5.4 Automatically lock the login keychain for inactivity

Information

While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user. Timing out the keychain can reduce the exploitation window.

Solution

Perform the following to implement the prescribed state:
Open Utilities
Select Keychain Access
Select a keychain
Select Edit
Select Change Settings for keychain <keychain_name>
Authenticate, if requested.
Change the Lock after # minutes of inactivity setting for the Login Keychain to an approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.

See Also

https://workbench.cisecurity.org/files/300

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13)

Plugin: Unix

Control ID: 8bb4977ee8cad5cdecc2e6d37a243d2fcd76be4e681ca8bb649d512619442986