2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver

Information

A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale:

Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact:

If the screensaver is not set users may leave the computer available for an unauthorized person to access information.

Solution

Perform the following to set the screen saver to activate in 20 minutes of less:
Graphical Method:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select on option for Start after that is 20 minutes of less (1200)

Terminal Method:
Run the following command to verify that the idle time of the screen saver to 20 minutes of less (1200)

$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <value 1200>

example:

$ sudo defaults -currentHost write com.apple.screensaver idleTime -int 600

If there are multiple users out of compliance with the prescribed setting, run this command for each user to set their idle time:

$ sudo -u <username> defaults -currentHost write com.apple.screensaver idleTime -int <value 1200>

example:

$ sudo -u seconduser defaults -currentHost write com.apple.screensaver idleTime -int 600

$ sudo -u seconduser defaults -currentHost read com.apple.screensaver idleTime

600

Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (120) minutes to avoid any issues.

See Also

https://workbench.cisecurity.org/files/3195

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11, CSCv7|16.11

Plugin: Unix

Control ID: 8a61e6ac12e728fbd24d25d9b8fffe669286c926d503b084406cce912d3909bc