Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The ability for administrative accounts to unlock screen saver must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-25280 | OSX00200 M6 | SV-37214r1_rule | ECPA-1 PESL-1 | Medium |
| Description |
|---|
| The default setting creates a possible point of attack, because the more users in the admin group the more dependent on those users to protect their user names and passwords. By changing the rule in “system.login.screensaver” to “authenticatesession-owner”, users of the admin group cannot unlock the screen saver. |
| STIG | Date |
|---|---|
| MAC OSX 10.6 Workstation Security Technical Implementation Guide | 2013-04-09 |
Details
| Check Text ( C-35905r1_chk ) |
|---|
| Open a terminal session and enter the following command. more /etc/authorization Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, this is a finding. |
| Fix Text (F-31163r1_fix) |
|---|
| Open a terminal session and edit the following file. /etc/authorization Change "authenticate-session-owner-or-admin " to "authenticate-session-owner" in the "system.login.screensaver" key. Save the file. |