5.4 Automatically lock the login keychain for inactivity

Information

The login keychain is a secure database store for passwords and certificates and is created for each user account on Mac OS X. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. Application access to the login keychain does not keep it unlocked. If you set Apple Mail to check for email every 10 minutes using the keychain for credentials and the keychain to lock every 15 minutes if inactive it will still cause the keychain to lock. The approach recommended here is that the login keychain be set to periodically lock when inactive to reduce the risk of password exposure or unauthorized use of credentials by a third party. The time period that an organization uses will depend on how great the use is of keychain aware applications. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organization using keychain aware applications extensively. While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user. Timing out the keychain can reduce the exploitation window.

Solution

Perform the following to implement the prescribed state: Open Utilities Select Keychain Access Select a keychain Select Edit Select Change Settings for keychain <keychain_name> Authenticate, if requested. Change the Lock after # minutes of inactivity setting for the Login Keychain to an approved value that should be longer than 6 hours or 3600 minutes or based on the access frequency of the security credentials included in the keychain for other keychains. Impact: If the timeout is set too low on heavily used items the user will be annoyed and may use workarounds.

See Also

https://workbench.cisecurity.org/files/299

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13)

Plugin: Unix

Control ID: f5da8c87299100730bd6d27a5c05448b8b8fc9f412b0cdbf7e6a01e7db29b580