Check: APPL-14-000005
Apple macOS 14 (Sonoma) STIG:
APPL-14-000005
(in versions v1 r2 through v1 r1)
Title
The macOS system must configure user session lock when a smart token is removed. (Cat II impact)
Discussion
The screen lock must be configured to initiate automatically when the smart token is removed from the system. Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absence. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.
Check Content
Verify the macOS system is configured to lock the user session when a smart token is removed with the following command: /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\ .objectForKey('tokenRemovalAction').js EOS If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to lock the user session when a smart token is removed by installing the "com.apple.security.smartcard" configuration profile. Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.
Additional Identifiers
Rule ID: SV-259421r940885_rule
Vulnerability ID: V-259421
Group Title: SRG-OS-000030-GPOS-00011
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000058 |
The information system provides the capability for users to directly initiate session lock mechanisms. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |