Check: APPL-15-000090
Apple macOS 15 (Sequoia) STIG: APPL-15-000090 (in versions v1 r3 through v1 r1)
Title
The macOS system must disable login to other users' active and locked sessions. (Cat II impact)
Discussion
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that allows that user to unlock other users' active sessions. Disabling the administrator's and/or user's ability to log in to another user's active and locked session prevents unauthorized people from viewing potentially sensitive and/or personal information.

NOTE: Configuring this setting will change the user experience and disable Touch ID from unlocking the screen saver. To restore the user experience and allow Touch ID to unlock the screen saver, run "/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1". This setting can also be deployed with a configuration profile.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056
Check Content
Verify the macOS system is configured to disable login to other users' active and locked sessions with the following command:

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'

If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to disable login to other users' active and locked sessions with the following command:

/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
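As an added example that is not part of the STIG text, this POSIX shell script applies the Check Content logic to authorizationdb output and runs the Fix Text only when the check is a finding. The sample plists are constructed (they stand in for the live command where security(1) is unavailable), and the function names and the RESTORE_TOUCHID variable are assumptions of this example.

```shell
# Added example, not part of the STIG text: apply the APPL-15-000090 check logic to
# authorizationdb output, and run the Fix Text only when the check is a finding.

# Constructed sample of `security authorizationdb read system.login.screensaver`
# on a compliant system (this is the rule the Fix Text writes).
COMPLIANT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>rule</key>
    <array>
        <string>authenticate-session-owner</string>
    </array>
</dict>
</plist>'

# Constructed sample of the macOS default, which lets an admin unlock any user's
# locked session. The closing </string> in the pattern is what keeps this rule,
# whose name merely starts with "authenticate-session-owner", from being counted.
DEFAULT_PLIST=$(printf '%s\n' "$COMPLIANT_PLIST" | sed 's/authenticate-session-owner/authenticate-session-owner-or-admin/')

# evaluate_right PLIST_TEXT: prints "pass" when exactly one
# <string>authenticate-session-owner</string> line is present, else "finding".
evaluate_right() {
    count=$(printf '%s\n' "$1" | grep -c '<string>authenticate-session-owner</string>' || true)
    if [ "$count" = "1" ]; then echo pass; else echo finding; fi
}

# check_and_fix: for macOS, run as root. Reads the live right, applies the Fix Text
# on a finding, re-verifies, and with RESTORE_TOUCHID=1 also runs the NOTE's
# defaults command so Touch ID can still unlock the screen saver.
check_and_fix() {
    command -v /usr/bin/security >/dev/null 2>&1 || { echo "security(1) not found; not macOS"; return 2; }
    current=$(/usr/bin/security authorizationdb read system.login.screensaver 2>&1)
    if [ "$(evaluate_right "$current")" = pass ]; then
        echo "APPL-15-000090: not a finding"; return 0
    fi
    /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
    if [ "${RESTORE_TOUCHID:-0}" = 1 ]; then
        /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1
    fi
    after=$(/usr/bin/security authorizationdb read system.login.screensaver 2>&1)
    if [ "$(evaluate_right "$after")" = pass ]; then
        echo "APPL-15-000090: remediated"
    else
        echo "APPL-15-000090: still a finding"; return 1
    fi
}
```

Off macOS, `check_and_fix` returns 2 without touching anything; `evaluate_right` can still be exercised against saved authorizationdb output collected from managed hosts.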
Additional Identifiers
Rule ID: SV-268442r1034266_rule
Vulnerability ID: V-268442
Group Title: SRG-OS-000104-GPOS-00051
CCIs
Number | Definition |
---|---|
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |
Controls
Number | Title |
---|---|
IA-2 | Identification and Authentication (Organizational Users) |