- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock
to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update
.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user’s session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}"
fi
if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/
then
echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80544-0
- DISA-STIG-RHEL-07-010082
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2.8
- dconf_gnome_session_idle_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME Session idle-delay
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/session/idle-delay$
line: /org/gnome/desktop/session/idle-delay
create: true
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80544-0
- DISA-STIG-RHEL-07-010082
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2.8
- dconf_gnome_session_idle_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
command: dconf update
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80544-0
- DISA-STIG-RHEL-07-010082
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2.8
- dconf_gnome_session_idle_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy