STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Apple macOS 14 (Sonoma) Security Technical Implementation Guide

V-259443

CAT II (Medium)

The macOS system must disable logon to other user's active and locked sessions.

Rule ID

SV-259443r1009579_rule

STIG

Apple macOS 14 (Sonoma) Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000764

Discussion

The ability to log in to another user's active or locked session must be disabled. macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information. Note: Configuring this setting will disable TouchID from unlocking the screensaver.

Check Content

Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command:

/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'

If the result is not "1", this is a finding.

Fix Text

Configure the macOS system to disable login to other user's active and locked sessions with the following command:

/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"