macOS 15 - Sequoia

The macOS system must enforce multifactor authentication for login

Description

The system must be configured to enforce multifactor authentication. All users must go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

IMPORTANT: Modification of Pluggable Authentication Modules (PAM) now requires user authorization or use of a Privacy Preferences Policy Control (PPPC) profile from MDM that authorizes modifying system administrator files or full disk access.

NOTE: /etc/pam.d/login will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000705-GPOS-00150

Check

C-268544r1034572_chk

Verify the macOS system is configured to enforce multifactor authentication for login with the following command:

/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login

If the result is not "2", this is a finding.

Fix

F-72475r1034571_fix

Configure the macOS system to enforce multifactor authentication for login with the following commands:

/bin/cat > /etc/pam.d/login << LOGIN_END
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
LOGIN_END
/bin/chmod 644 /etc/pam.d/login
/usr/sbin/chown root:wheel /etc/pam.d/login
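The following script is an added example and is not part of the STIG text or of any Apple tooling. It wraps the Check's grep count in a function, then goes one step beyond the STIG check by also confirming that the "auth sufficient pam_smartcard.so" line comes before the "auth required pam_deny.so" line, since a stack with both lines present but in the wrong order would pass the count of "2" while still denying every login. The function names (count_mfa_lines, mfa_lines_ordered, audit_pam_login), the variable names, and the three sample PAM files written to a temporary directory are all constructed for this example; [[:space:]] is used as the POSIX equivalent of the \s in the STIG regex so the script also runs on non-GNU grep.

```shell
# Count the two lines the STIG check looks for in the given PAM file.
# grep -c prints "0" and exits 1 when nothing matches, so callers use "|| true".
count_mfa_lines() {
    grep -Ec '^(auth[[:space:]]+sufficient[[:space:]]+pam_smartcard\.so|auth[[:space:]]+required[[:space:]]+pam_deny\.so)' "$1"
}

# Beyond the STIG count (an assumption of this example, not part of the check):
# the smart card line must precede the deny line, otherwise pam_deny ends the
# auth stack before pam_smartcard ever runs.
mfa_lines_ordered() {
    sc=$(grep -En '^auth[[:space:]]+sufficient[[:space:]]+pam_smartcard\.so' "$1" | head -n1 | cut -d: -f1)
    dn=$(grep -En '^auth[[:space:]]+required[[:space:]]+pam_deny\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$sc" ] && [ -n "$dn" ] && [ "$sc" -lt "$dn" ]
}

# Audit one file: returns 0 (PASS) only when both lines exist and are ordered.
audit_pam_login() {
    n=$(count_mfa_lines "$1" || true)
    if [ "${n:-0}" -eq 2 ] && mfa_lines_ordered "$1"; then
        echo "PASS: $1"
        return 0
    fi
    echo "FINDING: $1 (matched ${n:-0} of 2 required lines)"
    return 1
}

# Constructed sample files for demonstration (run against /etc/pam.d/login on a real host).
WORK=$(mktemp -d)
PAM_COMPLIANT="$WORK/login.compliant"
PAM_NONCOMPLIANT="$WORK/login.noncompliant"
PAM_MISORDERED="$WORK/login.misordered"

# Sample 1: the stack the STIG fix writes.
cat > "$PAM_COMPLIANT" << 'LOGIN_END'
# login: auth account password session
auth       sufficient     pam_smartcard.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_deny.so
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
LOGIN_END

# Sample 2: a password-only stack with neither required line.
cat > "$PAM_NONCOMPLIANT" << 'LOGIN_END'
# login: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
session    required       pam_launchd.so
LOGIN_END

# Sample 3: both lines present (count is 2) but pam_deny precedes pam_smartcard.
cat > "$PAM_MISORDERED" << 'LOGIN_END'
# login: auth account password session
auth       required       pam_deny.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
session    required       pam_launchd.so
LOGIN_END

audit_pam_login "$PAM_COMPLIANT"
audit_pam_login "$PAM_NONCOMPLIANT" || true
audit_pam_login "$PAM_MISORDERED" || true
```

Run as a non-root user against the constructed samples it prints one PASS and two FINDING lines; pointing audit_pam_login at /etc/pam.d/login reproduces the STIG check plus the ordering check.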