Prevent user from disabling the screen lock

An XCCDF Rule

Description

The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.

Rationale

Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.

ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
Severity: Low
References: CCI-000056 CCI-000058

CM-6

FMT_MOF_EXT.1 FMT_SMF_EXT.1 FTA_SSL.1

SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 SRG-OS-000324-GPOS-00125

SV-258067r926188_rule
Updated: over 1 year ago

Remediation Templates

- name: Prevent user from disabling the screen lock - Ensure tmux line not exists
  ansible.builtin.lineinfile:
    path: /etc/shells
    regex: tmux\s*$
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]  tags:
  - DISA-STIG-RHEL-09-412030
  - NIST-800-53-CM-6
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - no_tmux_in_shells
  - restrict_strategy

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    storage:
      files:
      - contents:
          source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A
        mode: 0644
        path: /etc/shells
        overwrite: true

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if grep -q 'tmux\s*$' /etc/shells ; then
	sed -i '/tmux\s*$/d' /etc/shells
fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Prevent user from disabling the screen lock

Description

Rationale

Remediation Templates

An Ansible Snippet

A Kubernetes Patch

A Shell Script