Secure individual keychains and items

Details

By default, the keychain for an account, especially a local account, has the same password as the account’s login password. The keychain password can be changed to something different from the login password; doing so keeps that keychain locked after login until it is actually needed. This is especially important when a smartcard is used for console login: with a smartcard, the default behavior makes the card PIN serve as the login password, and a keychain needs to be protected by more than a PIN to be secure. Individual keychain entries can also be given special ACLs to increase security.

Rationale:

Each keychain entry can have different access controls. It’s possible to set a keychain item to require the keychain password every time the item is accessed, even while the keychain is unlocked. This level of security could be useful for bank passwords or other passwords that need extra protection.

Impact:

Having to enter the keychain password for each access could become inconvenient and/or tedious for users.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open Utilities

Select Keychain Access

Double-click keychain

Select Access Control

Check box next to ‘Ask for Keychain Password’
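The keychain-level half of this control (a keychain password that differs from the login password, plus automatic locking) can also be audited and applied from the command line with the macOS `security` tool; the per-item "Ask for Keychain Password" ACL still has to be set in Keychain Access as described above. The script below is an added example, not part of the benchmark; it assumes macOS with `security` in PATH, the default login keychain path, and the `show-keychain-info` output format shown in the comments.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and harden the login keychain.
# Assumes macOS `security` and output lines such as
#   Keychain "<NULL>" lock-on-sleep timeout=300s   (auto-lock configured)
#   Keychain "<NULL>" no-timeout                   (never locks on its own)

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# parse_keychain_info: read `security show-keychain-info` output on stdin and
# print "ok" when the keychain locks on sleep or after a timeout, else "weak".
parse_keychain_info() {
    line=$(head -n 1)
    case "$line" in
        *lock-on-sleep*|*timeout=*) echo "ok" ;;
        *)                          echo "weak" ;;
    esac
}

# audit_login_keychain: report whether the login keychain auto-locks.
audit_login_keychain() {
    security show-keychain-info "$LOGIN_KEYCHAIN" 2>/dev/null | parse_keychain_info
}

# harden_login_keychain: lock on sleep and after 300s idle, then change the
# keychain password. With no -p/-o flags, set-keychain-password prompts
# interactively, so the new password never lands in shell history. Once it
# differs from the login password, the keychain stays locked until needed.
harden_login_keychain() {
    security set-keychain-settings -l -u -t 300 "$LOGIN_KEYCHAIN" || return 1
    security set-keychain-password "$LOGIN_KEYCHAIN"
}

# Constructed sample outputs so the parser can be exercised without macOS.
SAMPLE_OK='Keychain "<NULL>" lock-on-sleep timeout=300s'
SAMPLE_WEAK='Keychain "<NULL>" no-timeout'

case "${1:-}" in
    audit)  audit_login_keychain ;;
    harden) harden_login_keychain ;;
    *)      printf '%s\n' "$SAMPLE_OK"   | parse_keychain_info
            printf '%s\n' "$SAMPLE_WEAK" | parse_keychain_info ;;
esac
```

Run with `audit` to check the current setting and `harden` to apply it; a result of `weak` means the login keychain is unlocked for the whole session once the user logs in.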

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.


Updated on July 16, 2022