Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216337	SOL-11.1-040180	SV-216337r958402_rule		Medium

Description
Allowing access to a graphical environment when the user is not attending the system can allow unauthorized users access to the system.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-17573r371099_chk )
If the system is not running XWindows, this check does not apply. Determine if the screen saver timeout is configured properly. # grep "^\timeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: timeout: 0:15:00 this is a finding. # grep "^\lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: lockTimeout: 0:00:05 this is a finding. # grep "^\lock:" /usr/share/X11/app-defaults/XScreenSaver If the output is not: lock: True this is a finding. For each existing user, check the configuration of their personal .xscreensaver file. # grep "^lock:" $HOME/.xscreensaver If the output is not: lock: True this is a finding. grep "^lockTimeout:" $HOME/.xscreensaver If the output is not: lockTimeout: 0:00:05 this is a finding.

Check Text ( C-17573r371099_chk )

If the system is not running XWindows, this check does not apply.

Determine if the screen saver timeout is configured properly.

# grep "^\*timeout:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*timeout: 0:15:00
this is a finding.

# grep "^\*lockTimeout:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*lockTimeout: 0:00:05
this is a finding.

# grep "^\*lock:" /usr/share/X11/app-defaults/XScreenSaver

If the output is not:
*lock: True
this is a finding.

For each existing user, check the configuration of their personal .xscreensaver file.
# grep "^lock:" $HOME/.xscreensaver

If the output is not:
*lock: True
this is a finding.

grep "^lockTimeout:" $HOME/.xscreensaver
If the output is not:
*lockTimeout: 0:00:05
this is a finding.

Fix Text (F-17571r371100_fix)
The root role is required. Edit the global screensaver configuration file to ensure 15 minute screen lock. # pfedit /usr/share/X11/app-defaults/XScreenSaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 *lock: True For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values. # pfedit $HOME/.xscreensaver Find the timeout control lines and change them to read: timeout: 0:15:00 lockTimeout:0:00:05 lock: True

Fix Text (F-17571r371100_fix)

The root role is required.

Edit the global screensaver configuration file to ensure 15 minute screen lock.

# pfedit /usr/share/X11/app-defaults/XScreenSaver

Find the timeout control lines and change them to read:

*timeout: 0:15:00
*lockTimeout:0:00:05
*lock: True

For each user on the system, edit their local $HOME/.xscreensaver file and change the timeout values.

# pfedit $HOME/.xscreensaver

Find the timeout control lines and change them to read:

timeout: 0:15:00
lockTimeout:0:00:05
lock: True