2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after the idle interval selected in the drop-down menu. A value of 20 minutes or less is acceptable. Any value can be set through the command line or a script, but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale:

Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact:

If the screen saver is not set, users may leave the computer available for an unauthorized person to access information.

Solution

Perform the following to set the screen saver to activate in 20 minutes or less:

Graphical Method:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select an option for Start after that is 20 minutes or less (<=1200)

Terminal Method:

Run the following command to set the idle time of the screen saver to 20 minutes or less (<=1200):

$ sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value <=1200>

example:

$ sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600

If there are multiple users out of compliance with the prescribed setting, run this command for each user to set their idle time:

$ sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value <=1200>

example:

$ sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600

$ sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime

600

Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.

Profile Method:

Create or edit a configuration profile with the PayloadType of com.apple.screensaver.user

Add the key idleTime

Set the key to <integer><value <=1200></integer>
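
To check the value that the Terminal Method writes, the following added example (not part of the CIS benchmark text) reads idleTime for each local account and classifies it against the 1200-second limit and the GUI values listed in the Note. The function names, the UID cutoff of 500 for human accounts, and the treatment of 0 as "never start" are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit com.apple.screensaver idleTime per user (run as root on macOS).

# classify_idle_time VALUE -> prints pass | pass-nongui | fail | unset
classify_idle_time() {
    case "$1" in
        '' | *[!0-9]*) echo unset; return ;;      # key missing or not an integer
    esac
    case "$1" in
        60 | 120 | 300 | 600 | 1200) echo pass ;; # values offered by the GUI menu
        *)
            # Assumption: 0 means the screen saver never starts, so it fails.
            if [ "$1" -eq 0 ] || [ "$1" -gt 1200 ]; then
                echo fail
            else
                echo pass-nongui                  # <=1200 but not selectable in the GUI
            fi ;;
    esac
}

# read_idle_time USER -> prints the user's current-host value, or nothing if unset
read_idle_time() {
    sudo -u "$1" /usr/bin/defaults -currentHost read \
        com.apple.screensaver idleTime 2>/dev/null || true
}

# audit_all_users -> one tab-separated line per account; returns 1 if any account fails
audit_all_users() {
    status=0
    # Assumption: accounts with UID above 500 are the human users to audit.
    for user in $(dscl . -list /Users UniqueID | awk '$2 > 500 {print $1}'); do
        value=$(read_idle_time "$user")
        result=$(classify_idle_time "$value")
        printf '%s\t%s\t%s\n' "$user" "${value:-<unset>}" "$result"
        if [ "$result" = fail ]; then status=1; fi
    done
    return "$status"
}

# Run the full audit only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--all" ]; then
    audit_all_users
fi
```

Accounts reported as unset have no explicit idleTime key and should be reviewed by hand; pass-nongui accounts meet the limit but use a value the Note advises against.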

See Also

https://workbench.cisecurity.org/files/4004