CCI-000056 in U Apple macOS 15 V1R2


UNCLASSIFIED
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-268420
Rule Version
APPL-15-000001
Rule Title
The macOS system must prevent Apple Watch from terminating a session lock.
Rule ID
SV-268420r1034200_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Apple Watches are not an approved authenticator and their use must be disabled.

Disabling Apple Watch unlock is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using authorized identification and authentication procedures.

NOTE: Unlocking the system with an Apple Watch is not an approved authentication method for U.S. Federal Government usage, as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.

Documentable
False
Check Content

Verify the macOS system is configured to prevent Apple Watch from terminating a session lock with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowAutoUnlock').js
EOS

If the result is not "false", this is a finding.

Check System
C-72450r1034198_chk
Fix Reference
F-72351r1034199_fix
Fix Text

Configure the macOS system to prevent Apple Watch from terminating a session lock by installing the "com.apple.applicationaccess" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-268421
Rule Version
APPL-15-000002
Rule Title
The macOS system must enforce screen saver password.
Rule ID
SV-268421r1034203_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

Users must authenticate when unlocking the screen saver.

The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account.

Documentable
False
Check Content

Verify the macOS system is configured to prompt users to enter a password to unlock the screen saver with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('askForPassword').js
EOS

If the result is not "true", this is a finding.

Check System
C-72451r1034201_chk
Fix Reference
F-72352r1034202_fix
Fix Text

Configure the macOS system to prompt users to enter a password to unlock the screen saver by installing the "com.apple.screensaver" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-268422
Rule Version
APPL-15-000003
Rule Title
The macOS system must enforce session lock no more than five seconds after screen saver is started.
Rule ID
SV-268422r1034206_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of five seconds.

An unattended system with an excessive grace period is vulnerable to a malicious user.

Documentable
False
Check Content

Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command:

/usr/bin/osascript -l JavaScript << EOS
function run() {
  let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
  .objectForKey('askForPasswordDelay'))
  if ( delay <= 5 ) {
    return("true")
  } else {
    return("false")
  }
}
EOS

If the result is not "true", this is a finding.

Check System
C-72452r1034204_chk
Fix Reference
F-72353r1034205_fix
Fix Text

Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "com.apple.screensaver" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)
Group Title
SRG-OS-000028-GPOS-00009
Group ID
V-268516
Rule Version
APPL-15-002090
Rule Title
The macOS system must disable TouchID for unlocking the device.
Rule ID
SV-268516r1034488_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

TouchID enables the ability to unlock a Mac system with a user's fingerprint.

TouchID must be disabled for "Unlocking your Mac" on all macOS devices that are capable of using TouchID.

The system must remain locked until the user establishes access using an authorized identification and authentication method.

NOTE: TouchID is not an approved biometric authenticator for U.S. Federal Government use as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.

Documentable
False
Check Content

Verify the macOS system is configured to disable TouchID for unlocking the device with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
.objectForKey('allowFingerprintForUnlock').js
EOS

If the result is not "false", this is a finding.
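The four CCI-000056 checks on this page (APPL-15-000001, -000002, -000003 and -002090) each read one managed preference with the same NSUserDefaults/JXA query and compare the result to an expected value. The POSIX shell script below is an added example, not part of the STIG or of DISA's own tooling, that runs all four checks and reports a finding per rule. It assumes a macOS host with /usr/bin/osascript; the helper names query_default, delay_within_limit, evaluate_rule and run_all_checks are this example's own, not names from the STIG.

```shell
#!/bin/sh
# Added example (not part of the STIG): run the four CCI-000056 checks from
# this page and report a finding per rule, using the same NSUserDefaults/JXA
# query the Check Content uses. Assumes macOS with /usr/bin/osascript; on a
# host without it the query prints nothing and the rule is reported as
# "unable to evaluate" rather than silently passing.

# query_default SUITE KEY: print the managed value of KEY in SUITE (e.g. "false"),
# or nothing when osascript is unavailable or the key is unset.
query_default() {
  command -v /usr/bin/osascript >/dev/null 2>&1 || return 1
  /usr/bin/osascript -l JavaScript <<EOS
\$.NSUserDefaults.alloc.initWithSuiteName('$1').objectForKey('$2').js
EOS
}

# delay_within_limit DELAY LIMIT: print "true" when DELAY is an integer number of
# seconds <= LIMIT, else "false". Mirrors the APPL-15-000003 function: an empty
# or unset delay yields "false", which the STIG also treats as a finding.
delay_within_limit() {
  case "$1" in
    ''|*[!0-9]*) printf 'false\n'; return ;;
  esac
  if [ "$1" -le "$2" ]; then printf 'true\n'; else printf 'false\n'; fi
}

# evaluate_rule RULE RESULT EXPECTED: print one line per rule.
# Exit status: 0 = pass, 1 = finding, 2 = could not evaluate.
evaluate_rule() {
  rule=$1; result=$2; expected=$3
  if [ -z "$result" ]; then
    printf '%s: unable to evaluate (no result)\n' "$rule"; return 2
  fi
  if [ "$result" = "$expected" ]; then
    printf '%s: pass\n' "$rule"; return 0
  fi
  printf '%s: FINDING (got "%s", expected "%s")\n' "$rule" "$result" "$expected"
  return 1
}

# run_all_checks: evaluate the four rules; exit status is the number of rules
# that did not pass (findings plus rules that could not be evaluated).
run_all_checks() {
  findings=0
  r=$(query_default com.apple.applicationaccess allowAutoUnlock)
  evaluate_rule APPL-15-000001 "$r" false || findings=$((findings + 1))
  r=$(query_default com.apple.screensaver askForPassword)
  evaluate_rule APPL-15-000002 "$r" true || findings=$((findings + 1))
  d=$(query_default com.apple.screensaver askForPasswordDelay)
  evaluate_rule APPL-15-000003 "$(delay_within_limit "$d" 5)" true || findings=$((findings + 1))
  r=$(query_default com.apple.applicationaccess allowFingerprintForUnlock)
  evaluate_rule APPL-15-002090 "$r" false || findings=$((findings + 1))
  return "$findings"
}

# Only run the live checks where osascript exists (i.e. on macOS).
if command -v /usr/bin/osascript >/dev/null 2>&1; then
  run_all_checks
fi
```

Because the query reads the managed suite, a key that no profile has delivered comes back empty and is reported rather than passed; for APPL-15-000003 an unset delay evaluates to "false" exactly as the STIG's own function does, so installing the "com.apple.screensaver" profile with an explicit askForPasswordDelay is required for a pass.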

Check System
C-72546r1034486_chk
Fix Reference
F-72447r1034487_fix
Fix Text

Configure the macOS system to disable TouchID for unlocking the device by installing the "com.apple.applicationaccess" configuration profile.

Identities
CCI-000056

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

  • 800-53 :: AC-11 b
  • 800-53 Rev. 4 :: AC-11 b
  • 800-53 Rev. 5 :: AC-11 b
  • 800-53A :: AC-11.1 (iii)