CCI-000057 in U Apple macOS 14 V2R2

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED

Group Title

SRG-OS-000030-GPOS-00011

Group ID

V-259421

Rule Version

APPL-14-000005

Rule Title

The macOS system must configure user session lock when a smart token is removed.

Rule ID

SV-259421r1009577_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The screen lock must be configured to initiate automatically when the smart token is removed from the system.

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absence. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.

Documentable

False

Check Content

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:

/usr/bin/osascript -l JavaScript << EOS

$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\

.objectForKey('tokenRemovalAction').js

EOS

If the result is not "1", this is a finding.

Check System

C-63160r940883_chk

Fix Reference

F-63068r940884_fix

Fix Text

Configure the macOS system to lock the user session when a smart token is removed by installing the "com.apple.security.smartcard" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

Identities

CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

800-53 :: AC-11 a
800-53 Rev. 4 :: AC-11 a
800-53 Rev. 5 :: AC-11 a
800-53A :: AC-11.1 (ii)

CCI-000058

The information system provides the capability for users to directly initiate session lock mechanisms.

800-53 :: AC-11 a
800-53 Rev. 4 :: AC-11 a
800-53A :: AC-11

Group Title

SRG-OS-000029-GPOS-00010

Group ID

V-259423

Rule Version

APPL-14-000009

Rule Title

The macOS system must prevent AdminHostInfo from being available at LoginWindow.

Rule ID

SV-259423r958402_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The system must be configured to not display sensitive information at the LoginWindow. The key AdminHostInfo when configured will allow the HostName, IP Address, and operating system version and build to be displayed.

Documentable

False

Check Content

Verify the macOS system is configured to prevent AdminHostInfo from being available at LoginWindow with the following command:

/usr/bin/osascript -l JavaScript << EOS

$.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\

.objectIsForcedForKey('AdminHostInfo')

EOS

If the result is not "false", this is a finding.

Check System

C-63162r940889_chk

Fix Reference

F-63070r940890_fix

Fix Text

Configure the macOS system to prevent AdminHostInfo from being available at LoginWindow by installing the "com.apple.loginwindow" configuration profile.

Identities

CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

800-53 :: AC-11 a
800-53 Rev. 4 :: AC-11 a
800-53 Rev. 5 :: AC-11 a
800-53A :: AC-11.1 (ii)

Group Title

SRG-OS-000029-GPOS-00010

Group ID

V-259441

Rule Version

APPL-14-000070

Rule Title

The macOS system must enforce screen saver timeout.

Rule ID

SV-259441r958402_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

The screen saver timeout must be set to 900 seconds or a shorter length of time.

This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.

Documentable

False

Check Content

Verify the macOS system is configured to initiate the screen saver timeout after 15 minutes of inactivity with the following command:

/usr/bin/osascript -l JavaScript << EOS

function run() {

let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\

.objectForKey('idleTime'))

if ( timeout <= 900 ) {

return("true")

} else {

return("false")

}

EOS

If the result is not "true", this is a finding.

Check System

C-63180r940943_chk

Fix Reference

F-63088r940944_fix

Fix Text

Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "com.apple.screensaver" configuration profile.

Identities

CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

800-53 :: AC-11 a
800-53 Rev. 4 :: AC-11 a
800-53 Rev. 5 :: AC-11 a
800-53A :: AC-11.1 (ii)

UNCLASSIFIED