[CentOS] How to disable screen locking system-wide?

Thu Jan 20 11:02:38 UTC 2011
Giles Coochey <giles at coochey.net>

On 20/01/2011 11:55, Rudi Ahlers wrote:
> On Thu, Jan 20, 2011 at 12:00 PM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
>> I think I see things differently.  Allowing others to access your account *is*
>> a security risk.  It potentially opens confidential data open to other people,
>> and leaves that specific user open to abuse through people using their
>> machine.  You might as well just pin your passwords on the notice board and be
>> done.  After all, you trust all your staff.
> I don't agree with that, sorry.
> A few years ago one of our staff members decided his salary isn't good
> enough so he started a side-line business, on our company time. He
> stole some of our client's data (contact details, emails, and even
> contracts) and sold it to 3rd parties. This went on for about 6 months
> before we actually realized what was going on.
> Needless to say, he was fined heavily and sent to jail for 3 years.
> So, I don't care if you feel the PC is yours, as long as it's a
> company PC, with company data and company property, we will take a
> look at the data on it.
> I'm not talking about your home / private PC, that's an altogether
> different story.
I disagree. There are two points here.

A user account should belong to the person who has been assigned that 
account. They are the only person who should be able to use that 
account. This is critical if you are going to have an audit trail as to 
who did what and when. If someone else is able to use an account, be it 
by not locking unattended workstations or by sharing of passwords then 
the staff member who went to jail would have had a very good defence.

Now, the data that is owned by an account is a completely different 
matter, this is why computer file systems have both access control lists 
as well as owners defined for the files, as well as access and 
modification times. Any _data_ on a business system belongs to the 
business and the access control list defines who has been given the 
responsibility and permissions to access that data.

Data and Accounts are distinct, and the policies regarding their use 
should be distinct too.

Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles at coochey.net
Skype: gilescoochey
