Prevent user from disabling the screen lock

An XCCDF Rule

Description

The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.

Rationale

Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.

ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
Severity: Low
References: CCI-000056 CCI-002235

CM-6

FMT_MOF_EXT.1 FMT_SMF_EXT.1 FTA_SSL.1

SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 SRG-OS-000324-GPOS-00125
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6
  - low_complexity  - low_disruption
  - low_severity
  - no_reboot_needed
  - no_tmux_in_shells
  - restrict_strategy

- name: Prevent user from disabling the screen lock - Ensure tmux line not exists
  ansible.builtin.lineinfile:
    path: /etc/shells
    regex: tmux\s*$
    state: absent
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - no_tmux_in_shells
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if grep -q 'tmux\s*$' /etc/shells ; then
	sed -i '/tmux\s*$/d' /etc/shells
fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Prevent user from disabling the screen lock

Description

Rationale

Remediation - Ansible

Remediation - Shell Script