The macOS system must configure user session lock when a smart token is removed.

STIG ID: APPL-14-000005  |  SRG: SRG-OS-000030-GPOS-00011 |  Severity: medium |  CCI: CCI-000058 |  Vulnerability Id: V-259421

Vulnerability Discussion

The screen lock must be configured to initiate automatically when the
smart token is removed from the system.

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity
of the information system but do not want to log out because of the temporary nature of their absence.
While a session lock is not an acceptable substitute for logging out of an information system for longer
periods of time, they prevent a malicious user from accessing the information system when a user has
removed their smart token.

Check

Verify the macOS system is configured to lock the user session when a smart token is
removed with the following command:

/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.smartcard')\
.objectForKey('tokenRemovalAction').js
EOS

If the result is not "1", this is a finding.

Fix

Configure the macOS system to lock the user session when a smart token
is removed by installing the "com.apple.security.smartcard" configuration profile.

Note: To ensure continued access to the operating system, consult the supplemental guidance provided
with the STIG before applying the configuration profile.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.