1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
documentation_complete: true
title: 'Disable Ctrl-Alt-Del Reboot Activation'
description: |-
By default, <tt>SystemD</tt> will reboot the system if the <tt>Ctrl-Alt-Del</tt>
key sequence is pressed.
<br /><br />
To configure the system to ignore the <tt>Ctrl-Alt-Del</tt> key sequence from the
{{% if product != "rhcos4" %}}
command line instead of rebooting the system, do either of the following:
<pre>ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre>
or
<pre>systemctl mask ctrl-alt-del.target</pre>
<br /><br />
Do not simply delete the <tt>/usr/lib/systemd/system/ctrl-alt-del.service</tt> file,
as this file may be restored during future system updates.
{{% else %}}
command line instead of rebooting the system, create a <tt>MachineConfig</tt>
similar to the following:
<pre>
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-disable-ctrlaltdel-reboot
spec:
config:
ignition:
version: 3.1.0
systemd:
units:
- name: ctrl-alt-del.target
mask: true
EOF
</pre>
<p>
This will mask the <tt>ctrl-alt-del.target</tt> systemd target for all the
nodes labeled with the "master" role.
</p>
{{{ machineconfig_description_footer() | indent(4) }}}
{{% endif %}}
rationale: |-
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
severity: high
identifiers:
cce@rhcos4: CCE-82493-8
cce@rhel8: CCE-80785-9
cce@rhel9: CCE-86667-3
cce@rhel10: CCE-90035-7
cce@sle12: CCE-83018-2
cce@sle15: CCE-85625-2
cce@slmicro5: CCE-93744-1
cce@slmicro6: CCE-95054-3
references:
cis-csc: 12,13,14,15,16,18,3,5
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
cui: 3.4.5
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
isa-62443-2009: 4.3.3.7.3
isa-62443-2013: 'SR 2.1,SR 5.2'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
ospp: FAU_GEN.1.2
srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020230
stigid@ol8: OL08-00-040170
stigid@sle12: SLES-12-010610
stigid@sle15: SLES-15-040060
{{% if pkg_system == "dpkg" %}}
platform: not container
{{% endif %}}
ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed'
ocil: |-
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
that the ctrl-alt-del.target is masked and not active with the following
command:
<pre>sudo systemctl status ctrl-alt-del.target</pre>
The output should indicate that the target is masked and not active. It
might resemble following output:
<pre>ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)</pre>
fixtext: |-
Configure the system to disable the ctrl-alt-del.target with the following command:
$ sudo systemctl disable --now ctrl-alt-del.target
$ sudo systemctl mask --now ctrl-alt-del.target
srg_requirement: 'The x86 Ctrl-Alt-Delete key sequence must be disabled on {{{ full_name }}}.'
|
