Check: OSX00200 M6
MACOSX 10.6: OSX00200 M6 (in version v1 r3)
Title
The ability for administrative accounts to unlock screen saver must be disabled. (Cat II impact)
Discussion
The default setting creates a possible point of attack: the more users there are in the admin group, the more the system depends on those users to protect their user names and passwords. By changing the rule in "system.login.screensaver" to "authenticate-session-owner", users of the admin group cannot unlock the screen saver.
Check Content
Open a terminal session and enter the following command.

more /etc/authorization

Ensure the "system.login.screensaver" key includes the value "authenticate-session-owner". If not, this is a finding.
Fix Text
Open a terminal session and edit the following file.

/etc/authorization

Change "authenticate-session-owner-or-admin" to "authenticate-session-owner" in the "system.login.screensaver" key. Save the file.
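The check above can be scripted. The following is an added example, not part of the STIG text: it parses the property list and compares the rule exactly, because the default value "authenticate-session-owner-or-admin" contains the required value as a substring and a plain text search would pass it. The sample plist is constructed, and the layout (the right under a top-level `rights` dictionary with a `rule` string) is an assumption about the file.

```python
import plistlib

RIGHT = "system.login.screensaver"
REQUIRED = "authenticate-session-owner"

# Constructed sample: the relevant part of /etc/authorization with the default rule.
SAMPLE_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""
# Constructed sample after the Fix Text has been applied.
SAMPLE_FIXED = SAMPLE_DEFAULT.replace(b"-or-admin", b"")


def screensaver_rule(plist_bytes):
    """Return the rule(s) of the screensaver right as a list of stripped strings."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    rule = rights.get(RIGHT, {}).get("rule")
    if rule is None:
        return []  # right or rule missing: nothing to compare, treated as a finding
    rules = [rule] if isinstance(rule, str) else list(rule)
    return [r.strip() for r in rules]


def is_finding(plist_bytes):
    """Finding unless the rule is exactly the required value (no substring match)."""
    return screensaver_rule(plist_bytes) != [REQUIRED]


if __name__ == "__main__":
    for name, data in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(name, screensaver_rule(data), "finding" if is_finding(data) else "ok")
```

To audit a real system, pass the bytes read from /etc/authorization to `is_finding` instead of the samples.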
Additional Identifiers
Rule ID: SV-37214r1_rule
Vulnerability ID: V-25280
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |