InformationThe login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. Application access to the login keychain does not keep it unlocked. If you set Apple Mail to check for email every 10 minutes using the keychain for credentials and the keychain to lock every 15 minutes if inactive it will still cause the keychain to lock. The approach recommended here is that the login keychain be set to periodically lock when inactive to reduce the risk of password exposure or unauthorized use of credentials by a third party. The time period that an organization uses will depend on how great the use is of keychain aware applications. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organization using keychain aware applications extensively.
While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user. Timing out the keychain can reduce the exploitation window.
If the timeout is set too low on heavily used items the user will be annoyed and may use workarounds.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
SolutionPerform the following to implement the prescribed state:
Select Keychain Access
Select a keychain
Select Change Settings for keychain <keychain_name>
Authenticate, if requested.
Change the Lock after # minutes of inactivity setting for the Login Keychain to an approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.