From 770b2ad86e5e188ea2fd415ef7a6f8e418bb315a Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Thu, 10 Nov 2016 15:56:44 -0600 Subject: [PATCH] [Docs] Set graphical session locks This patch adds documentation for: https://review.openstack.org/396410 Implements: blueprint security-rhel7-stig Change-Id: I0d87bfa9c17a9ee3732c22f5a02cf2004025c8fd --- doc/metadata/rhel7/RHEL-07-010060.rst | 15 ++++++++++++--- doc/metadata/rhel7/RHEL-07-010070.rst | 14 +++++++++++--- doc/metadata/rhel7/RHEL-07-010071.rst | 14 +++++++++++--- doc/metadata/rhel7/RHEL-07-010073.rst | 14 +++++++++++--- doc/metadata/rhel7/RHEL-07-010074.rst | 19 ++++++++++++++++--- 5 files changed, 61 insertions(+), 15 deletions(-) diff --git a/doc/metadata/rhel7/RHEL-07-010060.rst b/doc/metadata/rhel7/RHEL-07-010060.rst index 1be35605..fcab7b86 100644 --- a/doc/metadata/rhel7/RHEL-07-010060.rst +++ b/doc/metadata/rhel7/RHEL-07-010060.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-010060 -status: not implemented -tag: misc +status: implemented +tag: graphical --- -This STIG requirement is not yet implemented. +The STIG requires that graphical sessions are locked when the screensaver +starts and that users must re-enter credentials to restore access to the +system. The screensaver lock is enabled by default if ``dconf`` is present on +the system. + +Deployers can opt out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_lock_session: no diff --git a/doc/metadata/rhel7/RHEL-07-010070.rst b/doc/metadata/rhel7/RHEL-07-010070.rst index a4f4a52b..6518e28c 100644 --- a/doc/metadata/rhel7/RHEL-07-010070.rst +++ b/doc/metadata/rhel7/RHEL-07-010070.rst 
@@ -1,7 +1,15 @@ --- id: RHEL-07-010070 -status: not implemented -tag: misc +status: implemented +tag: graphical --- -This STIG requirement is not yet implemented. +The session inactivity timeout is set to 900 seconds to meet the STIG +requirements. After this time, users must re-enter their credentials to regain +access to the system. + +Deployers can adjust this timeout by setting an Ansible variable: + +.. code-block:: yaml + + security_lock_session_inactive_delay: 900 diff --git a/doc/metadata/rhel7/RHEL-07-010071.rst b/doc/metadata/rhel7/RHEL-07-010071.rst index a8e32c5b..40f85b5e 100644 --- a/doc/metadata/rhel7/RHEL-07-010071.rst +++ b/doc/metadata/rhel7/RHEL-07-010071.rst @@ -1,7 +1,15 @@ --- id: RHEL-07-010071 -status: not implemented -tag: misc +status: implemented +tag: graphical --- -This STIG requirement is not yet implemented. +The STIG does not allow regular users to override the system-wide settings for +graphical session locks. These settings are locked out by default. + +Deployers can opt out of overriding user settings for session locks by setting +the following Ansible variable: + +.. code-block:: yaml + + security_lock_session_override_user: no diff --git a/doc/metadata/rhel7/RHEL-07-010073.rst b/doc/metadata/rhel7/RHEL-07-010073.rst index bb8decfb..bfbf3583 100644 --- a/doc/metadata/rhel7/RHEL-07-010073.rst +++ b/doc/metadata/rhel7/RHEL-07-010073.rst @@ -1,7 +1,15 @@ --- id: RHEL-07-010073 -status: not implemented -tag: misc +status: implemented +tag: graphical --- -This STIG requirement is not yet implemented. +The STIG requires that the screensaver appears when a session reaches a certain +period of inactivity. The tasks will enable the screensaver for inactive +sessions by default. + +Deployers can opt out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_lock_session_when_inactive: no diff --git a/doc/metadata/rhel7/RHEL-07-010074.rst b/doc/metadata/rhel7/RHEL-07-010074.rst index 570a3a67..e79aa772 100644 
--- a/doc/metadata/rhel7/RHEL-07-010074.rst +++ b/doc/metadata/rhel7/RHEL-07-010074.rst @@ -1,7 +1,20 @@ --- id: RHEL-07-010074 -status: not implemented -tag: misc +status: implemented +tag: graphical --- -This STIG requirement is not yet implemented. +The STIG requires that a graphical session is locked when the screensaver +starts. This requires a user to re-enter their credentials to regain access to +the system. + +The tasks will set a timeout of 5 seconds after the screensaver has started +before the session is locked. This gives a user a few seconds to press a key or +wiggle their mouse after the screensaver appears without needing to re-enter +their credentials. + +Deployers can adjust this timeout by setting an Ansible variable: + +.. code-block:: yaml + + security_lock_session_screensaver_lock_delay: 5
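Review bot: In RHEL-07-010060.rst, the sentence "The screensaver lock is enabled by default if ``dconf`` is present on the system" does not say what happens on hosts without ``dconf``. State explicitly that the tasks are skipped there, if that is the behaviour, so a deployer reading "status: implemented" does not assume the control is applied everywhere. The opt-out paragraph should also name the default value of ``security_lock_session`` and say that setting it to ``no`` leaves the host out of line with this STIG requirement.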
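Review bot: In RHEL-07-010070.rst, "Deployers can adjust this timeout" gives no bound, although the preceding sentence says 900 seconds is the value chosen "to meet the STIG requirements". Say whether 900 is a maximum, and if so note that raising ``security_lock_session_inactive_delay`` above it departs from the requirement. Unlike RHEL-07-010060.rst, this file also omits the ``dconf`` precondition. Repeat it here if it applies to this setting as well.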
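Review bot: In RHEL-07-010071.rst, the wording "These settings are locked out by default" followed by "opt out of overriding user settings" is ambiguous about which direction the variable works. It can be read as either allowing or preventing user changes. Suggest something like "Regular users are prevented from changing these settings by default" and "Deployers can allow users to change them by setting the following Ansible variable", so it is clear that ``security_lock_session_override_user: no`` is the less restrictive choice.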
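Review bot: In RHEL-07-010073.rst, "a certain period of inactivity" leaves the reader without the actual value or the variable that controls it. If the period is the one documented in RHEL-07-010070.rst, reference ``security_lock_session_inactive_delay`` and its 900 second default here, and explain how ``security_lock_session_when_inactive: no`` interacts with that delay (whether the delay setting is then ignored).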
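Review bot: In RHEL-07-010074.rst, the second paragraph documents a 5 second grace period in which the screensaver can be dismissed without credentials, but the text does not reconcile this with RHEL-07-010070.rst, which says users must re-enter credentials after 900 seconds. As written, the two add up to 905 seconds before the lock takes effect. Either say so, or note that ``security_lock_session_screensaver_lock_delay`` should be kept small (or 0) where the 900 second limit is strict. The first paragraph also restates RHEL-07-010060.rst almost word for word. A sentence distinguishing the two requirements would help.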