Title

The macOS system must enforce smart card authentication. (Cat II impact)

Discussion

Smart card authentication must be enforced. The use of smart card credentials facilitates standardization and reduces the risk of unauthorized access. When enforceSmartCard is set to "true", the smart card must be used for logon, authorization, and unlocking the screensaver. CAUTION: enforceSmartCard will apply to the whole system. No users will be able to log on with their password unless the profile is removed or a user is exempt from smart card enforcement. Note: enforceSmartcard requires allowSmartcard to be set to true in order to work. Satisfies: SRG-OS-000067-GPOS-00035,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000112-GPOS-00057,SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161

Check Content

Verify the macOS system is configured to enforce multifactor authentication with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('enforceSmartCard').js EOS If the result is not "true", this is a finding.

Fix Text

Configure the macOS system to enforce multifactor authentication by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

Additional Identifiers

Rule ID: SV-259545r941257_rule

Vulnerability ID: V-259545

Group Title: SRG-OS-000067-GPOS-00035

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.