Navigate

Check: APPL-13-000003

Apple macOS 13 (Ventura) STIG: APPL-13-000003 (in versions v1 r4 through v1 r1)

Title

The macOS system must initiate the session lock no more than five seconds after a screen saver is started. (Cat II impact)

Discussion

A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.

Check Content

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "askForPasswordDelay" askForPasswordDelay = 5; If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding.

Fix Text

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "Login Window Policy" configuration profile.

Additional Identifiers

Rule ID: SV-257144r905065_rule

Vulnerability ID: V-257144

Group Title: SRG-OS-000028-GPOS-00009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000056	The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-11	Session Lock