

Protection of Idle Stations

Information is extremely vulnerable when terminals are left open and active. An intruder who happens upon such a terminal (for example, during a lunch break) need not try to break passwords or have complicated equipment to sniff the network lines, since all terminals at the site are already logged in and ready for work. Although screen savers that prompt for the password before restoring the desktop are useful, the security administrator cannot make sure that all users are using secured screen savers.

CA ControlMinder provides selock, a screen-locking utility that guards all terminals and stations by locking them whenever they are idle for a specified period of time. When the user returns to work, selock prompts for the password. If the password is not specified within one minute, the terminal remains locked. The selock utility can look up passwords even if users change their passwords while selock is active.

Note: For more information about the screen lock utility selock, see the Reference Guide.

Choose the selock options that suit your requirements:

Less security, more convenience

Set the -timeout option to a large value, such as 10 minutes, and set the -lock-timeout option to a larger value, such as 60 minutes. This setting locks your screen only when your terminal is left inactive for extended periods, and prevents selock from interrupting your work by switching to saver mode too often.

More security, less convenience

Set the -timeout option to a small value, such as 1 minute, and set the -lock-timeout option to a small value, between 0 and 2 minutes. This setting hides your work every time you stop accessing your terminal, and requires a password for restoring access. To ensure that selock always requires a password to reactivate your terminal, set -lock-timeout to zero.

The selock command can be part of the X startup shell script, so that it starts automatically every time the user logs in to the system. Run the script under the user ID, not under the root ID. The way you integrate the selock command into the startup script depends on the specific environment of the site.

Note: For more information on startup scripts, see the documentation for your UNIX system.
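The following X session fragment is an added illustration of the two option profiles and the startup integration described above; it is not CA's own script. It uses only the -timeout and -lock-timeout options named on this page, assumes their values are minutes (confirm the unit in the selock Reference Guide), and assumes selock is on the PATH as selock.

```shell
#!/bin/sh
# Example fragment for ~/.xsession or ~/.xinitrc: start selock with one of the
# two profiles from the text. Values are assumed to be minutes (assumption).

# Print the selock argument list for a named profile.
selock_args() {
    case "$1" in
        convenient) echo "-timeout 10 -lock-timeout 60" ;;   # lock only after long idle periods
        strict)     echo "-timeout 1 -lock-timeout 0" ;;     # -lock-timeout 0: always require a password
        *)          echo "unknown selock profile: $1" >&2; return 1 ;;
    esac
}

# selock must run under the user's own ID, never under root.
not_root() {
    [ "$(id -u)" -ne 0 ]
}

# Start selock in the background unless we are root or one is already running
# for this user. SELOCK_BIN may point at a non-default install location.
start_selock() {
    profile="${1:-strict}"
    not_root || { echo "selock: refusing to start under the root ID" >&2; return 1; }
    pgrep -u "$(id -un)" -x selock >/dev/null 2>&1 && return 0   # already running
    args=$(selock_args "$profile") || return 1
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    "${SELOCK_BIN:-selock}" $args &
}

# Typical call at the end of the X startup script:
# start_selock strict
```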