STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.

DISA Rule

SV-204404r603261_rule

Vulnerability Number

V-204404

Group Title

SRG-OS-000029-GPOS-00010

Rule Version

RHEL-07-010110

Severity

CAT II

CCI(s)

• CCI-000057 - The information system initiates a session lock after the organization-defined time period of inactivity.

Weight

10

Fix Recommendation

Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.

Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:

# touch /etc/dconf/db/local.d/00-screensaver

Add the setting to enable session locking when a screensaver is activated:

[org/gnome/desktop/screensaver]
lock-delay=uint32 5

The "uint32" must be included along with the integer key values as shown.

Update the system databases:

# dconf update

Users must log out and back in again before the system-wide settings take effect.

Check Contents

Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.

Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.

If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:

# grep -i lock-delay /etc/dconf/db/local.d/*
lock-delay=uint32 5

If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.

Vulnerability Number

V-204404

Documentable

False

Rule Version

RHEL-07-010110

Severity Override Guidance

Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated.

Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.

If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:

# grep -i lock-delay /etc/dconf/db/local.d/*
lock-delay=uint32 5

If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.

Check Content Reference

M

Target Key

2899

Comments