Vulnerability Discussion
The ability to log in to another user's active or locked session must be disabled.
macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions. Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.
Note: Configuring this setting will disable TouchID from unlocking the screensaver.
Check
Verify the macOS system is configured to disable login to other user's active and locked sessions with the following command:
/usr/bin/security authorizationdb read system.login.screensaver 2>&1 | /usr/bin/grep -c 'authenticate-session-owner'
If the result is not "1", this is a finding.
Fix
Configure the macOS system to disable login to other user's active and locked sessions with the following command:
/usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner"