d3d24cff526b06a606a32d8529087900df
macos_security/rules/os/os_unlock_active_user_session_disable.yaml
Bob Gendler 8a6f58844d refactor[rule] Added warning 
Added warning about using os_unlock_active_user_session_disable with platformSSO.
2025-06-26 11:42:03 -04:00

76 lines
2.2 KiB
YAML
Raw Blame History

id: os_unlock_active_user_session_disable
title: Disable Login to Other User's Active and Locked Sessions
discussion: |
The ability to log in to another user's active or locked session _MUST_ be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. To restore the user experience and allow TouchID to unlock the screensaver, you can run `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`. This setting can also be deployed with a configuration profile.
WARNING: This rule may cause issues when platformSSO is configured.
check: |
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>$ODV</string>'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/security authorizationdb write system.login.screensaver "$ODV"
----
references:
cce:
- CCE-94322-5
cci:
- CCI-000764
- CCI-000770
- CCI-004045
800-53r5:
- IA-2
- IA-2(5)
800-53r4:
- IA-2
- IA-2(5)
disa_stig:
- APPL-15-000090
srg:
- SRG-OS-000109-GPOS-00056
- SRG-OS-000104-GPOS-00051
800-171r3:
- 03.05.01
cis:
benchmark:
- 5.7 (level 1)
controls v8:
- 4.3
cmmc:
- IA.L1-3.5.1
- IA.L1-3.5.2
macOS:
- '15.0'
odv:
hint: "Review the /System/Library/Security/authorization.plist file for more information."
recommended: "authenticate-session-owner"
cis_lvl1: "authenticate-session-owner"
cis_lvl2: "authenticate-session-owner"
stig: "authenticate-session-owner"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-171
- cis_lvl1
- cis_lvl2
- cisv8
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cmmc_lvl1
- stig
- cnssi-1253_moderate
severity: medium
mobileconfig: false
mobileconfig_info:
Reference in New Issue View Git Blame Copy Permalink