5.6 Ensure login keychain is locked when the computer sleeps

Information

The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organizations using keychain-aware applications extensively.

Rationale:

While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user.

Impact:

The user may experience multiple prompts to unlock the keychain when waking from sleep.

Solution

Perform the following to implement the prescribed state:

Open Utilities

Select Keychain Access

Select a keychain

Select Edit

Select Change Settings for keychain <keychain_name>

Authenticate, if requested.

Select Lock when sleeping setting
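The GUI steps above can also be audited and applied from a shell with Apple's `security` command-line tool. The script below is an added example and is not part of the CIS or Tenable item; it assumes the user's login keychain lives at the default path `~/Library/Keychains/login.keychain-db` and that `security show-keychain-info` reports settings in the form `Keychain "<path>" [lock-on-sleep ](timeout=<n>s|no-timeout)`, which is how current macOS releases print it (treat the exact format as an assumption). The parsing functions run anywhere; the audit and remediation functions need macOS.

```shell
#!/bin/sh
# Added example, not the benchmark's own code. Audits and remediates the
# "Lock when sleeping" setting of the macOS login keychain.
#
# Assumption: `security show-keychain-info <keychain>` prints one line like
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
# or
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout
# The tool writes this line to stderr on some releases, so both streams are captured.

# keychain_locks_on_sleep LINE -> exit 0 if LINE contains the lock-on-sleep flag.
keychain_locks_on_sleep() {
    case "$1" in
        *" lock-on-sleep "*|*" lock-on-sleep") return 0 ;;
        *) return 1 ;;
    esac
}

# keychain_timeout_seconds LINE -> prints the inactivity timeout in seconds,
# or nothing when the keychain has no timeout configured.
keychain_timeout_seconds() {
    printf '%s\n' "$1" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p'
}

# audit_login_keychain [KEYCHAIN] -> PASS (0) / FAIL (1) / ERROR (2). macOS only.
audit_login_keychain() {
    kc="${1:-$HOME/Library/Keychains/login.keychain-db}"   # assumed default path
    info=$(security show-keychain-info "$kc" 2>&1) || { echo "ERROR: $info"; return 2; }
    if keychain_locks_on_sleep "$info"; then
        echo "PASS: $info"; return 0
    fi
    echo "FAIL: $info"; return 1
}

# remediate_login_keychain [KEYCHAIN] -> enables lock-on-sleep while keeping any
# existing inactivity timeout, because set-keychain-settings replaces all
# settings at once (-l = lock on sleep, -u/-t = lock after N seconds). macOS only;
# the keychain must be unlocked, so the user may be prompted.
remediate_login_keychain() {
    kc="${1:-$HOME/Library/Keychains/login.keychain-db}"
    info=$(security show-keychain-info "$kc" 2>&1) || { echo "ERROR: $info"; return 2; }
    t=$(keychain_timeout_seconds "$info")
    if [ -n "$t" ]; then
        security set-keychain-settings -l -u -t "$t" "$kc"
    else
        security set-keychain-settings -l "$kc"
    fi
}
```

Typical use after sourcing the file on a Mac: run `audit_login_keychain` to record the current state, and `remediate_login_keychain` on any host that reports FAIL; re-running the audit afterwards should print the same line with `lock-on-sleep` present.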

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13)

Plugin: Unix

Control ID: 48bdb2d332cb666908257fec5af9fba4da49c0c29f97e4a3b53d7b13dcb38525