fix[rule]: change to correct value

added note explaining that TouchID is disabled for screensaver
usnistgov · Dec 1, 2023 · c52b7ff · c52b7ff
1 parent b0bead5
commit c52b7ff
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/rules/os/os_unlock_active_user_session_disable.yaml b/rules/os/os_unlock_active_user_session_disable.yaml
@@ -4,14 +4,16 @@ discussion: |
   The ability to log in to another user's active or locked session _MUST_ be disabled.
 
   macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active andlocked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
+
+  NOTE: Configuring this setting will disable TouchID from unlocking the screensaver.
 check: |
-  /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'use-login-window-ui'
+  /usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c '<string>authenticate-session-owner</string>'
 result:
   integer: 1
 fix: |
   [source,bash]
   ----
-  /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"
+  /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"
   ----
 references:
   cce: