Check: SOL-11.1-040170
Solaris 11 x86 STIG:
SOL-11.1-040170
(in versions v2 r10 through v1 r10)
Title
The system must require users to re-authenticate to unlock a graphical desktop environment. (Cat II impact)
Discussion
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.
Check Content
If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: *lock: True this is a finding. For each existing user, check the configuring of their personal .xscreensaver file. # grep "^timeout:" $HOME/.xscreensaver If the output is not: timeout: 0:15:00 or a shorter time interval, this is a finding. # grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: lockTimeout: 0:00:05 or a shorter time interval, this is a finding. # grep "^lock:" $HOME/.xscreensaver If the output is not: lock: True this is a finding.
Fix Text
The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: *timeout: 0:15:00 *lockTimeout: 0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout: 0:00:05 lock: True
Additional Identifiers
Rule ID: SV-216101r603268_rule
Vulnerability ID: V-216101
Group Title: SRG-OS-000028
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000056 |
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. |
Controls
Number | Title |
---|---|
AC-11 |
Session Lock |