fcaviggia / hardening-script-el6

DISA STIG/USGCB/NSA SNAC Hardening Scripts for Red Hat Enterprise Linux 6
GNU General Public License v2.0

stig-fix-1.8.3-el6.noarch.rpm #39

Open lmeinecke opened 9 years ago

lmeinecke commented 9 years ago

Just tried this rpm on a clean 6.6 workstation install. Seems good so far.

The STIG for RHEL6 says the screen saver should be set to 15mins. From gnome.sh:

    # NIST 800-53 CCE-3315-9 (row 95): Screensaver in 15 Minutes; Forced Logout in 30 Minutes
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type string \
          --set /desktop/gnome/session/max_idle_action "forced-logout"
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /desktop/gnome/session/max_idle_time 120
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /apps/gnome-screensaver/idle_delay 15

    # NIST 800-53 CCE-14604-3 (row 96)
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/gnome-screensaver/idle_activation_enabled true

    # NIST 800-53 CCE-14023-6 (row 97)
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/gnome-screensaver/lock_enabled true

The screensaver is activating after 5mins. If you open System:Preferences:Screen Saver there is a slider that is enabled. It's set to 5mins. Shouldn't this be disabled and set to 15min? What controls this?

Also the forced logout after 2hrs is painful. I was trying to find the STIG requirement driving that. Is it a NIST recommendation or a DISA STIG requirement? (http://www.stigviewer.com/stig/red_hat_enterprise_linux_6/)

Thanks Frank!
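An added audit script, not part of hardening-script-el6 or the gnome.sh snippet above, that checks whether the five values gnome.sh writes with `gconftool-2 --direct` actually landed in the mandatory gconf source. It parses the `%gconf.xml` files under the source root itself instead of asking gconfd, so it also works in a chroot or on an image. It assumes the gconf XML layout (an `<entry>` per key with `name`, `type` and, for int/bool keys, a `value` attribute; string keys carry a `<stringvalue>` child) and uses the key paths and expected values from the snippet in this issue; the `make_fixture` function builds a constructed tree that reproduces the 5-minute idle_delay reported here.

```shell
#!/bin/sh
# Added example (not the project's code): audit the mandatory gconf source
# that gnome.sh populates. Expected values mirror the gconftool-2 calls in
# the issue: idle_delay 15 (minutes), max_idle_time 120, forced logout, lock on.

# Print the value stored for KEY under the mandatory source rooted at ROOT,
# or nothing if the key is unset. KEY looks like /apps/gnome-screensaver/idle_delay.
gconf_mandatory_value() {
    root=$1; key=$2
    dir=$(dirname "$key"); name=$(basename "$key")
    file="$root$dir/%gconf.xml"
    [ -r "$file" ] || return 0
    awk -v n="$name" '
        # int/bool keys: <entry name="k" ... type="int" value="15"/>
        index($0, "<entry name=\"" n "\"") {
            inentry = 1
            if (match($0, / value="[^"]*"/)) { print substr($0, RSTART + 8, RLENGTH - 9); exit }
        }
        # string keys: <stringvalue>forced-logout</stringvalue> on a following line
        inentry && match($0, /<stringvalue>[^<]*<\/stringvalue>/) {
            print substr($0, RSTART + 13, RLENGTH - 27); exit
        }
        inentry && /<\/entry>/ { exit }
    ' "$file"
}

# Compare each key against the value gnome.sh is supposed to set.
# Prints PASS/FAIL per key; returns 1 if any key is missing or wrong.
audit_screensaver() {
    root=$1; rc=0
    for spec in \
        "/apps/gnome-screensaver/idle_delay=15" \
        "/apps/gnome-screensaver/idle_activation_enabled=true" \
        "/apps/gnome-screensaver/lock_enabled=true" \
        "/desktop/gnome/session/max_idle_action=forced-logout" \
        "/desktop/gnome/session/max_idle_time=120"
    do
        key=${spec%%=*}; want=${spec#*=}
        got=$(gconf_mandatory_value "$root" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = '${got:-unset}' (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture (assumed layout, sample mtimes): a mandatory source
# where idle_delay is 5, the symptom described in this issue.
make_fixture() {
    root=$1
    mkdir -p "$root/apps/gnome-screensaver" "$root/desktop/gnome/session"
    cat > "$root/apps/gnome-screensaver/%gconf.xml" <<'EOF'
<?xml version="1.0"?>
<gconf>
	<entry name="idle_delay" mtime="1425052800" type="int" value="5"/>
	<entry name="idle_activation_enabled" mtime="1425052800" type="bool" value="true"/>
	<entry name="lock_enabled" mtime="1425052800" type="bool" value="true"/>
</gconf>
EOF
    cat > "$root/desktop/gnome/session/%gconf.xml" <<'EOF'
<?xml version="1.0"?>
<gconf>
	<entry name="max_idle_action" mtime="1425052800" type="string">
		<stringvalue>forced-logout</stringvalue>
	</entry>
	<entry name="max_idle_time" mtime="1425052800" type="int" value="120"/>
</gconf>
EOF
}

# Usage on a real host: sh audit.sh /etc/gconf/gconf.xml.mandatory
if [ -n "${1-}" ]; then
    audit_screensaver "$1"
fi
```

If the audit passes on a host but the Screen Saver slider is still editable and set to 5 minutes, the values are in the mandatory source and the problem lies in how the session sources gconf rather than in what the script wrote; if it fails on idle_delay, the script's write did not take effect.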

fcaviggia commented 9 years ago

The main driver for this is if root logs into GNOME and forgets to log out - gnome-screensaver does not protect root. I'm not sure if there is a good way to deal with this other than what I've done - one way you can probably mitigate this is disabling root from login (passwd -l root) directly and only have administrative users (those belonging to wheel group assume the role of root with sudo) - you'd probably want a minimum of 2 SAs for that. Also, if your DAO accepts the risk please adjust this to what you can agree upon.

The nice thing about bash is the flexibility and ease that it brings to modify the code.

shawndwells commented 9 years ago

On 2/27/15 8:46 AM, Frank Caviggia wrote:

The main driver for this is if root logs into GNOME and forgets to log out - gnome-screensaver does not protect root. I'm not sure if there is a good way to deal with this other than what I've done - one way you can probably mitigate this is disabling root from login (passwd -l root) directly and only have administrative users (those belonging to wheel group assume the role of root with sudo) - you'd probably want a minimum of 2 SAs for that. Also, if your DAO accepts the risk please adjust this to what you can agree upon.

Note the STIG already prevents direct root login (of any means), so this specific hardening is not related to a specific US Gov requirement.

lmeinecke commented 9 years ago

stig-fix is disabling root logins over ssh. It does not prevent root from logging into gnome at the console.

The issue I'm bringing up is that a non-privileged account is going to screen saver after 5mins not 15mins. It appears the user can also up this to 2hrs since the slider is enabled in the screen saver GUI.