Check: APPL-26-000160
Apple macOS 26 (Tahoe) STIG: APPL-26-000160 (in version v1 r1)
Title
The macOS system must enforce auto logout after 86400 seconds of inactivity. (Cat II impact)
Discussion
Auto logout must be configured to automatically terminate a user session and log out after 86400 seconds of inactivity.

Note: The maximum that macOS can be configured for autologoff is 86400 seconds.

IMPORTANT: The automatic logout may cause disruptions to an organization's workflow and/or loss of data. Information system security officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting to disable the automatic logout setting.
Check Content
Verify the macOS system is configured to enforce auto logout after 86400 seconds of inactivity with the following command:

```
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
.objectForKey('com.apple.autologout.AutoLogOutDelay').js
EOS
```

If the result is not "86400", this is a finding.
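The check above in scripted form, for use in a compliance scan. This is an added example, not part of the STIG text; the function names, the `--run` switch and the exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: scripted form of the APPL-26-000160 check. Function names,
# the --run switch and the exit codes are assumptions of this example.
REQUIRED_DELAY=86400

# Read the value with the same osascript command the Check Content gives.
read_autologout_delay() {
    /usr/bin/osascript -l JavaScript 2>/dev/null << EOS
$.NSUserDefaults.alloc.initWithSuiteName('.GlobalPreferences')\
.objectForKey('com.apple.autologout.AutoLogOutDelay').js
EOS
}

# Only the exact string 86400 passes; an empty result, an unset key or any
# other delay is a finding, as the check requires.
evaluate_autologout_delay() {
    if [ "$1" = "$REQUIRED_DELAY" ]; then
        echo "pass"
    else
        echo "finding"
    fi
}

# Returns 0 for pass, 1 for a finding, 2 when the host cannot be checked
# (no osascript, i.e. not macOS), so a scan does not record a false finding.
check_autologout() {
    if [ ! -x /usr/bin/osascript ]; then
        echo "not_reviewed: /usr/bin/osascript not available"
        return 2
    fi
    value=$(read_autologout_delay) || value=""
    verdict=$(evaluate_autologout_delay "$value")
    echo "APPL-26-000160: $verdict (AutoLogOutDelay='$value')"
    [ "$verdict" = "pass" ]
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_autologout
    exit $?
fi
```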
Fix Text
Configure the macOS system to enforce auto logout after 86400 seconds of inactivity by installing the "com.apple.GlobalPreferences" configuration profile.
Additional Identifiers
Rule ID: SV-277056r1148620_rule
Vulnerability ID: V-277056
Group Title: SRG-OS-000279-GPOS-00109
CCIs
| Number | Definition |
|---|---|
| CCI-002361 | Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. |
Controls
| Number | Title |
|---|---|
| AC-12 | Session Termination |