The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257144 | APPL-13-000003 | SV-257144r905065_rule | Medium |
| Description |
|---|
| A screen saver must be enabled and set to require a password to unlock. An excessive grace period impacts the ability for a session to be truly locked, requiring authentication to unlock. |
| STIG | Date |
|---|---|
| Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2023-08-28 |
Details
| Check Text ( C-60829r905063_chk ) |
|---|
| Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "askForPasswordDelay" askForPasswordDelay = 5; If there is no result, or if "askForPasswordDelay" is not set to "5" or less, this is a finding. |
| Fix Text (F-60770r905064_fix) |
|---|
| Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "Login Window Policy" configuration profile. |