Detections
Analytics
RHEL-10-700780 - RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
Information
A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. Therefore, users should not be allowed to change session settings.Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012
Solution
Configure RHEL 10 to prevent a user from overriding settings for graphical user interfaces.Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
Update the "/etc/dconf/db/local.d/locks/session" file to prevent nonprivileged users from modifying the lock-delay setting:
$ sudo vi /etc/dconf/db/local.d/locks/session
/org/gnome/desktop/screensaver/lock-delay
Run the following command to update the database:
$ sudo dconf update
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1
Category: ACCESS CONTROL
References: 800-53|AC-11(1), 800-53|AC-11a., CAT|II, CCI|CCI-000057, CCI|CCI-000060, Rule-ID|SV-281281r1166795_rule, STIG-ID|RHEL-10-700780, Vuln-ID|V-281281
Plugin: Unix
Control ID: 7c0129a97ef3a1ccf46e04464ab96f7d4ec232bd09d1e61aaa20cbcacc1c194d