RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

STIG ID: RHEL-09-271085  |  SRG: SRG-OS-000031-GPOS-00012 | Severity: medium |  CCI: CCI-000060

Vulnerability Discussion

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Check

To ensure the screensaver is configured to be blank, run the following command:

Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

$ gsettings get org.gnome.desktop.screensaver picture-uri

If properly configured, the output should be "''".

To ensure that users cannot set the screensaver background, run the following:

$ grep picture-uri /etc/dconf/db/local.d/locks/*

If properly configured, the output should be "/org/gnome/desktop/screensaver/picture-uri".

If it is not set or configured properly, this is a finding.

Fix

The dconf settings can be edited in the /etc/dconf/db/* location.

First, add or update the [org/gnome/desktop/screensaver] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines:

[org/gnome/desktop/screensaver]
picture-uri=''

Then, add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification:

/org/gnome/desktop/screensaver/picture-uri

Finally, update the dconf system databases:

$ sudo dconf update
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.