CCI-000057 in U Apple macOS 15 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at sales@fusiontsi.com to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000030-GPOS-00011
Group ID
V-268423
Rule Version
APPL-15-000005
Rule Title
The macOS system must configure user session lock when a smart token is removed.
Rule ID
SV-268423r1034209_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The screen lock must be configured to initiate automatically when the smart token is removed from the system.

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the information system but do not want to log out because of the temporary nature of their absences. While a session lock is not an acceptable substitute for logging out of an information system for longer periods of time, they prevent a malicious user from accessing the information system when a user has removed their smart token.

[IMPORTANT]

====

Information system security officers (ISSOs) may make the risk-based decision not to enforce a session lock when a smart token is removed to maintain necessary workflow capabilities, but they are advised to first fully weigh the potential risks posed to their organization.

====

Documentable
False
Check Content

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:

/usr/bin/osascript -l JavaScript << EOS

$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\

.objectForKey('tokenRemovalAction').js

EOS

If the result is not "1", this is a finding.

Check System
C-72453r1034207_chk
Fix Reference
F-72354r1034208_fix
Fix Text

Configure the macOS system to lock the user session when a smart token is removed by installing the "com.apple.security.smartcard" configuration profile.

NOTE: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the configuration profile.

Identities
CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

  • 800-53 :: AC-11 a
  • 800-53 Rev. 4 :: AC-11 a
  • 800-53 Rev. 5 :: AC-11 a
  • 800-53A :: AC-11.1 (ii)
Group Title
SRG-OS-000029-GPOS-00010
Group ID
V-268441
Rule Version
APPL-15-000070
Rule Title
The macOS system must enforce screen saver timeout.
Rule ID
SV-268441r1034263_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The screen saver timeout must be set to 900 seconds or a shorter length of time.

This rule ensures that a full session lock is triggered within no more than 900 seconds of inactivity.

Documentable
False
Check Content

Verify the macOS system is configured to initiate the screen saver timeout after 15 minutes of inactivity with the following command:

/usr/bin/osascript -l JavaScript << EOS

function run() {

let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\

.objectForKey('idleTime'))

if ( timeout <= 900 ) {

return("true")

} else {

return("false")

}

}

EOS

If the result is not "true", this is a finding.

Check System
C-72471r1034261_chk
Fix Reference
F-72372r1034262_fix
Fix Text

Configure the macOS system to initiate the screen saver after 15 minutes of inactivity by installing the "com.apple.screensaver" configuration profile.

Identities
CCI-000057

The information system initiates a session lock after the organization-defined time period of inactivity.

  • 800-53 :: AC-11 a
  • 800-53 Rev. 4 :: AC-11 a
  • 800-53 Rev. 5 :: AC-11 a
  • 800-53A :: AC-11.1 (ii)
UNCLASSIFIED