graphical - Graphical login security controls¶

Although most Linux servers only have text-based interfaces, graphical environments are required for certain applications. Security controls must be applied to these graphical environments to prevent unauthorized access.

Overview¶

The STIG requirements for graphical interfaces are focused on ensuring proper authentication for new sessions and enforcing re-authentication after idle periods.

These controls will be skipped on systems without a graphical login interface.

STIG requirements¶

All of the tasks for these STIG requirements are included in tasks/rhel7stig/graphical.yml.

V-71859¶

Summary: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The tasks in the security role configure dconf to display a login banner each time a graphical session starts on the system. The default banner message set by the role is:

You are accessing a secured system and your actions will be logged along with identifying information. Disconnect immediately if you are not an authorized user of this system.

Deployers can customize this message by setting an Ansible variable:

security_enable_graphical_login_message_text: >
    This is a customized banner message.

Warning

The dconf configuration does not support multi-line strings. Ensure that security_enable_graphical_login_message_text contains a single line of text.

In addition, deployers can opt out of displaying a login banner message by changing security_enable_graphical_login_message to no.

V-71861¶

Summary: The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The security role configures a login banner for graphical logins using dconf. Deployers can opt out of this change by setting the following Ansible variable:

security_enable_graphical_login_message: no

The message is customized by setting another Ansible variable:

security_enable_graphical_login_message_text: >
    You are accessing a secured system and your actions will be logged along
    with identifying information. Disconnect immediately if you are not an
    authorized user of this system.

Note

The space available for the graphical banner is relatively short. Deployers should limit the length of their graphical login banners to the shortest length possible.

V-71891¶

Summary: The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The STIG requires that graphical sessions are locked when the screensaver starts and that users must re-enter credentials to restore access to the system. The screensaver lock is enabled by default if dconf is present on the system.

Deployers can opt out of this change by setting an Ansible variable:

security_lock_session: no

V-71893¶

Summary: The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The STIG requires that the screensaver appears when a session reaches a certain period of inactivity. The tasks will enable the screensaver for inactive sessions by default.

Deployers can opt out of this change by setting an Ansible variable:

security_lock_session_when_inactive: no

V-71895¶

Summary: The operating system must set the idle delay setting for all connection types.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:

The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. (V-71893)

V-71899¶

Summary: The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:

The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. (V-71893)

V-71901¶

Summary: The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The STIG requires that a graphical session is locked when the screensaver starts. This requires a user to re-enter their credentials to regain access to the system.

The tasks will set a timeout of 5 seconds after the screensaver has started before the session is locked. This gives a user a few seconds to press a key or wiggle their mouse after the screensaver appears without needing to re-enter their credentials.

Deployers can adjust this timeout by setting an Ansible variable:

security_lock_session_screensaver_lock_delay: 5

V-71953¶

Summary: The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
Severity: High
Implementation Status: Implemented

Deployer/Auditor notes¶

If AutomaticLoginEnable=true exists in the gdm configuration file, /etc/gdm/custom.conf, the configuration will removed. This disallows automatic logins for gdm and requires a user to complete the username and password prompts.

Deployers can opt-out of this change by setting an Ansible variable:

security_disable_gdm_automatic_login: no

V-71955¶

Summary: The operating system must not allow an unrestricted logon to the system.
Severity: High
Implementation Status: Implemented

Deployer/Auditor notes¶

If TimedLoginEnable=true exists in the gdm configuration file, /etc/gdm/custom.conf, the configuration will removed. This disallows timed logins for guest users in gdm.

Deployers can opt-out of this change by setting an Ansible variable:

security_disable_gdm_timed_login: no

V-73155¶

Summary: The operating system must set the lock delay setting for all connection types.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control:

The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. (V-71891)

V-73157¶

Summary: The operating system must set the session idle delay setting for all connection types.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control:

The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. (V-71891)