Information is extremely vulnerable when terminals are left open and active. An intruder who happens upon such a terminal (for example, during a lunch break) need not try to break passwords or have complicated equipment to sniff the network lines, since all terminals at the site are already logged in and ready for work. Although screen savers that prompt for the password before restoring the desktop are useful, the security administrator cannot make sure that all users are using secured screen savers.
CA Access Control provides selock, a screen‑locking utility that guards all terminals and stations by locking them whenever they are idle for more than a specified period of time. When returning to work, the user is prompted to specify the password. If the correct password is not specified within one minute, the terminal remains locked. The selock utility can find the password of users who can unlock a screen even if those users change their passwords while selock is active.
Note: For more information about the screen lock utility selock, see the Reference Guide.
Choose the selock options that suit your requirements:
Use the -timeout option to set the timeout to a large value, such as 10 minutes, and the -lock-timeout option to set the lock timeout to an even larger value, such as 60 minutes. This prevents selock from interrupting your work excessively by switching to the saver mode, and locks your screen only when your terminal is left inactive for extended periods.
Use the -timeout option to set the timeout to a small value, such as 1 minute, and the -lock-timeout option to set the lock timeout to a small value, between 0 and 2 minutes. This always hides your work soon after you stop accessing your terminal, and requires a password to restore access. To ensure that selock always requires password entry to reactivate your terminal after the saver mode starts, use the -lock-timeout option to set the lock timeout to zero.
Note: For more information on startup scripts, see the documentation for your UNIX system.
Copyright © 2012 CA. All rights reserved.