Free DISA STIG and SRG Library | Vaulted

V-81473

The macOS system must initiate the session lock no more than five seconds after a screen saver is started.

Finding ID: AOSX-13-000025
Rule ID: SV-96187r1_rule
Severity: Cat II
CCE: (None)
Group Title: SRG-OS-000028-GPOS-00009
CCI: CCI-000056
Target Key: (None)
Documentable: No

Discussion

A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock.

Fix Text

This setting is enforced using the "Security and Privacy Policy" configuration profile.

Check Content

To check if the system will prompt users to enter their passwords to unlock the screen saver, run the following command:

    /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep askForPasswordDelay

If there is no result, or if "askForPasswordDelay" is not set to "5.0" or less, this is a finding.
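
The grep in the check only shows the setting; the comparison against 5.0 is left to the reviewer. The following added example (not part of the STIG text) applies the finding condition to the command's output. The function name check_ask_delay, the assumed line format "askForPasswordDelay = 5;" and the rule that any out-of-range line counts as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: applies the STIG finding condition to the output of
#   /usr/sbin/system_profiler SPConfigurationProfileDataType
# Assumed line format (not shown on the page): askForPasswordDelay = 5;

# check_ask_delay (hypothetical helper): reads profile output on stdin.
# Returns 0 when compliant, 1 when the result is a finding.
check_ask_delay() {
    awk '
        /askForPasswordDelay/ {
            seen = 1
            val = $0
            sub(/^[^=]*=[ \t"]*/, "", val)   # drop the key, "=" and opening quote
            sub(/[";, \t]*$/, "", val)       # drop closing quote, ";" and padding
            # A value that is not a plain non-negative number cannot be
            # shown to be 5.0 or less, so it is treated as a finding.
            if (val !~ /^[0-9]+(\.[0-9]+)?$/) { bad = 1; next }
            # Assumption: if several profiles set the key, one value
            # above 5 is enough to make the result a finding.
            if (val + 0 > 5) bad = 1
        }
        END {
            # No matching line at all is a finding ("no result").
            exit !(seen && !bad)
        }
    '
}

# Constructed sample line, so the example runs without macOS.
sample='          askForPasswordDelay = 5;'

if printf '%s\n' "$sample" | check_ask_delay; then
    echo "askForPasswordDelay: compliant (5.0 or less)"
else
    echo "askForPasswordDelay: FINDING (missing or greater than 5.0)"
fi

# On a managed Mac the live check would be:
#   /usr/sbin/system_profiler SPConfigurationProfileDataType | check_ask_delay
```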