Xfce Forum


#1 2015-11-12 22:01:35

holmez
Member
Registered: 2015-11-12
Posts: 4

Screensaver/lock & DISA STIGs

Hi everyone,

I've been trying to implement the appropriate screensaver/lock settings per DISA STIGs for 30+ systems. They all have CentOS 6.7, Xfce 4.8 on KDM and are not connected to the Internet. We're trying to use xautolock and xlock (not gnome or xscreensaver). If you're not familiar with the STIGs, they require that the Xsession auto-lock after x minutes of inactivity. So far, I've tried using /etc/X11/xdm/Xsession and /etc/X11/xdm/Xsetup_0 config files to create background xautolock processes and it's not ideal. I've also tried using xfce-settings-editor with little luck. Does anyone have a foolproof method? It can't be capable of being bypassed by the user. xlockmore and xautolock rpms are already installed and /usr/bin/xflock4 has been modified to call xlock and not gnome or xscreensaver when CTL-ALT-DEL is pressed.

Thanks,

John


#2 2015-11-13 00:30:01

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 11,015

Re: Screensaver/lock & DISA STIGs

Out of curiosity, why is the setup you have (xautolock+xlock) not ideal? What is not working properly or to your satisfaction?


Please remember to mark your thread [SOLVED] to make it easier for others to find
--- How To Ask For Help | FAQ | Developer Wiki  |  Community | Contribute ---


#3 2015-11-13 15:27:58

holmez
Member
Registered: 2015-11-12
Posts: 4

Re: Screensaver/lock & DISA STIGs

Thanks for the response. Actually, we prefer xlock and xautolock due to some NVIDIA issues we're having with some of the xscreensavers. The main concerns are:

1. I need to centrally manage via spacewalk and distribute the config files to enable auto screen lock on all systems. Since it's a security requirement, we can't rely on the non-privileged user to enable/disable this functionality. What is the simplest way to implement a centrally managed solution?

2. If it runs as any user other than the session owner, they can't break the screen lock with their password e.g. if it is running as root or nobody. If it is run as the session owner, it can be killed. This is a security problem.

We previously used KDE3.x which had a nice kiosk mode to configure these items and that was removed in KDE4.


#4 2015-11-13 19:41:25

holmez
Member
Registered: 2015-11-12
Posts: 4

Re: Screensaver/lock & DISA STIGs

Ok. I've worked with this some today. I added properties to my xfce4-session.xml for screensaver xlock and enabled true. I run the xfconf commands in /etc/xdg/xfce4/xinitrc manually and it outputs xlock and true as desired. I modded xscreensaver and gnome parameters in /etc/xdg/xfce4/xinitrc to invoke my xautolock string. After restarting my X session, I see my xautolock process. Now, I need to add it to the top level xfce-session.xml and lock with the kiosk properties. I'm still concerned that a user can defeat this by killing the process as they are the owner. Any suggestions?


#5 2015-11-13 20:17:17

ToZ
Administrator
From: Canada
Registered: 2011-06-02
Posts: 11,015

Re: Screensaver/lock & DISA STIGs

holmez wrote:

I'm still concerned that a user can defeat this by killing the process as they are the owner. Any suggestions?

How about home-brewing a script that runs as root and periodically checks each active user account to ensure that the screensaver is running and properly configured? If not, it corrects it.



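The root-run check suggested in post #5, sketched as an added example; it is not code from any poster in this thread. Assumptions: a 10-minute limit, `xlock -mode blank` as the locker, local X sessions appearing in `who` with a tty field such as `:0`, and the session's X cookie being in the user's `~/.Xauthority`.

```shell
#!/bin/bash
# Added example: root-run watchdog for the xautolock/xlock setup in this thread.
LOCK_MINUTES=10                       # assumed idle limit; set to your site's value
LOCKER="/usr/bin/xlock -mode blank"   # assumed locker command line

# Read `who`-style lines on stdin; print "user display" for each local X session
# (assumption: the display manager registers the session with a tty like ":0").
x_sessions() {
    awk '$2 ~ /^:[0-9]+(\.[0-9]+)?$/ { print $1, $2 }' | sort -u
}

# True if the user owns a running xautolock process.
# This is a per-user check, so one X session per user is assumed.
has_autolock() {
    pgrep -u "$1" -x xautolock >/dev/null 2>&1
}

# Read "user display" pairs on stdin; print the pairs that lack xautolock.
# $1 optionally names the check function so the logic can be exercised offline.
missing_autolock() {
    local check="${1:-has_autolock}" user display
    while read -r user display; do
        "$check" "$user" || echo "$user $display"
    done
}

# Restart xautolock as the session owner, so xlock accepts that user's password
# (assumption: the X cookie is in the user's ~/.Xauthority).
restart_autolock() {
    local user="$1" display="$2"
    logger -t lock-watchdog "xautolock missing for $user on $display, restarting"
    su - "$user" -c "DISPLAY=$display xautolock -time $LOCK_MINUTES -locker '$LOCKER' >/dev/null 2>&1 &"
}

# Run from root's crontab (for example once a minute) as: lock-watchdog.sh --enforce
if [ "${1:-}" = "--enforce" ]; then
    who | x_sessions | missing_autolock | while read -r user display; do
        restart_autolock "$user" "$display"
    done
fi
```

A session owner can still kill xautolock between runs, so this bounds how long a session stays unprotected rather than making the lock unkillable. The syslog entries give a record of each restart for review.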
