2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled

Information

A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts after the inactivity interval selected in the Start after drop-down menu. 20 minutes or less is an acceptable value. Any value can be selected through the command line or a script, but a number that is not offered in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale:

Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact:

If the screen saver is not set, users may leave the computer available for an unauthorized person to access information.

Solution

Profile Method:

The PayloadType string is com.apple.screensaver

The key to include is idleTime

The key must be set to <integer><<=1200></integer>

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

Additional Information:

To verify individual users:

Audit:

The preferred audit procedure for this control will evaluate every user account on the computer and will report on all users where the value has been set. If the default value of 20 minutes is used and the user has never changed the setting, there will not be an audit result on their compliant setting. The time is set in seconds so all outputs will be in that format.

Perform the following to ensure the system is set for the screen saver to activate in 20 minutes or less:

Run this script to verify the idle times for all users:

UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep 'IOPlatformUUID' | sed -e 's/^.* "\(.*\)"$/\1/')

for i in $(find /Users -type d -maxdepth 1)
do
  PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID
  if [ -e $PREF.plist ]
  then
    echo -n 'Checking User: '$i': '
    defaults read $PREF.plist idleTime 2>&1
  fi
done

Note: If the output of the script includes The domain/default pair of (com.apple.screensaver, idleTime) does not exist for any user, then the setting has not been changed from the default. Follow the remediation instructions to set the idle time to match your organization's policy.

For Macs with a single user:

Graphical Method:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Verify that Start after is set for 20 minutes or less (<=1200)

Terminal Method:

Run the following command to verify that the screen saver idle time of individual users is set to less than or equal to 20 minutes:

$ /usr/bin/sudo -u <username> /usr/bin/osascript -l JavaScript << EOS
function run() {
  let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver').objectForKey('idleTime'))
  if ( pref1 <= 1200 ) {
    return('true')
  } else {
    return('false')
  }
}
EOS

true

Note: If there is no output, then the setting has not been changed from the default and is considered not in compliance. Follow the remediation instructions to set the idle time to match your organization's policy.

Remediation:

Graphical Method:

Perform the following steps to set the screen saver to activate in 20 minutes or less:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select an option for Start after that is 20 minutes or less (<=1200)

Terminal Method:

Run the following command to set an individual user's screen saver idle time to 20 minutes or less (<=1200):

$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value <=1200>

example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime

600

Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
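The audit script above prints raw defaults output per user and leaves interpretation to the reader, and the note just above warns about values the GUI does not offer. As an added example (not CIS's own script), the function below turns one user's defaults read output into a single verdict, covering the "does not exist" default case, the GUI-only values 60/120/300/600/1200, non-GUI values at or below 1200, and values above 1200. It treats 0 as noncompliant on the assumption that 0 corresponds to the Never setting. The audit_all_users driver that follows it mirrors the benchmark's per-user loop and only runs on macOS; the classifier itself is plain POSIX sh.

```shell
# Added example: classify `defaults read <plist> idleTime 2>&1` output.
# Verdicts:
#   default      - key never set; the 20-minute default applies but was not verified
#   compliant    - a GUI-selectable value of 1200 seconds or less
#   nonstandard  - 1200 or less, but not a value the GUI offers (may cause issues)
#   noncompliant - above 1200 seconds, or 0 (assumed to mean Never)
#   unknown      - unparseable output
classify_idle_time() {
  out="$1"
  # The "does not exist" message is what defaults prints when the key was never written.
  case "$out" in
    *"does not exist"*) echo default; return 0 ;;
  esac
  # Anything that is not a plain non-negative integer cannot be evaluated.
  case "$out" in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac
  if [ "$out" -eq 0 ] || [ "$out" -gt 1200 ]; then
    echo noncompliant; return 0
  fi
  # Values the Start after menu offers: 1, 2, 5, 10, 20 minutes.
  case "$out" in
    60|120|300|600|1200) echo compliant ;;
    *) echo nonstandard ;;
  esac
}

# macOS-only driver: same per-user walk as the benchmark's audit script,
# but each line ends with a verdict instead of raw output.
audit_all_users() {
  uuid=$(ioreg -rd1 -c IOPlatformExpertDevice | grep 'IOPlatformUUID' | sed -e 's/^.* "\(.*\)"$/\1/')
  for home in $(find /Users -type d -maxdepth 1); do
    pref="$home/Library/Preferences/ByHost/com.apple.screensaver.$uuid"
    if [ -e "$pref.plist" ]; then
      raw=$(defaults read "$pref.plist" idleTime 2>&1)
      printf '%s: %s\n' "$home" "$(classify_idle_time "$raw")"
    fi
  done
}
```

A "default" verdict is not proof of compliance: the benchmark's own note says the default only applies if the user never changed the setting, so a fleet report should count default separately from compliant rather than folding the two together.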

See Also

https://workbench.cisecurity.org/benchmarks/14564