On Tuesday, November 14, 2017 10:27:04 AM EST Trevor Vaughan wrote:
> Steve,
>
> So, would tmux be a valid alternative? It can do the same as screen in that
> respect.

I remember that we had to make screen MLS aware. No such work has been done to tmux. It was not part of the TOE and therefore not subjected to the review and bug fixing that screen got. Not saying it couldn't be...it just hasn't been through CC to verify how it works.

> Also, either case is going to leave the base VT wide open and able to be
> connected to fairly easily.

That is a requirement. If you have a multi user system, they need to independently work and time out independently.

> Would using an Exit Trap with TMOUT to spawn vlock work?

What if you're sitting in vi editing a daemon config and get a long phone call? It has to be independent of bash.

> That should work in all cases (well, for bash and zsh anyway). This would
> also seem to be more in line with the requirement since a 'vlock -a' will
> lock *all* user terminals, not just one.

:-) Which I'm sure will make the other users real happy.

The correct use and configuration for screen can be found in the cc-config-rhel71 package with lots of other guidance on how to meet requirements.

-Steve

> On Mon, Nov 13, 2017 at 3:03 PM, Steve Grubb <[email protected]> wrote:
> > On Monday, November 13, 2017 1:02:00 PM EST Trevor Vaughan wrote:
> > > Is there a reason that 'screen' was chosen over or 'vlock' for
> > > xccdf_org.ssgproject.content_rule_package_screen_installed?
> >
> > Common Criteria requirements state that we need to have a self locking
> > screen after a certain number of minutes of inactivity. Screen can do it,
> > vlock can't.
> >
> > -Steve
> >
> > > 'vlock' is the more target specific and allows for locking *all* user
> > > consoles by running 'vlock -a'.
> > >
> > > Thanks,
> > >
> > > Trevor

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
