[CCE-28309-3] fast_user_switching #10

Closed
macosforgebot opened this Issue May 29, 2013 · 4 comments


macosforgebot commented May 29, 2013

@DewSecGitHub originally submitted this as ticket:9

  • Version: Beta
  • Keywords: Settings, Review

CCE#: CCE-28309-3
Setting Name: fast_user_switching
Description:
Controls whether a user can use the OSX GUI to start or switch to a login session running as another user concurrently.

Parameters: N / A
Technical Mechanism: In .GlobalPreferences.plist, set the MultipleSessionEnabled key to false to disable fast user switching.

Reference: OSX 10.5 DoD Recommended Settings Document, 10.6 DISA STIG, CIS Security Configuration benchmark for 10.6.

Function: Authentication

Rationale: N / A


SOHO: disable fast user switching
Enterprise: disable fast user switching
SSLF: disable fast user switching


Additional Mechanism: N / A


OVAL Content: N / A


Comment:
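
An added example, not part of the original ticket or the project's content: a Python check that audits the `MultipleSessionEnabled` key named under Technical Mechanism, given the raw bytes of a preferences plist. Reporting an absent key as a finding is an assumption of this example, and the sample plists are constructed.

```python
import plistlib

KEY = "MultipleSessionEnabled"  # key named in the ticket's Technical Mechanism
TRUE_STRINGS, FALSE_STRINGS = {"1", "true", "yes"}, {"0", "false", "no"}


def audit_fast_user_switching(plist_bytes):
    """Return (status, detail); status is 'pass', 'fail' or 'error'."""
    try:
        prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except Exception as exc:  # truncated, empty or non-plist input
        return "error", f"unparseable plist ({type(exc).__name__})"
    if not isinstance(prefs, dict):
        return "error", "top-level object is not a dictionary"
    if KEY not in prefs:
        # Assumption of this example: the setting must be explicit, so an
        # absent key is reported as a finding rather than trusted to a default.
        return "fail", f"{KEY} is not set"
    value = prefs[KEY]
    if isinstance(value, bool):
        enabled = value
    elif isinstance(value, int):
        enabled = value != 0
    elif isinstance(value, str) and value.strip().lower() in TRUE_STRINGS | FALSE_STRINGS:
        enabled = value.strip().lower() in TRUE_STRINGS
    else:
        return "error", f"{KEY} has unexpected type {type(value).__name__}"
    if enabled:
        return "fail", f"{KEY} is true: fast user switching is enabled"
    return "pass", f"{KEY} is false: fast user switching is disabled"


# Constructed sample inputs (not taken from a real system).
SAMPLES = {
    "disabled_binary": plistlib.dumps({KEY: False}, fmt=plistlib.FMT_BINARY),
    "enabled_xml": plistlib.dumps({KEY: True}),
    "key_absent": plistlib.dumps({"ExampleKey": ["en"]}),
    "string_zero": plistlib.dumps({KEY: "0"}),
    "not_a_dict": plistlib.dumps(["x"]),
    "garbage": b"not a plist",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *audit_fast_user_switching(data))
```

The function takes bytes rather than a path, so the caller decides which copy of `.GlobalPreferences.plist` to read and audit.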


macosforgebot commented May 29, 2013

@DewSecGitHub originally submitted this as comment:1:⁠ticket:9

  • Status changed from new to accepted

macosforgebot commented May 30, 2013

dubs@… originally submitted this as comment:2:⁠ticket:9


Disabling FUS also helps protect against DMA attacks against FileVault 2.


macosforgebot commented Jun 6, 2013

plink53@… originally submitted this as comment:3:⁠ticket:9


NIST 800-53 AC-10 Concurrent Session Control applies to the same user running multiple sessions on the same computer. It does not address concurrent sessions by single users via multiple system accounts (admin, non-admin, guest). Therefore, I'm not sure there's a basis for turning this off other than site preference. I would imagine Linux systems use this feature all the time, and allowing admins on AD-controlled systems to log on with an admin user while a normal user is already logged on appears to perform the same thing FUS does.


macosforgebot commented Aug 6, 2014

blank@… originally submitted this as comment:9:⁠ticket:9

  • Status changed from accepted to closed
  • Resolution set to R8 - Completed