The OS X system must be configured to disable hot corners.

From Apple OS X 10.12 Security Technical Implementation Guide

Part of SRG-OS-000031-GPOS-00012

Associated with: CCI-000060

SV-90635r1_rule The OS X system must be configured to disable hot corners.

Vulnerability discussion

Although hot comers can be used to initiate a session lock or launch useful applications, they can also be configured to disable an automatic session lock from initiating. Such a configuration introduces the risk that a user might forget to manually lock the screen before stepping away from the computer.A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

Check content

To check if the system is configured to disable hot corners, run the following commands: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous-bl-corner = 0;" /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous-tl-corner = 0;" /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous-br-corner = 0;" /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep "wvous-tr-corner = 0;" If any of the commands returns no result, this is a finding.

Fix text

This setting is enforced using the "Custom Policy" configuration profile.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer