2.4.6 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled

Information

Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use.

Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.

Solution

Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps:

% /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password>

or

% /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password>

Impact:

Without a screen lock in place, anyone with physical access to the computer would be logged in and able to use the active user's session.

See Also

https://workbench.cisecurity.org/benchmarks/17467

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|4.2

Plugin: Unix

Control ID: fa84817972f1a60b8b7ce62a73ef7885d0003b5ede1287fa6bdc9a699bf2fa24