This is not the latest version of the STIG. This is provided for archival purposes.

The macOS system must disable login to other users' active and locked sessions.

STIG ID: APPL-15-000090  |  SRG: SRG-OS-000104-GPOS-00051  |  Severity: medium (CAT II)  |  CCI: CCI-000764, CCI-004045  |  Vulnerability Id: V-268442

Vulnerability Discussion

The ability to log in to another user's active or locked session must be disabled.

macOS has a privilege that can be granted to any user, allowing that user to unlock other users' active sessions. Disabling the administrator's and/or user's ability to log in to another user's active and locked session prevents unauthorized people from viewing potentially sensitive and/or personal information.

NOTE: Configuring this setting will change the user experience and disable TouchID from unlocking the screen saver. To restore the user experience and allow TouchID to unlock the screen saver, run "/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow screenUnlockMode -int 1". This setting can also be deployed with a configuration profile.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056

Check

Verify the macOS system is configured to disable login to other users' active and locked sessions with the following command:

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable login to other users' active and locked sessions with the following command:

/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
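An added audit helper, not part of the STIG text, that applies the Check logic above to authorizationdb output and shows why the grep pattern includes the closing tag: the more permissive authenticate-session-owner-or-admin rule must not pass the check. The plist samples are constructed, and the live path assumes the script runs on macOS as a user allowed to read the authorization database.

```shell
#!/bin/sh
# Audit helper for APPL-15-000090 (added example, not the STIG's own code).

# Evaluate the STIG check against authorizationdb plist text read from stdin.
# Prints "compliant" or "finding" and returns 0 / 1 accordingly.
# The pattern keeps the closing </string> tag on purpose so that the
# permissive rule "authenticate-session-owner-or-admin" cannot match.
evaluate_screensaver_rule() {
  count=$(grep -c '<string>authenticate-session-owner</string>' || true)
  if [ "$count" = "1" ]; then
    echo compliant
    return 0
  fi
  echo finding
  return 1
}

# Run the live check when the macOS security tool is present; otherwise skip.
audit_live() {
  if [ -x /usr/bin/security ]; then
    /usr/bin/security authorizationdb read system.login.screensaver 2>&1 \
      | evaluate_screensaver_rule
  else
    echo "skipped: /usr/bin/security not found"
    return 2
  fi
}

# Constructed sample: hardened rule, as written by the Fix command.
SAMPLE_HARDENED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rule</key><array><string>authenticate-session-owner</string></array>
</dict></plist>'

# Constructed sample: permissive rule that lets an admin unlock any session.
SAMPLE_PERMISSIVE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rule</key><array><string>authenticate-session-owner-or-admin</string></array>
</dict></plist>'
```

Pipe a saved `authorizationdb read` output into `evaluate_screensaver_rule` to audit a captured plist offline, or call `audit_live` on the host itself.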