AlmaLinux OS 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

STIG ID: ALMA-09-001230  |  SRG: SRG-OS-000031-GPOS-00012 |  Severity: medium |  CCI: CCI-000060 |  Vulnerability Id: V-269104

Vulnerability Discussion

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Check

Note: This requirement assumes the use of the AlmaLinux OS 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

To ensure the screensaver is configured to be blank, run the following command:

$ gsettings get org.gnome.desktop.screensaver picture-uri

If properly configured, the output should be "''".

To ensure that users cannot set the screensaver background, run the following:

$ grep picture-uri /etc/dconf/db/local.d/locks/*

If properly configured, the output should be "/org/gnome/desktop/screensaver/picture-uri".

If it is not set or configured properly, this is a finding.

Fix

Configure AlmaLinux OS 9 to prevent a user from overriding the picture-uri setting for graphical user interfaces.

First, in the file "/etc/dconf/db/local.d/00-security-settings" add or update the following lines:

[org/gnome/desktop/screensaver]
picture-uri=''

Then, prevent user modification by adding the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock":

/org/gnome/desktop/screensaver/picture-uri

Update the dconf system databases:

$ dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.