5.4 Automatically lock the login keychain for inactivity


While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user. Timing out the keychain can reduce the exploitation window.


Perform the following to implement the prescribed state:
Open Utilities
Select Keychain Access
Select a keychain
Select Edit
Select Change Settings for keychain <keychain_name>
Authenticate, if requested.
Change the Lock after # minutes of inactivity setting for the Login Keychain to an approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains.

See Also


Item Details


References: 800-53|IA-5(13)

Plugin: Unix

Control ID: dacc9b35efb37b1851f25ba225c3bf5d81436091e29d23f6345a5676c92a1024