The macOS system must disable logon to other user's active and locked sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259443	SRG-OS-000104-GPOS-00051	APPL-14-000090	SV-259443r1009579_rule	2024-12-04	2

Description
The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. Note: Configuring this setting will disable TouchID from unlocking the screensaver.

Description

The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. Note: Configuring this setting will disable TouchID from unlocking the screensaver.

ℹ️ Check
Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb read system.login.screensaver 2>&1 \| /usr/bin/grep -c '<string>authenticate-session-owner</string>' If the result is not "1", this is a finding.

✔️ Fix
Configure the macOS system to disable login to other user's active and locked sessions with the following command: /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"