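id: os_unlock_active_user_session_disable
title: Disable Login to Other User's Active and Locked Sessions
# Rationale and caveats rendered into the guide (asciidoc markup: _MUST_, backticks).
# Block-scalar content must be indented under the key or the document does not parse.
discussion: |
  The ability to log in to another user's active or locked session _MUST_ be disabled.
  macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
  NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screensaver. A configuration profile will be generated to include the setting that restores the expected behavior. You can also apply the settings using `/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1`.
  WARNING: Do not apply this rule if your organization uses smartcards and Platform Single Sign-On (PSSO).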
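# Compliance check. Reads the rule name that system.login.screensaver delegates
# to and passes when it equals $ODV directly, or when that delegated rule's own
# "rule" array contains $ODV (the PSSO case). Anything else, including a failed
# read, leaves RESULT at FAIL.
check: |
  RESULT="FAIL"
  SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -)
  if [[ "${SS_RULE}" == "$ODV" ]]; then
    RESULT="PASS"
  else
    PSSO_CHECK=$(/usr/bin/security -q authorizationdb read "$SS_RULE" 2>&1 | /usr/bin/xmllint --xpath '//key[.="rule"]/following-sibling::array[1]/string/text()' -)
    if /usr/bin/grep -Fxq "$ODV" <<<"$PSSO_CHECK"; then
      RESULT="PASS"
    fi
  fi
  echo "$RESULT"
# Expected check output for a compliant system.
result:
  string: "PASS"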
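# Remediation. When the screensaver delegates to a PSSO rule, the psso-screensaver
# rule is copied into a custom rule with authenticate-session-owner-or-admin
# replaced by $ODV and the screensaver is pointed at that copy; otherwise $ODV
# is written to system.login.screensaver directly. The scratch plist uses an
# unpredictable mktemp name (created 0600) rather than a fixed path in the
# world-writable /tmp, and is removed once consumed.
fix: |
  [source,bash]
  ----
  SS_RULE=$(/usr/bin/security -q authorizationdb read system.login.screensaver 2>&1 | /usr/bin/xmllint --xpath "//dict/key[.='rule']/following-sibling::array[1]/string/text()" -)
  if [[ "$SS_RULE" == *psso* ]]; then
    # Private scratch file; a fixed /tmp name is writable by any local user.
    PSSO_PLIST=$(/usr/bin/mktemp /tmp/psso-screensaver-mscp.XXXXXX)
    /usr/bin/security -q authorizationdb read psso-screensaver > "$PSSO_PLIST"
    /usr/bin/sed -i '' 's/<string>authenticate-session-owner-or-admin<\/string>/<string>$ODV<\/string>/' "$PSSO_PLIST"
    /usr/bin/security -q authorizationdb write psso-screensaver-mscp < "$PSSO_PLIST"
    /bin/rm -f "$PSSO_PLIST"
    /usr/bin/security -q authorizationdb write system.login.screensaver psso-screensaver-mscp 2>&1
  else
    /usr/bin/security -q authorizationdb write system.login.screensaver "$ODV" 2>&1
  fi
  ----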
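# Control mappings. Identifiers that look numeric are quoted (as '26.0' already
# is) so YAML loads them as strings rather than floats.
references:
  cce:
    - CCE-95328-1
  cci:
    - CCI-000764
    - CCI-000770
    - CCI-004045
  800-53r5:
    - IA-2
    - IA-2(5)
  800-53r4:
    - IA-2
    - IA-2(5)
  disa_stig:
    - APPL-26-000090
  srg:
    - SRG-OS-000109-GPOS-00056
    - SRG-OS-000104-GPOS-00051
  800-171r3:
    - 03.05.01
  cis:
    benchmark:
      - 5.7 (level 1)
    controls v8:
      - '4.3'
  cmmc:
    - IA.L1-3.5.1
    - IA.L1-3.5.2
  macOS:
    - '26.0'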
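# Organization-defined value: the authorization rule name the check compares
# against and the fix writes. Every baseline here selects the same value.
odv:
  hint: "Review the /System/Library/Security/authorization.plist file for more information."
  recommended: "authenticate-session-owner"
  cis_lvl1: "authenticate-session-owner"
  cis_lvl2: "authenticate-session-owner"
  stig: "authenticate-session-owner"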
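# Baselines this rule is included in.
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cis_lvl1
  - cis_lvl2
  - cisv8
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
  - cmmc_lvl1
  - stig
  - cnssi-1253_moderate
severity: medium
# A configuration profile is generated alongside the rule: the authorizationdb
# change alone disables TouchID unlock of the screensaver (see discussion), and
# screenUnlockMode 1 restores the expected behavior.
mobileconfig: true
mobileconfig_info:
  com.apple.loginwindow:
    screenUnlockMode: 1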