5.11 Disable ability to login to another user's active and locked session

Information

Disabling the ability of administrators and/or users to log in to another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Solution

Perform the following to implement the prescribed state:
sudo vi /etc/pam.d/screensaver
Locate 'account required pam_group.so no_warn group=admin,wheel fail_safe'
Remove 'admin,'
Save
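
The steps above can be checked and rehearsed on a copy of the file before editing the real one. The script below is an added example, not part of the benchmark or the plugin: the function names, the sample file contents (other than the pam_group line quoted above) and the choice to treat a file with no pam_group.so line as compliant are assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and fix the pam_group line.
# Both functions take the file path as $1 so they can be run on a copy first.

# Exit 0 when no active "account ... pam_group.so" line lists admin in group=.
# Assumption: a file with no pam_group.so line is reported as compliant.
screensaver_is_compliant() {
    ! grep -E '^[[:space:]]*account[[:space:]].*pam_group\.so' "$1" |
        grep -Eq 'group=([^[:space:]]*,)?admin(,|[[:space:]]|$)'
}

# Print the file with 'admin,' removed from group= on pam_group.so account
# lines, matching the "Remove 'admin,'" step. Other lines pass through as-is.
strip_admin_group() {
    sed -E '/^[[:space:]]*account[[:space:]].*pam_group\.so/ s/(group=([^[:space:]]*,)?)admin,/\1/' "$1"
}

# Constructed sample: only the pam_group line is taken from the page.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/screensaver" <<'EOF'
# screensaver: constructed sample for illustration
auth required pam_permit.so
account required pam_group.so no_warn group=admin,wheel fail_safe
EOF
    screensaver_is_compliant "$work/screensaver" ||
        echo "before: admin group can unlock (non-compliant)"
    strip_admin_group "$work/screensaver" > "$work/screensaver.new"
    screensaver_is_compliant "$work/screensaver.new" && echo "after:  compliant"
    grep pam_group "$work/screensaver.new"
    rm -rf "$work"
}

demo
```

Run screensaver_is_compliant against /etc/pam.d/screensaver to audit a host; commented-out lines and group names that merely contain "admin" are not flagged.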

See Also

https://workbench.cisecurity.org/files/301

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-10

Plugin: Unix

Control ID: 6098d9eaecc294aa7905fab684d887f262b3eb4f09505d1f386f73d6c01a422c