2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled

Information

A locking screen saver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS, the screen saver starts once the interval selected in the drop-down menu has elapsed. 20 minutes or less is an acceptable value. Any value can be selected through the command line or a script, but a number that is not offered in the GUI can be problematic. 20 minutes is the default for new accounts.

Rationale:

Setting an inactivity interval for the screen saver prevents unauthorized persons from viewing a system left unattended for an extensive period of time.

Impact:

If the screen saver is not set, users may leave the computer available for an unauthorized person to access information.

Solution

Profile Method:

The PayloadType string is com.apple.screensaver

The key to include is idleTime

The key must be set to an <integer> value of 1200 (seconds) or less, for example <integer>1200</integer>

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

Additional Information:

To verify individual users:

Audit:

Graphical Method:

Perform the following steps to verify that the screen saver is set to activate after 20 minutes or less of inactivity:

Open System Settings

Select Lock Screen

Verify that Start Screen Saver when inactive is set for 20 minutes or less (<=1200 seconds)

or

Open System Settings

Select Privacy & Security

Select Profiles

Verify that an installed profile has Idle Time set to <=1200

Terminal Method:

Run the following command to verify that the screen saver idle time of individual users is set to less than or equal to 20 minutes:

$ /usr/bin/sudo -u <username> /usr/bin/osascript -l JavaScript << EOS
function run() {
    // Read idleTime (seconds) from the user's com.apple.screensaver domain
    let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')
        .objectForKey('idleTime'))
    // Compliant when the interval is 20 minutes (1200 seconds) or less
    if ( pref1 <= 1200 ) {
        return('true')
    } else {
        return('false')
    }
}
EOS
true

Note: If there is no output, then the setting has not been changed from the default and is considered not in compliance. Follow the remediation instructions to set the idle time to match your organization's policy.

Remediation:

Graphical Method:

Perform the following to set the screen saver to activate in 20 minutes or less:

Open System Settings

Select Lock Screen

Set Start Screen Saver when inactive to a selection that is 20 minutes or less (<=1200)

Terminal Method:

Run the following command to set the screen saver idle time for individual users to 20 minutes or less (<=1200):

$ /usr/bin/sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value <=1200>

example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int 600

$ /usr/bin/sudo -u seconduser /usr/bin/defaults -currentHost read com.apple.screensaver idleTime

600

Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (1200) minutes to avoid any issues.
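The following shell script is an added example and is not part of the benchmark or of Tenable's audit content. It classifies a raw idleTime value the way the Terminal audit and the note above describe (key absent, value over 1200, value not offered in the GUI menu) and, on macOS only, runs that check for every local account. The --run flag, the UID >= 500 filter for local accounts, and treating a value of 0 as "Never" are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the idleTime value returned by
#   defaults -currentHost read com.apple.screensaver idleTime
# and audit every local account with it. Only the classifier is portable.

MAX_IDLE=1200                      # 20 minutes, the benchmark's upper bound
GUI_VALUES="60 120 300 600 1200"   # menu entries the note above recommends

# classify_idle_time RAW -> prints one of:
#   compliant | compliant-nongui | never | too-long | unset | invalid
classify_idle_time() {
    raw=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$raw" in
        '')        echo unset;   return 0 ;;   # key absent: treated as not configured
        *[!0-9]*)  echo invalid; return 0 ;;   # not a non-negative integer
    esac
    if [ "$raw" -eq 0 ]; then
        echo never            # assumption: 0 is how "Never" is stored, so not compliant
    elif [ "$raw" -gt "$MAX_IDLE" ]; then
        echo too-long
    else
        for v in $GUI_VALUES; do
            [ "$raw" -eq "$v" ] && { echo compliant; return 0; }
        done
        echo compliant-nongui # within the limit but not a value shown in the GUI menu
    fi
}

# audit_user USERNAME -> prints "USERNAME RAW STATUS"; macOS only.
audit_user() {
    user=$1
    raw=$(/usr/bin/sudo -u "$user" /usr/bin/defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    printf '%s %s %s\n' "$user" "${raw:-<none>}" "$(classify_idle_time "$raw")"
}

# Walk local accounts (UID >= 500 is the usual macOS convention for user accounts).
audit_all_users() {
    /usr/bin/dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
        audit_user "$u"
    done
}

if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--run" ]; then
    audit_all_users
fi
```

Run it as `sh audit_screensaver.sh --run` on the Mac being audited; any line whose status is not `compliant` needs the remediation above.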

See Also

https://workbench.cisecurity.org/benchmarks/14561