Check: APPL-14-000090
Apple macOS 14 (Sonoma) STIG:
APPL-14-000090
(in versions v1 r2 through v1 r1)
Title
The macOS system must disable logon to other user's active and locked sessions. (Cat II impact)
Discussion
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. Note: Configuring this setting will disable TouchID from unlocking the screensaver.
Check Content
Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>' If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
Additional Identifiers
Rule ID: SV-259443r943108_rule
Vulnerability ID: V-259443
Group Title: SRG-OS-000104-GPOS-00051
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
| CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |