Information
The login keychain is a secure database store for passwords and certificates and is created for each user account on macOS. The system software itself uses keychains for secure storage. Anyone with physical access to an unlocked keychain where the screen is also unlocked can copy all passwords in that keychain. The approach recommended here is that the login keychain be set to lock when the computer sleeps to reduce the risk of password exposure. Organizations that use Firefox and Thunderbird will have a much different tolerance than those organization using keychain aware applications extensively.
Rationale:
While logged in, the keychain does not prompt the user for passwords for various systems and/or programs. This can be exploited by unauthorized users to gain access to password protected programs and/or systems in the absence of the user.
Impact:
The user may experience multiple prompts to unlock the keychain when waking from sleep.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the following to set the login keychain to lock on sleep:
Graphical Method:
Open Keychain Access
Select the login keychain
Select Edit
Select Change Settings for keychain login
Set Lock when sleeping
Terminal Method:
For each user, run the following command to set the login keychain to sleep on lock:
$ sudo -u <username> security set-keychain-settings -l /Users/<username>/Library/Keychains/login.keychain
example:
$ sudo -u firstuser security set-keychain-settings -l /Users/firstuser/Library/Keychains/login.keychain