OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

STIG ID: OL09-00-002106  |  SRG: SRG-OS-000031-GPOS-00012 |  Severity: medium |  CCI: CCI-000060 |  Vulnerability Id: V-271676

Vulnerability Discussion

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Check

This requirement assumes the use of the OL 9 default graphical user interface—the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify that OL 9 configures the screensaver to be blank with the following command:

$ gsettings get org.gnome.desktop.screensaver picture-uri

If properly configured, the output should be "''".

To ensure that users cannot set the screensaver background, run the following:

$ grep picture-uri /etc/dconf/db/local.d/locks/*

If properly configured, the output should be "/org/gnome/desktop/screensaver/picture-uri".

If it is not set or configured properly, this is a finding.

Fix

Configure OL 9 to conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The dconf settings can be edited in the /etc/dconf/db/* location.

Add or update the [org/gnome/desktop/screensaver] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines:

[org/gnome/desktop/screensaver]
picture-uri=''

Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification:

/org/gnome/desktop/screensaver/picture-uri

Update the dconf system databases:

$ sudo dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.