6.1. Enforce Multifactor Authentication for Login
The system MUST be configured to enforce multifactor authentication.
All users MUST go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
/etc/pam.d/login will be automatically modified to its original state following any
update or major upgrade to the operating system.
To check the state of the system, run the following command(s):
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/login
If the result is not 2, this is a finding.
6.2. Enforce Multifactor Authentication for the su Command
The system MUST be configured such that, when the su command is used, multifactor authentication is enforced.
All users MUST go through multifactor authentication to prevent unauthenticated access and
potential compromise to the system.
To check the state of the system, run the following command(s):
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_rootok.so)' /etc/pam.d/su
If the result is not 2, this is a finding.
6.3. Enforce Multifactor Authentication for Privilege Escalation Through the sudo Command
The system MUST be configured to enforce multifactor authentication when the sudo command is
used to elevate privilege.
All users MUST go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.
To check the state of the system, run the following command(s):
/usr/bin/grep -Ec '^(auth\s+sufficient\s+pam_smartcard.so|auth\s+required\s+pam_deny.so)' /etc/pam.d/sudo
If the result is not 2, this is a finding.
Jamf Extension Attribute; Cat the pam.d
#!/bin/bash
sudo=$( cat /etc/pam.d/sudo )
su=$( cat /etc/pam.d/su )
# echo -e "Sudo results:\n $sudo \n ••• \n Su results:\n $su "
echo -e "<result>Sudo results:\n $sudo \n ••• \n Su results:\n $su</result>"
exit 0
Link:
https://mrmacintosh.com/catalina-10-15-3-update-reverts-custom-pam-d-sshd_config-settings/