Although most Linux servers only have text-based interfaces, graphical environments are required for certain applications. Security controls must be applied to these graphical environments to prevent unauthorized access.
The STIG requirements for graphical interfaces are focused on ensuring proper authentication for new sessions and enforcing re-authentication after idle periods.
These controls will be skipped on systems without a graphical login interface.
All of the tasks for these STIG requirements are included in tasks/rhel7stig/graphical.yml.
The tasks in the security role configure dconf to display a login banner each time a graphical session starts on the system. The default banner message set by the role is:
You are accessing a secured system and your actions will be logged along with identifying information. Disconnect immediately if you are not an authorized user of this system.
Deployers can customize this message by setting an Ansible variable:
security_enable_graphical_login_message_text: >
  This is a customized banner message.
Warning
The dconf configuration does not support multi-line strings. Ensure that security_enable_graphical_login_message_text contains a single line of text.
In addition, deployers can opt out of displaying a login banner message by changing security_enable_graphical_login_message to no.
The security role configures a login banner for graphical logins using dconf. Deployers can opt out of this change by setting the following Ansible variable:
security_enable_graphical_login_message: no
The message is customized by setting another Ansible variable:
security_enable_graphical_login_message_text: >
  You are accessing a secured system and your actions will be logged along
  with identifying information. Disconnect immediately if you are not an
  authorized user of this system.
Note
The space available for the graphical banner is relatively short. Deployers should keep their graphical login banners as short as possible.
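As an added example (not code from the ansible-hardening role), the following Python renders the two banner variables above into the dconf keyfile fragment that GDM reads from the org/gnome/login-screen path, and rejects multi-line text, which is the failure the warning above describes. The keyfile path is an assumption used only for the printed message; the key names banner-message-enable and banner-message-text are the GDM login-screen GSettings keys.

```python
import re

# Assumption (not from the page): the role's keyfile name under
# /etc/dconf/db/gdm.d/ is not documented here, so this is a placeholder.
ASSUMED_KEYFILE_PATH = "/etc/dconf/db/gdm.d/01-banner-message"

# The role's default banner, as quoted on the page.
DEFAULT_BANNER = (
    "You are accessing a secured system and your actions will be logged "
    "along with identifying information. Disconnect immediately if you "
    "are not an authorized user of this system."
)


def normalize_banner(text):
    """Strip the trailing newline a YAML folded scalar (>) leaves behind."""
    return text.rstrip("\r\n").strip()


def banner_is_valid(text):
    """True when the text is one non-empty line; dconf cannot store more."""
    cleaned = normalize_banner(text)
    return bool(cleaned) and not re.search(r"[\r\n]", cleaned)


def gvariant_string(text):
    """Quote text as a single-quoted GVariant string literal for a keyfile."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_banner_keyfile(enabled=True, text=DEFAULT_BANNER):
    """Render the keyfile fragment for the two role variables.

    enabled=False mirrors security_enable_graphical_login_message: no;
    text mirrors security_enable_graphical_login_message_text.
    """
    if not enabled:
        return "[org/gnome/login-screen]\nbanner-message-enable=false\n"
    if not banner_is_valid(text):
        raise ValueError("banner text must be a single non-empty line")
    return (
        "[org/gnome/login-screen]\n"
        "banner-message-enable=true\n"
        "banner-message-text=" + gvariant_string(normalize_banner(text)) + "\n"
    )


if __name__ == "__main__":
    print("# fragment that would be written to", ASSUMED_KEYFILE_PATH)
    print(render_banner_keyfile())
```

The three-line value shown above uses a YAML folded scalar (>), which joins its lines with spaces, so it still reaches dconf as one line; a literal block scalar (|) would keep the line breaks and fail the check.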
The STIG requires that graphical sessions are locked when the screensaver starts and that users must re-enter credentials to restore access to the system. The screensaver lock is enabled by default if dconf is present on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_lock_session: no
The STIG requires that the screensaver appears when a session reaches a certain period of inactivity. The tasks will enable the screensaver for inactive sessions by default.
Deployers can opt out of this change by setting an Ansible variable:
security_lock_session_when_inactive: no
This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:
This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:
The STIG requires that a graphical session is locked when the screensaver starts. This requires a user to re-enter their credentials to regain access to the system.
The tasks will set a timeout of 5 seconds after the screensaver has started before the session is locked. This gives a user a few seconds to press a key or wiggle their mouse after the screensaver appears without needing to re-enter their credentials.
Deployers can adjust this timeout by setting an Ansible variable:
security_lock_session_screensaver_lock_delay: 5
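The three screensaver controls above (lock on screensaver start, screensaver on inactivity, and the 5-second lock delay) all land in dconf keys. As an added example that is not the role's own code, this Python audits a dconf keyfile for those keys and reports anything that would leave a session unlocked. The sample keyfiles are constructed; the 900-second idle limit and the org/gnome/desktop paths are assumptions about what the role writes, and the audit reads the keyfile rather than the effective GSettings value on a live system.

```python
import configparser

# Constructed sample resembling a compliant keyfile (not the role's file).
SAMPLE_KEYFILE = """\
[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 5

[org/gnome/desktop/session]
idle-delay=uint32 900
"""

# Constructed weak configuration for contrast: no lock, slow lock, no idle timeout.
WEAK_KEYFILE = """\
[org/gnome/desktop/screensaver]
lock-enabled=false
lock-delay=uint32 30
"""

SCREENSAVER = "org/gnome/desktop/screensaver"
SESSION = "org/gnome/desktop/session"


def parse_keyfile(text):
    """dconf keyfiles are INI-shaped; disable interpolation so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def parse_gvariant_uint32(value):
    """Accept 'uint32 5' (dconf's typed form) or a bare integer."""
    parts = value.strip().split()
    if len(parts) == 2 and parts[0] == "uint32":
        return int(parts[1])
    if len(parts) == 1:
        return int(parts[0])
    raise ValueError("not a uint32 literal: %r" % value)


def audit_screensaver(text, max_lock_delay=5, max_idle_delay=900):
    """Return a list of findings; an empty list means the keyfile is compliant."""
    cp = parse_keyfile(text)
    findings = []

    if cp.get(SCREENSAVER, "lock-enabled", fallback="").strip().lower() != "true":
        findings.append("lock-enabled is not true: the screensaver does not lock the session")

    # Unset lock-delay falls back to the schema default of 0 (lock at once),
    # so only an explicit value above the limit is reported.
    lock_delay = cp.get(SCREENSAVER, "lock-delay", fallback=None)
    if lock_delay is not None and parse_gvariant_uint32(lock_delay) > max_lock_delay:
        findings.append("lock-delay '%s' exceeds %d seconds" % (lock_delay, max_lock_delay))

    idle_delay = cp.get(SESSION, "idle-delay", fallback=None)
    if idle_delay is None:
        findings.append("idle-delay is not set in this keyfile: no screensaver on inactivity")
    else:
        seconds = parse_gvariant_uint32(idle_delay)
        if seconds == 0:  # 0 means "never" in GNOME, i.e. the screensaver is off
            findings.append("idle-delay is 0: the screensaver never starts")
        elif seconds > max_idle_delay:
            findings.append("idle-delay %d exceeds %d seconds" % (seconds, max_idle_delay))
    return findings


if __name__ == "__main__":
    for name, content in (("compliant", SAMPLE_KEYFILE), ("weak", WEAK_KEYFILE)):
        print(name, audit_screensaver(content) or ["ok"])
```

An idle-delay of 0 is the case worth watching: it is a valid value that silently disables the inactivity screensaver, so a check that only confirms the key exists would pass it.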
If AutomaticLoginEnable=true exists in the gdm configuration file, /etc/gdm/custom.conf, the setting will be removed. This disallows automatic logins for gdm and requires a user to complete the username and password prompts.
Deployers can opt out of this change by setting an Ansible variable:
security_disable_gdm_automatic_login: no
If TimedLoginEnable=true exists in the gdm configuration file, /etc/gdm/custom.conf, the setting will be removed. This disallows timed logins for guest users in gdm.
Deployers can opt out of this change by setting an Ansible variable:
security_disable_gdm_timed_login: no
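As an added example for the two gdm controls above (not code from the role), this Python scans the [daemon] section of a constructed custom.conf for AutomaticLoginEnable=true and TimedLoginEnable=true and returns the file with only those lines removed, the way the page describes, leaving the rest of the configuration intact. The two keyword arguments mirror the opt-out variables security_disable_gdm_automatic_login and security_disable_gdm_timed_login. Matching the value case-insensitively is an assumption; the role's own tasks are not reproduced here.

```python
# Constructed sample /etc/gdm/custom.conf with both unattended logins on.
SAMPLE_CUSTOM_CONF = """\
# GDM configuration storage
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=guest
TimedLoginEnable=True
TimedLogin=guest
TimedLoginDelay=10

[security]

[xdmcp]
"""

LOGIN_KEYS = ("AutomaticLoginEnable", "TimedLoginEnable")


def _daemon_entries(lines):
    """Yield (index, key, value) for key=value lines inside [daemon] only."""
    section = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
            continue
        if section != "daemon" or not s or s.startswith(("#", ";")) or "=" not in s:
            continue
        key, _, value = s.partition("=")
        yield i, key.strip(), value.strip()


def find_unattended_logins(text):
    """Return the enabling keys found, e.g. ['AutomaticLoginEnable']."""
    lines = text.splitlines()
    return [k for _, k, v in _daemon_entries(lines)
            if k in LOGIN_KEYS and v.lower() == "true"]


def remove_unattended_logins(text, disable_automatic=True, disable_timed=True):
    """Drop the enabling lines; other [daemon] settings are left untouched."""
    targets = set()
    if disable_automatic:
        targets.add("AutomaticLoginEnable")
    if disable_timed:
        targets.add("TimedLoginEnable")
    lines = text.splitlines(keepends=True)
    drop = {i for i, k, v in _daemon_entries(lines)
            if k in targets and v.lower() == "true"}
    return "".join(line for i, line in enumerate(lines) if i not in drop)


if __name__ == "__main__":
    print("found:", find_unattended_logins(SAMPLE_CUSTOM_CONF))
    print(remove_unattended_logins(SAMPLE_CUSTOM_CONF))
```

Only the enabling line is removed; AutomaticLogin=guest and TimedLogin=guest stay in place and are harmless once the corresponding Enable setting is gone.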
This control is implemented by the tasks for another control:
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.