Navigate

Check: APPL-11-000003

Apple macOS 11 (Big Sur) STIG: APPL-11-000003 (in versions v1 r8 through v1 r7)

Title

The macOS system must initiate the session lock no more than five seconds after a screen saver is started. (Cat II impact)

Discussion

A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.

Check Content

To check if the system will prompt users to enter their passwords to unlock the screen saver, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding.

Fix Text

This setting is enforced using the "Login Window Policy" configuration profile.

Additional Identifiers

Rule ID: SV-230745r877361_rule

Vulnerability ID: V-230745

Group Title: SRG-OS-000028-GPOS-00009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000056	The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-11	Session Lock