Hello,
This is in response to the stig-rhel6-server-upstream xccdf profile. For
Security Identifier CCE-26828-4 it states the following:
Set GNOME Login Inactivity Timeout
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to 15 minutes:
# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
CCE-26828-4
To check the current idle time-out value, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/idle_delay
If properly configured, the output should be 15.
There are two parts to my question:
1. I believe that this is checking the wrong location for this setting.
Setting an idle_delay value in /apps/gnome-screensaver/idle_delay has no effect
on actually locking this setting down. In fact, the correct location should be:
/desktop/gnome/session/idle_delay and the proper way to set this would be:
# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /desktop/gnome/session/idle_delay 15
a. This has been tested and verified and you can also see: Red Hat bug
867945 <https://bugzilla.redhat.com/show_bug.cgi?id=867945>
2. I think it is well known that environments are always different. With
that being said, in my instance, we set this value to 10, not 15, so of course
this will fail.
a. Is there a way to update this to check to ensure that this value is
either <= 15 OR maybe between 5 and 15?
Carlos Matos
NGC - ES
Linux Systems Administrator
6120 Longbow Drive
720-622-6226
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
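
One way to express the range check asked about in part 2 of the message above, as an added example that is not part of the original message and not scap-security-guide code. The function names are hypothetical; the 5 to 15 bounds and the /desktop/gnome/session/idle_delay key are taken from the message's own suggestions and are assumptions, not the profile's settings.

```shell
#!/bin/sh
# Added example, not scap-security-guide code. Function names are hypothetical.

# idle_delay_ok VALUE [MIN] [MAX]
#   0 = VALUE is an integer in MIN..MAX (defaults 5..15, from the message)
#   1 = integer but outside the range
#   2 = empty or not a plain integer (key unset, or error text was returned)
idle_delay_ok() {
    value=$1 min=${2:-5} max=${3:-15}
    case $value in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$value" -ge "$min" ] && [ "$value" -le "$max" ]; then
        return 0
    fi
    return 1
}

# check_key KEY [MIN] [MAX]
#   Reads KEY with the same query the rule text uses and reports the result.
check_key() {
    key=$1
    current=$(gconftool-2 -g "$key" 2>/dev/null) || current=''
    rc=0
    idle_delay_ok "$current" "$2" "$3" || rc=$?
    case $rc in
        0) echo "PASS: $key = $current (allowed ${2:-5}..${3:-15})" ;;
        1) echo "FAIL: $key = $current (allowed ${2:-5}..${3:-15})" ;;
        *) echo "FAIL: $key is unset or not an integer" ;;
    esac
    return "$rc"
}

# Only query where gconftool-2 exists (a RHEL 6 GNOME desktop).
# The key is the one the message proposes; pass MIN=1 for the "<= 15" variant.
if command -v gconftool-2 >/dev/null 2>&1; then
    check_key /desktop/gnome/session/idle_delay 5 15 || :
fi
```

A site that sets the value to 10 passes this check, while an unset key is reported as a failure rather than being compared as if it were a number.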