STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The system must require users to re-authenticate to unlock a graphical desktop environment.

DISA Rule

SV-216101r603268_rule

Vulnerability Number

V-216101

Group Title

SRG-OS-000028

Rule Version

SOL-11.1-040170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Edit the global screensaver configuration file to ensure a 15-minute screen lock.

# pfedit /usr/share/X11/app-defaults/XScreenSaver

Find the timeout control lines and change them to read:

*timeout: 0:15:00
*lockTimeout: 0:00:05
*lock: True

For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.

# pfedit $HOME/.xscreensaver

Find the timeout control lines and change them to read:

timeout: 0:15:00
lockTimeout: 0:00:05
lock: True

Check Contents

If the system is not running XWindows, this check does not apply.

Determine if the screen saver timeout is configured properly.

# grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*timeout: 0:15:00
or a shorter time interval, this is a finding.

# grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*lockTimeout: 0:00:05
or a shorter time interval, this is a finding.

# grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*lock: True
this is a finding.

For each existing user, check the configuration of their personal .xscreensaver file.

# grep "^timeout:" $HOME/.xscreensaver

If the output is not:
timeout: 0:15:00
or a shorter time interval, this is a finding.

# grep "^lockTimeout:" $HOME/.xscreensaver

If the output is not:
lockTimeout: 0:00:05
or a shorter time interval, this is a finding.

# grep "^lock:" $HOME/.xscreensaver

If the output is not:
lock: True
this is a finding.
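
The checks above combined into one script, as an added example that is not part of the STIG or of STIGQter. The function names and the constructed sample files are assumptions for illustration. The script converts H:MM:SS to seconds so that "or a shorter time interval" is evaluated numerically, and it treats a missing file or a missing line as a finding, following the check text literally.

```shell
#!/bin/sh
# Added example (not from the STIG): audit one XScreenSaver resource file.
# Usage: audit_xscreensaver FILE PREFIX
#   PREFIX is "*" for the global app-defaults file, "" for a user's .xscreensaver.

to_seconds() {   # H:MM:SS -> seconds; prints nothing if malformed or over-long
    printf '%s\n' "$1" | awk -F: \
        'length($0) <= 8 && /^[0-9]+:[0-9]+:[0-9]+$/ { print $1*3600 + $2*60 + $3 }'
}

get_value() {    # FILE KEY -> value on the first line that starts with "KEY:"
    awk -v k="$2:" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }' "$1"
}

audit_xscreensaver() {   # prints one FINDING line per problem; status 0 = compliant
    file=$1; prefix=$2; findings=0
    [ -r "$file" ] || { echo "FINDING: $file: missing or unreadable"; return 1; }
    # Limits from the rule: timeout 0:15:00 (900 s), lockTimeout 0:00:05 (5 s).
    for spec in timeout=900 lockTimeout=5; do
        key=${spec%%=*}; max=${spec##*=}
        val=$(get_value "$file" "$prefix$key"); secs=$(to_seconds "$val")
        if [ -z "$secs" ] || [ "$secs" -gt "$max" ]; then
            echo "FINDING: $file: $prefix$key is '${val:-unset}' (limit ${max}s)"
            findings=$((findings + 1))
        fi
    done
    val=$(get_value "$file" "${prefix}lock")
    if [ "$val" != "True" ]; then
        echo "FINDING: $file: ${prefix}lock is '${val:-unset}' (must be True)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files standing in for the global and per-user configs.
demo=$(mktemp -d)
printf '*timeout:\t0:10:00\n*lockTimeout:\t0:00:05\n*lock:\tTrue\n' > "$demo/global_ok"
printf 'timeout: 0:30:00\nlockTimeout: 0:00:05\nlock: False\n' > "$demo/user_bad"
audit_xscreensaver "$demo/global_ok" '*' && echo "global_ok: compliant"
audit_xscreensaver "$demo/user_bad" '' || echo "user_bad: not compliant"
```

On a live system, call the function once with /usr/share/X11/app-defaults/XScreenSaver and the "*" prefix, then once per user home directory with an empty prefix.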

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments