OL 8 must enable a user session lock until that user reestablishes access using established identification and authentication procedures for graphical user sessions.

STIG ID: OL08-00-020030  |  SRG: SRG-OS-000028-GPOS-00009 |  Severity: medium |  CCI: CCI-000056,CCI-000058 |  Vulnerability Id: V-248671 | 

Vulnerability Discussion

To establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".

Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011

Check

Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify the operating system enables a user's session lock until that user reestablishes access using established identification and authentication procedures with the following command:

$ sudo gsettings get org.gnome.desktop.screensaver lock-enabled

true

If the setting is "false", this is a finding.

Fix

Configure OL 8 to enable a user's session lock until that user reestablishes access using established identification and authentication procedures.

Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:

$ sudo vi /etc/dconf/db/local.d/00-screensaver

Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines:

# Set this to true to lock the screen when the screensaver activates
lock-enabled=true

Update the system databases:

$ sudo dconf update