Title

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and must require users to re-authenticate to unlock the environment. (Cat II impact)

Discussion

If graphical desktop sessions do not lock the session after 15 minutes of inactivity, requiring re-authentication to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight. This requirement applies to graphical desktop environments provided by the system to locally attached displays and input devices as well as to graphical desktop environments provided to remote systems, including thin clients.

Check Content

If a graphical desktop environment is not installed on the system, this is not applicable. Examine the dtsession timeout variable setting. # cat /etc/dt/config/C/sys.resources | grep -i dtsession | grep -i lockTimeout If the dtsession timeout is higher than 15, commented or does not exist, this is a finding.

Fix Text

Configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 15 minutes of inactive time, enter the following commands (ensure to NOT overwrite an existing file): # cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources # vi /etc/dt/config/C/sys.resources Locate and add/uncomment/change the line to N=15 dtsession*lockTimeout: <N> dtsession*lockTimeout: 15 Log out of CDE and log back in to verify the timeout is in effect.

Additional Identifiers

Rule ID: SV-38416r2_rule

Vulnerability ID: V-4083

Group Title: GEN000500

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.