CCI-000060

Set GNOME3 Screensaver Inactivity Timeout

Set GNOME3 Screensaver Lock Delay After Activation Period

Enable GNOME3 Screensaver Lock After Idle Period

Implement Blank Screensaver

Ensure Users Cannot Change GNOME3 Screensaver Settings

Ensure Users Cannot Change GNOME3 Session Idle Settings

Configure tmux to lock session after inactivity

Check that vlock is installed to allow session locking

Apple iOS/iPadOS 15 must be configured to not display notifications when the device is locked.

Apple iOS/iPadOS 15 must not display notifications (calendar information) when the device is locked.

The ALG providing user access control intermediary services must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.

Google Android 12 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Microsoft Android 11 must be configured to not display the following (work profile) notifications when the device is locked: [selection:- Email notifications - Calendar appointments - Contact associated with phone call notification - Text message notification- Other application-based notifications- All notifications].

Microsoft Android 11 must be configured to not display the following (work profile) notifications when the device is locked: [selection: - Email notifications - Calendar appointments - Contact associated with phone call notification - Text message notification - Other application-based notifications - All notifications].

Nutanix AOS must disconnect a session after 15 minutes of idle time for all connection types.

If TLS optimization is used, the Riverbed Optimization System (RiOS) providing Signed SMB and/or Encrypted MAPI must ensure the integrity and confidentiality of data transmitted over the WAN.

Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: All notifications.

The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Apple iOS/iPadOS 16 must be configured to not display notifications when the device is locked.

Apple iOS/iPadOS 16 must not display notifications (calendar information) when the device is locked.

Apple iOS/iPadOS 17 must be configured to not display notifications when the device is locked.

Apple iOS/iPadOS 17 must not display notifications (calendar information) when the device is locked.

The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The macOS system must be configured to disable hot corners.

The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The macOS system must disable hot corners.

The Ubuntu operating system must be configured for users to directly initiate a session lock for all connection types.

The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.

Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

AIX CDE must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

IBM z/OS must employ a session manager that conceal, via the session lock, information previously visible on the display with a publicly viewable image.

IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.

Windows Ink Workspace must be configured to disallow access above the lock.

Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.

Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.

OL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.

OL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.

OL 8 must automatically lock command line user sessions after 15 minutes of inactivity.

OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.

OL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

OL 8 must prevent a user from overriding the session lock-enabled setting for the graphical user interface.

The SUSE operating system must be able to lock the graphical user interface (GUI).

The SUSE operating system must utilize vlock to allow for session locking.

The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface.

RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.

RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.

RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).

RHEL 9 must ensure session control is automatically started at shell initialization.

RHEL 9 must automatically lock command line user sessions after 15 minutes of inactivity.

The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

Samsung Android must be configured to not display the following (Work Environment) notifications when the device is locked: all notifications.

The VMM must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

The macOS system must prevent AdminHostInfo from being available at LoginWindow.

Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types.

Dragos must configure idle timeouts at 10 minutes.

Google Android 14 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

Google Android 15 must be configured to not display the following (work profile) notifications when the device is locked: [selection: a. email notifications b. calendar appointments c. contact associated with phone call notification d. text message notification e. other application-based notifications f. all notifications].

The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

SLEM 5 must use vlock to allow for session locking.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.

Apple iOS/iPadOS 18 must be configured to not display notifications when the device is locked.

Apple iOS/iPadOS 18 must not display notifications (calendar information) when the device is locked.