Check: GEN000500
HP-UX 11.31 STIG:
GEN000500
(in versions v1 r19 through v1 r14)
Title
Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and must require users to re-authenticate to unlock the environment. (Cat II impact)
Discussion
If graphical desktop sessions do not lock the session after 15 minutes of inactivity, requiring re-authentication to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight. This requirement applies to graphical desktop environments provided by the system to locally attached displays and input devices as well as to graphical desktop environments provided to remote systems, including thin clients.
Check Content
If a graphical desktop environment is not installed on the system, this is not applicable. Examine the dtsession timeout variable setting. # cat /etc/dt/config/C/sys.resources | grep -i dtsession | grep -i lockTimeout If the dtsession timeout is higher than 15, commented or does not exist, this is a finding.
Fix Text
Configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 15 minutes of inactive time, enter the following commands (ensure to NOT overwrite an existing file): # cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources # vi /etc/dt/config/C/sys.resources Locate and add/uncomment/change the line to N=15 dtsession*lockTimeout: <N> dtsession*lockTimeout: 15 Log out of CDE and log back in to verify the timeout is in effect.
Additional Identifiers
Rule ID: SV-38416r2_rule
Vulnerability ID: V-4083
Group Title: GEN000500
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000057 |
The information system initiates a session lock after the organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |