An error occurred:

Check: SLES-12-010611

SLES 12 STIG: SLES-12-010611 (in versions v3 r2 through v2 r3)

Title

The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. (Cat I impact)

Discussion

A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Check Content

Note: If a graphical user interface is not installed, this requirement is Not Applicable. Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed in the graphical user interface. Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete sequence in the graphical user interface with the following command: Check the default logout key sequence: > sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout '' Check that the value is not writable and cannot be changed by the user: > sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout false If the logout value is not [''] and the writable status is not false, this is a finding.

Fix Text

Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. Create a database to contain the system-wide setting (if it does not already exist) with the following steps: 1. Create a user profile and with the listed content: /etc/dconf/profile/user user-db:user system-db:local 2. Create the following directories: > sudo mkdir -p /etc/dconf/db/local.d/ > sudo mkdir -p /etc/dconf/db/local.d/locks/ 3. Add the following files with the listed content: /etc/dconf/db/local.d/01-fips-settings [org/gnome/settings-daemon/plugins/media-keys] logout='' /etc/dconf/db/local.d/locks/01-fips-locks /org/gnome/settings-daemon/plugins/media-keys/logout 4. Update the dconf database: > sudo dconf update

Additional Identifiers

Rule ID: SV-217160r991589_rule

Vulnerability ID: V-217160

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings