Check: APPL-11-000001
Apple macOS 11 (Big Sur) STIG:
APPL-11-000001
(in versions v1 r8 through v1 r1)
Title
The macOS system must be configured to prevent Apple Watch from terminating a session lock. (Cat II impact)
Discussion
Users must be prompted to enter their passwords when unlocking the screen saver. The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.
Check Content
To check if the system is configured to prevent Apple Watch from terminating a session lock, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "allowAutoUnlock" allowAutoUnlock = 0; If there is no result or "allowAutoUnlock" is not set to "0", this is a finding.
Fix Text
This setting is enforced using the “Restrictions Policy" configuration profile.
Additional Identifiers
Rule ID: SV-230743r599842_rule
Vulnerability ID: V-230743
Group Title: SRG-OS-000028-GPOS-00009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000056 |
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |