5.5 Ensure login keychain is locked when the computer sleeps

Information

The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those that use keychain-aware applications extensively.

In previous versions of the Benchmark there were recommendations for inactivity timeouts and maintaining individual keychains. The user experience with a short inactivity timeout is difficult: users will be unlocking the keychain often to give all keychain-aware applications access. This Benchmark lengthened the inactivity timeout substantially in the past in order to keep the inactivity control. At this time it has been dropped. The compensating controls of a screen lock, lock when sleeping, and the built-in keychain encryption mean that dropping the control leaves only a small residual risk.

Early guidance, including in this Benchmark, recommended the use of additional keychains as needed to separate confidentiality levels or separate user domains (work, school, volunteer groups...). At this point, particularly with the availability of iCloud Keychain, keychain segregation is a niche use case. Recent recommendations on distinct keychains are very rare.

Rationale:

While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password-protected programs and/or systems in the absence of the user.

Impact:

The user may experience multiple prompts to unlock the keychain when waking from sleep.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following to set the login keychain to lock on sleep:
Graphical Method:

Open Keychain Access

Select the login keychain

Select Edit

Select Change Settings for keychain login

Set Lock when sleeping

Terminal Method:
For each user, run the following command to set the login keychain to lock on sleep:

$ sudo -u <username> security set-keychain-settings -l /Users/<username>/Library/Keychains/login.keychain

example:

$ sudo -u firstuser security set-keychain-settings -l /Users/firstuser/Library/Keychains/login.keychain
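Because Nessus does not perform this check, the following added audit helper (not part of the Benchmark or the Nessus plugin) reports whether a user's login keychain has the lock-on-sleep setting. It assumes that `security show-keychain-info` prints a line containing the token `lock-on-sleep` when the `-l` setting is active (and writes it to stderr); the sample output lines are constructed for offline verification.

```shell
#!/bin/sh
# Added audit helper for CIS 5.5 (not from the Benchmark or Nessus).
# Assumption: `security show-keychain-info <keychain>` reports the setting
# on one line such as
#   Keychain "/Users/x/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
# and omits "lock-on-sleep" when the keychain is not set to lock on sleep.

# Return 0 when the given show-keychain-info output indicates lock-on-sleep.
keychain_locks_on_sleep() {
    printf '%s\n' "$1" | grep -q 'lock-on-sleep'
}

# Audit one user's login keychain: prints PASS/FAIL/ERROR, returns 0/1/2.
# Must be run with privileges that allow `sudo -u <user>`, as in the
# Benchmark's own remediation command.
audit_user() {
    user="$1"
    kc="/Users/$user/Library/Keychains/login.keychain"
    if ! info=$(sudo -u "$user" security show-keychain-info "$kc" 2>&1); then
        printf 'ERROR %s: %s\n' "$user" "$info"
        return 2
    fi
    if keychain_locks_on_sleep "$info"; then
        printf 'PASS %s: %s\n' "$user" "$info"
        return 0
    fi
    printf 'FAIL %s: login keychain does not lock on sleep\n' "$user"
    return 1
}

# Audit every home directory under /Users (skips the Shared folder).
audit_all_users() {
    rc=0
    for home in /Users/*; do
        user=$(basename "$home")
        [ "$user" = "Shared" ] && continue
        audit_user "$user" || rc=1
    done
    return $rc
}

# Constructed sample lines in the assumed output format, for offline checks.
SAMPLE_COMPLIANT='Keychain "/Users/firstuser/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s'
SAMPLE_NONCOMPLIANT='Keychain "/Users/firstuser/Library/Keychains/login.keychain-db" no-timeout'
```

Run `audit_all_users` on the target Mac; a FAIL line names a user to whom the remediation command above should be applied.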

See Also

https://workbench.cisecurity.org/files/3569