UCF STIG Viewer Logo

Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and must require users to re-authenticate to unlock the environment.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4083 GEN000500 SV-38416r1_rule PESL-1 Medium
Description
If graphical desktop sessions do not lock the session after 15 minutes of inactivity, requiring re-authentication to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight. This requirement applies to graphical desktop environments provided by the system to locally attached displays and input devices as well as to graphical desktop environments provided to remote systems, including thin clients.
STIG Date
HP-UX 11.23 Security Technical Implementation Guide 2015-12-02

Details

Check Text ( C-36256r1_chk )
Examine the dtsession timeout variable setting.

# cat /etc/dt/config/C/sys.resources | grep -i dtsession | grep -i lockTimeout

If the dtsession timeout is higher than 15, commented or does not exist, this is a finding.
Fix Text (F-31513r1_fix)
Configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 15 minutes of inactive time, enter the following commands (ensure to NOT overwrite an existing file):

# cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources

Locate and add/uncomment/change the line to N=15
dtsession*lockTimeout:
dtsession*lockTimeout: 15

Log out of CDE and log back in to verify the timeout is in effect.