
stig-fix-1.8.3-el6.noarch.rpm #39

Open
lmeinecke opened this issue Feb 26, 2015 · 3 comments

Comments

@lmeinecke
Contributor

Just tried this rpm on a clean 6.6 workstation install. Seems good so far.

The STIG for RHEL6 says the screen saver should be set to 15mins. From gnome.sh:

    # NIST 800-53 CCE-3315-9 (row 95): Screensaver in 15 Minutes; Forced Logout in 30 Minutes
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type string \
          --set /desktop/gnome/session/max_idle_action "forced-logout"
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /desktop/gnome/session/max_idle_time 120
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /apps/gnome-screensaver/idle_delay 15

    # NIST 800-53 CCE-14604-3 (row 96)
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/gnome-screensaver/idle_activation_enabled true

    # NIST 800-53 CCE-14023-6 (row 97)
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/gnome-screensaver/lock_enabled true

The screensaver is activating after 5mins. If you open System:Preferences:Screen Saver there is a slider that is enabled. It's set to 5mins. Shouldn't this be disabled and set to 15min? What controls this?

Also the forced logout after 2hrs is painful. I was trying to find the STIG requirement driving that. Is it a NIST recommendation or a DISA STIG requirement? (http://www.stigviewer.com/stig/red_hat_enterprise_linux_6/)

Thanks Frank!
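An added audit script, not part of stig-fix or of this thread, that checks whether the mandatory GConf source actually carries the keys gnome.sh sets above. It reads the backend's XML tree directly instead of calling gconftool-2; the file location (`/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml`), the nested `dir`/`entry` layout, and the sample document are assumptions.

```python
"""Audit a GConf mandatory XML tree for the screensaver keys gnome.sh sets."""
import xml.etree.ElementTree as ET

# Key paths and values written by gnome.sh, as quoted in the issue.
EXPECTED = {
    "/desktop/gnome/session/max_idle_action": "forced-logout",
    "/desktop/gnome/session/max_idle_time": "120",
    "/apps/gnome-screensaver/idle_delay": "15",
    "/apps/gnome-screensaver/idle_activation_enabled": "true",
    "/apps/gnome-screensaver/lock_enabled": "true",
}

def load_gconf_tree(xml_text):
    """Flatten a %gconf-tree.xml document into {key path: value}.
    Assumed layout: nested <dir name=...> elements holding <entry> elements;
    int/bool entries carry a value attribute, string entries a <stringvalue> child."""
    root = ET.fromstring(xml_text)
    keys = {}
    def walk(node, prefix):
        for child in node:
            if child.tag == "dir":
                walk(child, prefix + "/" + child.get("name", ""))
            elif child.tag == "entry":
                path = prefix + "/" + child.get("name", "")
                sv = child.find("stringvalue")
                keys[path] = sv.text if sv is not None else child.get("value")
    walk(root, "")
    return keys

def audit(xml_text, expected=EXPECTED):
    """Return (key, expected, actual) for every key absent or different; actual is None when absent."""
    actual = load_gconf_tree(xml_text)
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]

# Constructed sample: idle_delay was never made mandatory and lock_enabled is off.
SAMPLE = """<?xml version="1.0"?>
<gconf>
  <dir name="desktop"><dir name="gnome"><dir name="session">
    <entry name="max_idle_action" type="string"><stringvalue>forced-logout</stringvalue></entry>
    <entry name="max_idle_time" type="int" value="120"/>
  </dir></dir></dir>
  <dir name="apps"><dir name="gnome-screensaver">
    <entry name="idle_activation_enabled" type="bool" value="true"/>
    <entry name="lock_enabled" type="bool" value="false"/>
  </dir></dir>
</gconf>"""

if __name__ == "__main__":
    for key, want, got in audit(SAMPLE):
        print(f"{key}: expected {want}, found {got}")
```

A key missing from the mandatory tree is exactly the case where the user-level slider stays enabled, so an empty audit result is the condition to look for on a hardened workstation.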

@fcaviggia
Owner

The main driver for this is if root logs into GNOME and forgets to log out - gnome-screensaver does not protect root. I'm not sure if there is a good way to deal with this other than what I've done - one way you can probably mitigate this is disabling root from login (passwd -l root) directly and only have administrative users (those belonging to wheel group assume the role of root with sudo) - you'd probably want a minimum of 2 SAs for that. Also, if your DAO accepts the risk please adjust this to what you can agree upon.

The nice thing about bash is the flexibility and ease that it brings to modify the code.

@shawndwells
Contributor

On 2/27/15 8:46 AM, Frank Caviggia wrote:

The main driver for this is if root logs into GNOME and forgets to log
out - gnome-screensaver does not protect root. I'm not sure if there
is a good way to deal with this other than what I've done - one way
you can probably mitigate this is disabling root from login (passwd -l
root) directly and only have administrative users (those belonging to
wheel group assume the role of root with sudo) - you'd probably want a
minimum of 2 SAs for that. Also, if your DAO accepts the risk please
adjust this to what you can agree upon.

Note the STIG already prevents direct root login (of any means), so this
specific hardening is not related to a specific US Gov requirement.

@lmeinecke
Contributor Author

stig-fix is disabling root logins over ssh. It does not prevent root from logging into gnome at the console.

The issue I'm bringing up is that a non-privileged account is going to screen saver after 5mins not 15mins. It appears the user can also up this to 2hrs since the slider is enabled in the screen saver GUI.
