GEN000500 - Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment - user lock

Information

If graphical desktop sessions do not lock the session after 15 minutes of inactivity, requiring re-authentication to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight. This requirement applies to graphical desktop environments provided by the system to locally attached displays and input devices as well as to graphical desktop environments provided to remote systems, including thin clients.

Solution

Configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 15 minutes of inactive time, enter the following commands (be sure NOT to overwrite an existing file).
#
cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources

Locate and add/uncomment/change the line to N=15.
dtsession*lockTimeout: <N>
dtsession*lockTimeout: 15

Log out of CDE and log back in to verify that the timeout is in effect.

The timeout parameter in /usr/openwin/lib/app-defaults/XScreenSaver and all users' .xscreensaver files should also be confirmed to be uncommented and set to 0:15:00.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_10_x86_V2R4_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11a., CAT|II, CCI|CCI-000057, Rule-ID|SV-220076r603266_rule, STIG-ID|GEN000500, STIG-Legacy|SV-39814, STIG-Legacy|V-4083, Vuln-ID|V-220076

Plugin: Unix

Control ID: e5e3521c3784fc37b178ce26469c71649c25f568d3a2f8b9f60f291034936ae1