RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated.

STIG ID: RHEL-10-700770  |  SRG: SRG-OS-000029-GPOS-00010 |  Severity: medium (CAT II)  |  CCI: CCI-000057,CCI-000060 |  Vulnerability Id: V-281280

Vulnerability Discussion

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012

Check

Note: This requirement assumes the use of the RHEL 10 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is not applicable.

Verify RHEL 10 initiates a session lock for graphical user interfaces when the screensaver is activated with the following command:

$ gsettings get org.gnome.desktop.screensaver lock-delay
uint32 5

If the "uint32" setting is not set to "5" or less, or is missing, this is a finding.

Fix

Configure RHEL 10 to initiate a session lock for graphical user interfaces when a screensaver is activated.

Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.

Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command:

$ sudo vi /etc/dconf/db/local.d/00-screensaver

[org/gnome/desktop/screensaver]
lock-delay=uint32 5

The "uint32" must be included along with the integer key values as shown.

Update the system databases:

$ sudo dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.