mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-03-05 01:23:18 +00:00
69 lines
1.6 KiB
YAML
69 lines
1.6 KiB
YAML
id: auth_smartcard_enforce
|
|
title: "Enforce Smartcard Authentication"
|
|
discussion: |
|
|
Smartcard authentication _MUST_ be enforced.
|
|
|
|
The use of smartcard credentials facilitates standardization and reduces the risk of unauthorized access.
|
|
|
|
When enforceSmartCard is set to “true”, the smartcard must be used for login, authorization, and unlocking the screensaver.
|
|
|
|
CAUTION: enforceSmartCard will apply to the whole system. No users will be able to login with their password unless the profile is removed or a member of the NotEnforced group.
|
|
|
|
NOTE: enforceSmartcard requires allowSmartcard to be set to true in order to work.
|
|
check: |
|
|
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'enforceSmartCard = 1'
|
|
result:
|
|
integer: 1
|
|
fix: |
|
|
This is implemented by a Configuration Profile.
|
|
references:
|
|
cce:
|
|
- CCE-84727-7
|
|
cci:
|
|
- CCI-000187
|
|
- CCI-000765
|
|
- CCI-000766
|
|
- CCI-000767
|
|
- CCI-000768
|
|
- CCI-000877
|
|
- CCI-001948
|
|
800-53r4:
|
|
- IA-2
|
|
- IA-2(1)
|
|
- IA-2(2)
|
|
- IA-2(3)
|
|
- IA-2(4)
|
|
- IA-2(6)
|
|
- IA-2(11)
|
|
- IA-5(2)
|
|
srg:
|
|
- SRG-OS-000068-GPOS-00036
|
|
- SRG-OS-000105-GPOS-00052
|
|
- SRG-OS-000106-GPOS-00053
|
|
- SRG-OS-000107-GPOS-00054
|
|
- SRG-OS-000108-GPOS-00055
|
|
- SRG-OS-000125-GPOS-00065
|
|
- SRG-OS-000375-GPOS-00160
|
|
disa_stig:
|
|
- AOSX-14-003020
|
|
- AOSX-14-003024
|
|
- AOSX-14-003005
|
|
- AOSX-14-003025
|
|
800-171r2:
|
|
- 3.5.1
|
|
- 3.5.2
|
|
- 3.5.3
|
|
macOS:
|
|
- "10.15"
|
|
tags:
|
|
- 800-171
|
|
- cnssi-1253
|
|
- fisma-low
|
|
- fisma-moderate
|
|
- fisma-high
|
|
- STIG
|
|
mobileconfig: true
|
|
mobileconfig_info:
|
|
com.apple.security.smartcard:
|
|
enforceSmartCard: true
|