The macOS system must disable logon to other user's active and locked sessions.

STIG ID: APPL-14-000090  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: medium |  CCI: CCI-000764,CCI-000770 |  Vulnerability Id: V-259443

Vulnerability Discussion

The ability to log in to another user's active or locked session must be
disabled.

macOS has a privilege that can be granted to any user that will allow that user to unlock active user's
sessions. Disabling the admins and/or user's ability to log into another user's active and locked
session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Note: Configuring this setting will disable TouchID from unlocking the screensaver.

Check

Verify the macOS system is configured to disable login to other user's active and locked
sessions with the following command:

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable login to other user's active and
locked sessions with the following command:

/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.