2.3.2 Ensure Screen Saver Corners Are Secure

Information

Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen.

Rationale:

Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system.

Solution

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.dock

The key to include is Forced

The key must be set to the following, where <!=6> stands for any integer value other than 6 (6 is the Disable Screen Saver action):

<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>wvous-bl-corner</key>
<integer><!=6></integer>
<key>wvous-br-corner</key>
<integer><!=6></integer>
<key>wvous-tl-corner</key>
<integer><!=6></integer>
<key>wvous-tr-corner</key>
<integer><!=6></integer>
</dict>
</dict>
</array>

Additional Information:

To verify individual users:

Audit:

Graphical Method:

Perform the following steps to ensure that a Hot Corner is not set to Disable Screen Saver:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select Hot Corners... and verify that Disable Screen Saver is not enabled

or

Open System Preferences

Select Profiles

Verify that an installed profile has <wvous-tl-corner>, <wvous-bl-corner>, <wvous-tr-corner>, and <wvous-br-corner> not set to 6

Terminal Method:

For all users, run the following commands to verify that Disable Screen Saver is not set as a Hot Corner:

$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-tl-corner

$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-bl-corner

$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-tr-corner

$ /usr/bin/sudo -u <username> /usr/bin/defaults read com.apple.dock wvous-br-corner

Verify that none of the outputs is the value 6. Any other number, or an output that includes "does not exist" (the key was never set), is compliant.

example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tl-corner

10

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-bl-corner

2020-07-31 14:32:29.018 defaults[39521:1276494] The domain/default pair of (com.apple.dock, wvous-bl-corner) does not exist

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tr-corner

2020-07-31 14:32:32.403 defaults[39523:1276515] The domain/default pair of (com.apple.dock, wvous-tr-corner) does not exist

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-br-corner

2020-07-31 14:32:36.045 defaults[39525:1276529] The domain/default pair of (com.apple.dock, wvous-br-corner) does not exist
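The terminal method above, wrapped into a script that audits all four corners for every local account, is added here as an example and is not part of the CIS benchmark. It assumes macOS `defaults` and `dscl`, that `sudo -u` may read each user's com.apple.dock domain, and that accounts with a UID below 500 are service accounts to skip.

```shell
#!/bin/sh
# Added audit helper for CIS 2.3.2 (not part of the CIS benchmark).
# Assumes macOS `defaults`/`dscl`; run it as an administrator.

CORNERS="wvous-tl-corner wvous-bl-corner wvous-tr-corner wvous-br-corner"
DISABLE_SCREEN_SAVER=6   # hot-corner action value the benchmark flags

# Read one corner for one user. stderr is merged because `defaults`
# prints "does not exist" there when the key was never set.
read_corner() {
  /usr/bin/sudo -u "$1" /usr/bin/defaults read com.apple.dock "$2" 2>&1
}

# Returns 0 (compliant) unless the output is exactly the value 6.
# An unset key ("does not exist") is compliant, as the benchmark states.
corner_is_compliant() {
  case "$1" in
    *"does not exist"*) return 0 ;;
  esac
  value=$(printf '%s' "$1" | tr -d '[:space:]')
  [ "$value" != "$DISABLE_SCREEN_SAVER" ]
}

# Check all four corners for one user; returns 1 if any corner fails.
audit_user() {
  user="$1"; status=0
  for corner in $CORNERS; do
    output=$(read_corner "$user" "$corner") || true  # missing key exits non-zero
    if corner_is_compliant "$output"; then
      printf '%s %s: compliant\n' "$user" "$corner"
    else
      printf '%s %s: NON-COMPLIANT (Disable Screen Saver)\n' "$user" "$corner"
      status=1
    fi
  done
  return $status
}

# Local accounts with UID >= 500 (assumption: service accounts sit below 500).
list_users() {
  /usr/bin/dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

audit_all_users() {
  overall=0
  for u in $(list_users); do
    audit_user "$u" || overall=1
  done
  return $overall
}

if [ "${1:-}" = "--run" ]; then audit_all_users; fi
```

Invoke it as `sh audit-hot-corners.sh --run`; a non-zero exit status means at least one corner of one user is set to Disable Screen Saver.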

Remediation:

Graphical Method:

Perform the following steps to disable a Hot Corner set to Disable Screen Saver:

Open System Preferences

Select Desktop & Screen Saver

Select Screen Saver

Select Hot Corners... and set any corner that is set to Disable Screen Saver to another setting that corresponds to your organization's requirements

Terminal Method:

Run the following command to turn off Disable Screen Saver for a Hot Corner:

$ /usr/bin/sudo -u <username> /usr/bin/defaults write com.apple.dock <corner that is set to '6'> -int 0

example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults write com.apple.dock wvous-tl-corner -int 0

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read com.apple.dock wvous-tl-corner

0

See Also

https://workbench.cisecurity.org/benchmarks/14563