[CCE-28300-2] idle_time_for_screen_saver #2

Closed
macosforgebot opened this Issue May 29, 2013 · 5 comments


macosforgebot commented May 29, 2013

@DewSecGitHub originally submitted this as ticket:1

  • Version: Beta
  • Keywords: Settings, Review

CCE#: CCE-28300-2
Setting Name: idle_time_for_screen_saver
Description:
Specifies the maximum time the login window can be inactive before the screen saver starts. This is distinct from a user session's idle time. Setting to 900 seconds (15 minutes) instead of the OEM value of unlimited.

Parameters: N / A
Technical Mechanism: In loginwindow.plist, set the loginWindowIdleTime key = 900. If the key does not exist, idle time is unlimited.

Reference: N / A

Function: Authentication

Rationale: N / A


SOHO: 900 seconds
Enterprise: 900 seconds
SSLF: 900 seconds


Additional Mechanism: N / A


OVAL Content: N / A


Comment:
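
Added example, not part of the original ticket or the project's content: a Python check of the technical mechanism described above, which reports an absent loginWindowIdleTime key as unlimited and accepts a site-specific limit. The `max_seconds` parameter, the sample payloads and the fail-closed handling of non-integer or non-positive values are assumptions of this example.

```python
import plistlib

KEY = "loginWindowIdleTime"  # key named in the ticket
BASELINE_SECONDS = 900       # SOHO / Enterprise / SSLF value from the ticket


def check_idle_time(plist_bytes, max_seconds=BASELINE_SECONDS):
    """Return (compliant, detail) for the raw bytes of a loginwindow.plist."""
    try:
        prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except Exception as exc:
        return False, f"unparseable plist: {exc!r}"
    if not isinstance(prefs, dict):
        return False, "top-level plist object is not a dictionary"
    if KEY not in prefs:
        # Per the ticket: if the key does not exist, idle time is unlimited.
        return False, "key absent: idle time is unlimited"
    value = prefs[KEY]
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        return False, f"unexpected value type: {type(value).__name__}"
    if value <= 0:
        # Assumption: the ticket does not define 0 or negatives; fail closed.
        return False, f"non-positive value: {value}"
    if value > max_seconds:
        return False, f"{value} s exceeds limit of {max_seconds} s"
    return True, f"{value} s is within limit of {max_seconds} s"


# Constructed sample payloads (not taken from a real system).
SAMPLES = {
    "baseline": plistlib.dumps({KEY: 900}),
    "key_missing": plistlib.dumps({"SHOWFULLNAME": True}),
    "thirty_minutes": plistlib.dumps({KEY: 1800}, fmt=plistlib.FMT_BINARY),
    "string_value": plistlib.dumps({KEY: "900"}),
}

if __name__ == "__main__":
    # On a Mac, pass the bytes of /Library/Preferences/com.apple.loginwindow.plist.
    for name, payload in SAMPLES.items():
        print(name, check_idle_time(payload))
    # A site limit other than 900 s, e.g. the 30 minutes cited in the thread.
    print("thirty_minutes@1800", check_idle_time(SAMPLES["thirty_minutes"], 1800))
```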


macosforgebot commented May 29, 2013

@DewSecGitHub originally submitted this as comment:1:⁠ticket:1

  • Status changed from new to accepted
  • Summary changed from [CCE-28300-2] Setting Name idle_time_for_screen_saver to [CCE-28300-2] idle_time_for_screen_saver

macosforgebot commented Jun 3, 2013

dubs@… originally submitted this as comment:2:⁠ticket:1


This doesn't really seem like a security setting as you are already at the login window.


macosforgebot commented Jun 6, 2013

plink53@… originally submitted this as comment:3:⁠ticket:1


I'd like to add NIST SP800-53 rev4 and CNSSI-1253 rev2 (3/2012) references to these and other content.

AC-11 refers to session lock, preventing further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user.

AC-11 has different requirements depending on priority and baseline allocation (old CIA values). For low it's not required; for medium and high it also requires the use of a concealing screensaver. This references OMB Memorandum 06-16.

CNSSI-1253 (NSS systems only) specifies the time to be no more than 30 minutes.

There are other governing bodies' references and probably a better way of listing them for future use. I imagine we're just trying to get the tests configured right now, but each of the tests could/do have a government requirement on their operation.

We've always used 10 minutes for the screen saver; now it has been expanded up to 30 minutes by CNSS. This value is up to the discretion of the organization's DAA and/or specific policy. Will there be an easy way to specify other setting values?


I have a question on this one as well. If someone uses Profiles (like GPOs), is this setting configured differently or does the Profile simply act as an alias to the loginwindow.plist file? If Profile Manager does it differently, I'd like to see an optional technical mechanism or a new CCE(?).


macosforgebot commented Jul 22, 2013

dubs@… originally submitted this as comment:4:⁠ticket:1


In this case though there isn't a user session to secure. If no one has logged in yet there isn't a session to secure. Screensaver over login is simply for displaying information or preventing screen burn on CRT displays.


macosforgebot commented Aug 6, 2014

blank@… originally submitted this as comment:6:⁠ticket:1

  • Status changed from accepted to closed
  • Resolution set to R8 - Completed