CCI-000056 in U Apple macOS 14 V2R3


UNCLASSIFIED
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-259418
Rule Version
APPL-14-000001
Rule Title
The macOS system must prevent Apple Watch from terminating a session lock.
Rule ID
SV-259418r958400_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Disabling Apple Watch auto-unlock is a necessary step to ensure that the information system retains a session lock until the user re-establishes access using authorized identification and authentication procedures.

Documentable
False
Check Content

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAutoUnlock').js
EOS

If the result is not "false", this is a finding. A key that is not set at all (for example, because the profile is not installed) does not return "false" and is therefore also a finding.

Check System
C-63157r940874_chk
Fix Reference
F-63065r940875_fix
Fix Text

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "com.apple.applicationaccess" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-259419
Rule Version
APPL-14-000002
Rule Title
The macOS system must enforce screen saver password.
Rule ID
SV-259419r958400_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Users must authenticate when unlocking the screen saver.

The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.

Documentable
False
Check Content

Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPassword').js
EOS

If the result is not "true", this is a finding.

Check System
C-63158r940877_chk
Fix Reference
F-63066r940878_fix
Fix Text

Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "com.apple.screensaver" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-259420
Rule Version
APPL-14-000003
Rule Title
The macOS system must enforce session lock no more than five seconds after screen saver is started.
Rule ID
SV-259420r958400_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A screen saver must be enabled, and the system must be configured to require a password to unlock once the screen saver has been running for a maximum of five seconds.

An unattended system with an excessive grace period is vulnerable to a malicious user.

Documentable
False
Check Content

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:

/usr/bin/osascript -l JavaScript << EOS
function run() {
  let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPasswordDelay'))
  if ( delay <= 5 ) {
    return("true")
  } else {
    return("false")
  }
}
EOS

If the result is not "true", this is a finding.

Check System
C-63159r940880_chk
Fix Reference
F-63067r940881_fix
Fix Text

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "com.apple.screensaver" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-259517
Rule Version
APPL-14-002090
Rule Title
The macOS system must disable TouchID for unlocking the device.
Rule ID
SV-259517r958400_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

TouchID enables the ability to unlock a macOS system with a user's fingerprint.

TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID.

The system must remain locked until the user establishes access using an authorized identification and authentication method.

Documentable
False
Check Content

Verify the macOS system is configured to disable TouchID for unlocking the device with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFingerprintForUnlock').js
EOS

If the result is not "false", this is a finding.

Check System
C-63256r941171_chk
Fix Reference
F-63164r941172_fix
Fix Text

Configure the macOS system to disable TouchID for unlocking the device by installing the "com.apple.applicationaccess" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
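The four Fix Texts above (APPL-14-000001, -000002, -000003 and -002090) all say "install the configuration profile" without listing the keys the profile must carry, while the four Check Content commands show exactly which preference domain and key each rule reads. The following script is an added example, not part of the STIG and not Apple's or DISA's code: it builds a minimal configuration profile that carries those same keys and audits a profile file offline, so a profile can be validated before it is pushed by MDM. It assumes, as the Fix Text wording does, that the payload type of each payload is the preference domain the check reads ("com.apple.applicationaccess", "com.apple.screensaver"); the payload identifiers, UUIDs and display names are constructed for this example.

```python
import plistlib
import uuid

# Rule version -> (payload type / preference domain, key, pass predicate).
# Domain and key names are the ones the page's osascript checks read; the
# predicates mirror the "If the result is not ..." wording of each check.
RULES = {
    "APPL-14-000001": ("com.apple.applicationaccess", "allowAutoUnlock",
                       lambda v: v is False),
    "APPL-14-000002": ("com.apple.screensaver", "askForPassword",
                       lambda v: v is True),
    "APPL-14-000003": ("com.apple.screensaver", "askForPasswordDelay",
                       # bool is an int subclass in Python; a <true/> here is a
                       # misconfiguration, not a delay of one second
                       lambda v: isinstance(v, (int, float))
                                 and not isinstance(v, bool) and v <= 5),
    "APPL-14-002090": ("com.apple.applicationaccess", "allowFingerprintForUnlock",
                       lambda v: v is False),
}


def collect_settings(profile):
    """Gather {payload_type: {key: [values]}} from every payload in a profile.

    Values are kept as a list so that two payloads of the same type carrying
    conflicting values are both seen; the audit then requires every value to pass.
    """
    settings = {}
    for payload_dict in profile.get("PayloadContent", []):
        ptype = payload_dict.get("PayloadType")
        if not ptype:
            continue
        bucket = settings.setdefault(ptype, {})
        for key, value in payload_dict.items():
            if key.startswith("Payload"):  # PayloadUUID, PayloadIdentifier, ... are metadata
                continue
            bucket.setdefault(key, []).append(value)
    return settings


def audit_profile(plist_bytes):
    """Return {rule_version: True if the profile satisfies that rule}."""
    settings = collect_settings(plistlib.loads(plist_bytes))
    results = {}
    for rule, (domain, key, passes) in RULES.items():
        values = settings.get(domain, {}).get(key, [])
        # No value at all is a finding, just as an unset key on the device does
        # not yield the required "true"/"false" from the osascript check.
        results[rule] = bool(values) and all(passes(v) for v in values)
    return results


def findings(plist_bytes):
    """Rule versions the profile fails, sorted."""
    return sorted(rule for rule, ok in audit_profile(plist_bytes).items() if not ok)


# --- constructed sample profiles (identifiers and UUIDs are made up for this example) ---

def payload(ptype, **keys):
    body = {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.stig.{ptype}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": f"{ptype} (constructed)"}
    body.update(keys)
    return body


def make_profile(payloads):
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.stig.cci-000056",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AC-11 b session lock (constructed)",
        "PayloadContent": payloads,
    })


COMPLIANT_PROFILE = make_profile([
    payload("com.apple.applicationaccess", allowAutoUnlock=False, allowFingerprintForUnlock=False),
    payload("com.apple.screensaver", askForPassword=True, askForPasswordDelay=5),
])

# Weak variant: allowAutoUnlock is missing and the grace period is five minutes.
WEAK_PROFILE = make_profile([
    payload("com.apple.applicationaccess", allowFingerprintForUnlock=False),
    payload("com.apple.screensaver", askForPassword=True, askForPasswordDelay=300),
])

if __name__ == "__main__":
    for name, blob in (("compliant", COMPLIANT_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, "findings:", findings(blob) or "none")
```

Run it as-is to see the two constructed profiles reported, or call findings() on the bytes of a real .mobileconfig before deploying it. This validates the profile file only; the osascript checks in the Check Content fields remain the authoritative test of the device, since a profile can fail to install, be removed, or be installed at a scope that does not apply to the user being assessed.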