Prevent user from disabling the screen lock
An XCCDF Rule
Description
The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
Rationale
Not listing tmux among permitted shells prevents a malicious program running as the user from lowering security by disabling the screen lock.
- ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
- Severity: Low
- References
- Updated
Remediation - Shell Script
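# Remediation is applicable only in certain platforms
# (skipped inside Docker and Podman containers)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Delete every line of /etc/shells that ends in "tmux"
    if grep -q 'tmux\s*$' /etc/shells ; then
        sed -i '/tmux\s*$/d' /etc/shells
    fi
fi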
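A read-only check to run before or after the remediation, as an added example that is not part of the rule's own content. The function names, the constructed sample file, and the choice to skip `#` comment lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the rule page): read-only check for tmux in a shells file.

# Print every active entry ending in "tmux", prefixed with its line number.
# Returns 0 if any entry was found, 1 if none, 2 if the file is unreadable.
# Assumption: a '#' starts a comment, so commented-out entries are not reported.
find_tmux_shells() {
    shells_file="${1:-/etc/shells}"
    [ -r "$shells_file" ] || return 2
    # [[:space:]] is the POSIX spelling of the \s used in the remediation.
    grep -nE '^[^#]*tmux[[:space:]]*$' "$shells_file"
}

# Report PASS (return 0), FAIL (return 1) or ERROR (return 2) for one file.
check_no_tmux_in_shells() {
    target="${1:-/etc/shells}"
    hits=$(find_tmux_shells "$target") && rc=0 || rc=$?
    case "$rc" in
        0) printf 'FAIL: tmux is listed in %s\n%s\n' "$target" "$hits"; return 1 ;;
        1) printf 'PASS: no tmux entry in %s\n' "$target"; return 0 ;;
        *) printf 'ERROR: cannot read %s\n' "$target" >&2; return 2 ;;
    esac
}

# Constructed sample input: two ordinary shells, one commented-out tmux
# entry, and one active tmux entry with trailing whitespace.
write_sample_shells() {
    printf '%s\n' '/bin/sh' '/bin/bash' '# /usr/local/bin/tmux' '/usr/bin/tmux  ' > "$1"
}

# Run the check against the constructed sample (expected result: FAIL, line 4).
demo() {
    sample=$(mktemp) || return 2
    write_sample_shells "$sample"
    check_no_tmux_in_shells "$sample" && demo_rc=0 || demo_rc=$?
    rm -f "$sample"
    return "$demo_rc"
}

demo || true
```

Called with no argument, `check_no_tmux_in_shells` inspects /etc/shells and changes nothing.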