HPE Community
Operating System - HP-UX
1825775 Members
2303 Online
109687 Solutions
New Discussion

setting default lock screen saver timeout CIS security assessment

 
Vincent_5
Super Advisor

‎02-22-2018 06:27 AM

‎02-22-2018 06:27 AM

setting default lock screen saver timeout CIS security assessment

Hi Guys,

Can someone help im trying to harden my server with the script below from cis security on lock screen timeout

for file in /usr/dt/config/*/sys.resources; do dir="$(dirname "$file" | sed 's|^/usr/|/etc/|')" mkdir -p "$dir" echo 'dtsession*saverTimeout: 10' >>"$dir/sys.resources" echo 'dtsession*lockTimeout: 10' >>"$dir/sys.resources"done

After running the script . a sys.resources file is created with two line as below

dtsession*saverTimeout: 10

dtsession*lockTimeout: 10

but unfortunately the screensaver parameter still fail . Can someone help ??

 

Regards

Vincent

 

nothing is better than to know more
0 Kudos
Reply
5 REPLIES 5
Patrick Wallek
Honored Contributor

‎02-22-2018 01:42 PM

‎02-22-2018 01:42 PM

Re: setting default lock screen saver timeout CIS security assessment

Did you check for a sys.resources file before you ran that command?

 

In my /usr/dt/config directory EACH subdirectory has its own sys.resources file and all of those sys.resources file has dtsession*lockTimeout and dtsession*saverTimeout already defined.

 

I'm not sure what the CIS script is looking for, but it may not be checking properly.

0 Kudos
Reply
Vincent_5
Super Advisor

‎02-22-2018 08:46 PM

‎02-22-2018 08:46 PM

Re: setting default lock screen saver timeout CIS security assessment

Hi,
Thanks for the support, but is there a command I can check all the sys.resources file if the two lines are there . Kindly help

Regards
Vincent

nothing is better than to know more
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-23-2018 06:35 AM

‎02-23-2018 06:35 AM

Re: setting default lock screen saver timeout CIS security assessment

Try this script.  It will search the /usr/dt/config directory and look for sys.resources files.  It will then check each file for the "dtsession*saverTimeout" and "dtsession*lockTimeout" lines.

 

for i in $(find /usr/dt/config -name sys.resources -print)
do
grep -q -e "dtsession\*saverTimeout" -e "dtsession\*lockTimeout" ${i}
if (( $? == 0 )) ; then
echo "File ${i} contains the saverTimeout and lockTimeout lines"
else
echo "File ${i} does NOT contain the saverTimeout and lockTimeout lines"
fi
done

If you want to see the lines each file contains, just remove the '-q' from the grep command.

 

0 Kudos
Reply
Vincent_5
Super Advisor

‎02-23-2018 07:03 PM

‎02-23-2018 07:03 PM

Re: setting default lock screen saver timeout CIS security assessment

Hi,
Thanks for the script , but I believe I cannot just edit the sys.resources file and save it . It don't seems to be able to read it after I do changes to that file. Btw, can I check if there is a command I can remove all the sys.resources from /etc/dt/config/*/ . The intention is to run the script to harden . Pls advice

Regards
Vincent
nothing is better than to know more
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-23-2018 07:55 PM

‎02-23-2018 07:55 PM

Re: setting default lock screen saver timeout CIS security assessment

>> but I believe I cannot just edit the sys.resources file and save it 

Why not?  They're all just text files as far as I can tell.

>>It don't seems to be able to read it after I do changes to that file

What can't read it?  What error do you get?

 

>> ...can I check if there is a command I can remove all the sys.resources from /etc/dt/config/*/ 

Well, there's always the 'rm' command.  This should remove all the sys.resources files, but if you're actually using any X-Windows, CDE, or anything then I"m not sure this will work well.

# rm /usr/dt/config/*/sys.resources

>>The intention is to run the script to harden 

OK.  

The last time I looked at the CIS script for HP-UX was 10 years ago, if not more.  At that point in time they really didn't do a good job with writing the script for HP-UX.  I recall that it didn't work well and the results it gave were not very accurate.

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.