Rule ID
SV-279529r1192546_rule
Version
V1R1
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems must be able to identify when a user's session is idle and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009
Verify Nutanix TMUX shell is enabled, which sets the user session lock for the Admin account of last resort. 1. For AOS, Prism Central, and Files, log in to the CVM as the Admin user. 2. For AHV, verify the value of "locl-after-time" is set to "890" using the following command. $ sudo grep -i "lock-after-time" /etc/tmux.conf set -g lock-after-time 890 If the Nutanix TMUX shell is not enabled or if "lock-after-time" is not configured, this is a finding.
1. For AOS, Prism Central, and Files, log in as Admin and run the following command to set the Nutanix TMUX and configure options for the Admin account of last resort. $ configure_dod_mode.sh enter_dod_mode 2. For AHV, this is set by default in the OS. The value of "lock-after-time" is set to "890" by the vendor and must not be altered by customers. If the value is not set to the default, this is an unauthorized modification which may indicate the security settings for the build has been modified. Rebuild the system from source to correct this issue.