ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

Group Title

SRG-OS-000030-GPOS-00011

Group ID

V-257146

Rule Version

APPL-13-000005

Rule Title

The macOS system must be configured to lock the user session when a smart token is removed.

Rule ID

SV-257146r905071_rule

Rule Severity

● Medium

Rule Weight

10.0

Vuln Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems must provide users with the ability to manually invoke a session lock so users may secure their session should they need to temporarily vacate the immediate physical vicinity.

Documentable

False

Check Content

Verify the macOS system is configured to lock the user session when a smart token is removed with the following command:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "tokenRemovalAction"

tokenRemovalAction = 1;

If there is no result, or if "tokenRemovalAction" is not set to "1", this is a finding.

Check System

C-60831r905069_chk

Fix Reference

F-60772r905070_fix

Fix Text

Configure the macOS system to lock the user session when a smart token is removed by installing the "Smart Card Policy" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided with the STIG before applying the "Smart Card Policy".

Identities

CCI-000058

The information system provides the capability for users to directly initiate session lock mechanisms.

• 800-53 :: AC-11 a
• 800-53 Rev. 4 :: AC-11 a
• 800-53A :: AC-11