The macOS system must enforce session lock no more than five seconds after screen saver is started.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-268422 | APPL-15-000003 | SV-268422r1034206_rule | Medium |
Description |
A screen saver must be enabled and the system must be configured to require a password to unlock once the screen saver has been on for a maximum of five seconds. An unattended system with an excessive grace period is vulnerable to a malicious user. |
STIG | Date |
Apple macOS 15 (Sequoia) Security Technical Implementation Guide | 2025-05-05 |
Details
Check Text (C-72452r1034204_chk) |
Verify the macOS system is configured to initiate a session lock within five seconds of the screen saver starting with the following command: /usr/bin/osascript -l JavaScript << EOS function run() { let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ .objectForKey('askForPasswordDelay')) if ( delay <= 5 ) { return("true") } else { return("false") } } EOS If the result is not "true", this is a finding. |
Fix Text (F-72353r1034205_fix) |
Configure the macOS system to initiate a session lock within five seconds of the screen saver starting by installing the "com.apple.screensaver" configuration profile. |