AlmaLinux OS 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

STIG ID: ALMA-09-001340  |  SRG: SRG-OS-000031-GPOS-00012 |  Severity: medium |  CCI: CCI-000060 |  Vulnerability Id: V-269105

Vulnerability Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.

The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed.

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

Check

Note: This requirement assumes the use of the AlmaLinux OS 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify AlmaLinux OS 9 prevents a user from overriding settings for graphical user interfaces.

Determine which profile the system database is using with the following command:

$ grep system-db /etc/dconf/profile/user

system-db:local

Check that graphical settings are locked from nonprivileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ grep -i idle /etc/dconf/db/local.d/locks/*

/org/gnome/desktop/session/idle-delay

If the command does not return at least the example result, this is a finding.

Fix

Configure AlmaLinux OS 9 to prevent a user from overriding settings for graphical user interfaces.

Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command:

Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.

$ touch /etc/dconf/db/local.d/locks/session

Add the following setting to prevent nonprivileged users from modifying it:

/org/gnome/desktop/session/idle-delay

Update the system databases:

$ dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.