STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.

DISA Rule

SV-204396r603261_rule

Vulnerability Number

V-204396

Group Title

SRG-OS-000028-GPOS-00009

Rule Version

RHEL-07-010060

Severity

CAT II

CCI(s)

• CCI-000056 - The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

Weight

10

Fix Recommendation

Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.

Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:

# touch /etc/dconf/db/local.d/00-screensaver

Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines:

# Set this to true to lock the screen when the screensaver activates
lock-enabled=true

Update the system databases:

# dconf update

Users must log out and back in again before the system-wide settings take effect.

Check Contents

Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Check to see if the screen lock is enabled with the following command:

# grep -i lock-enabled /etc/dconf/db/local.d/*
lock-enabled=true

If the "lock-enabled" setting is missing or is not set to "true", this is a finding.

Vulnerability Number

V-204396

Documentable

False

Rule Version

RHEL-07-010060

Severity Override Guidance

Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Check to see if the screen lock is enabled with the following command:

# grep -i lock-enabled /etc/dconf/db/local.d/*
lock-enabled=true

If the "lock-enabled" setting is missing or is not set to "true", this is a finding.

Check Content Reference

M

Target Key

2899

Comments