Check: AOSX-14-000003
Apple OS X 10.14 (Mojave) STIG:
AOSX-14-000003
(in versions v2 r6 through v1 r1)
Title
The macOS system must initiate the session lock no more than five seconds after a screen saver is started. (Cat II impact)
Discussion
A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.
Check Content
To check if the system will prompt users to enter their passwords to unlock the screen saver, run the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay If there is no result, or if "askForPasswordDelay" is not set to "5.0" or less, this is a finding.
Fix Text
This setting is enforced using the "Login Window Policy" configuration profile.
Additional Identifiers
Rule ID: SV-209523r610285_rule
Vulnerability ID: V-209523
Group Title: SRG-OS-000028-GPOS-00009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000056 |
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |