{"description": "The <tt>tmux</tt> terminal multiplexer is used to implement\nautomatic session locking. It should not be listed in\n<tt>/etc/shells</tt>.", "rationale": "Not listing <tt>tmux</tt> among permitted shells\nprevents a malicious program running as the user\nfrom lowering security by disabling the screen lock.", "severity": "low", "references": {"nist": ["CM-6"], "ospp": ["FMT_SMF_EXT.1", "FMT_MOF_EXT.1", "FTA_SSL.1"], "srg": ["SRG-OS-000324-GPOS-00125", "SRG-OS-000028-GPOS-00009", "SRG-OS-000030-GPOS-00011"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "tmux is listed in /etc/shells", "ocil": "To verify that tmux is not listed as an allowed shell on the system,\nrun the following command:\n<pre>$ grep 'tmux$' /etc/shells</pre>\nThe output should be empty.", "oval_external_content": null, "fixtext": "Edit the file \"/etc/shells\" and remove any line that ends in \"tmux\".", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must prevent users from disabling session control mechanisms.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent users from disabling session control mechanisms.", "vuldiscussion": "The session lock is implemented at the point where session activity can be determined. 
Rather than be forced to wait for a period of time to expire before the user session can be locked, Ubuntu 22.04 must provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.", "checktext": "Verify Ubuntu 22.04 prevents users from disabling the tmux terminal multiplexer with the following command:\n\n$ grep -i tmux /etc/shells\n\nIf any output is produced, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to prevent users from disabling the tmux terminal multiplexer by editing the \"/etc/shells\" configuration file to remove any instances of tmux."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Prevent user from disabling the screen lock", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml", "template": null}