I've been working (struggling?) to understand how to get the screensaver for root to function properly, lock the screen after so much time, etc......

Any and all help to get this to function is greatly appreciated.

R,
-Joe Wulf

First of all it would be good to know if you are using any window manager (e. g. Gnome or KDE) or if you want to simply lock the console without X.

For console, screen may do the trick. You can lock the CLI with CTRL+A+X. Also vlock can be used to lock out people from an unattended terminal. if you use the bash shell you could use the timeout to lock you out after you leave the desk for a user defined time.

For example this will you logout from bash after 5minutes inactivity:
If you run screen, this session may be resumed.

If you use Gnome, the default window manager for RHEL4, you can access the settings for the screensaver with RedHat-(Applications)-Menu->Preferences->Screensaver. Set Blank Screen and Lock Out as desired.

A note from [1]:
If you use KDE then you should run KDE Control Center->Appearance & Themes->Screensaver. There you can enable the screensaver to start automatically (e.g. 15 minutes). Also you can set a password that is required to deactivate it. You should use only blank screen. Some screensavers really use massive ressources (although at a low priority).

[1] http://www.jwz.org/xscreensaver/faq.html#root-lock

Brian,

You asked good questions and gave good insights and gave good advice. Thank you.
1. I'm using RHEL AS4 (any/all updates) and both 32 and 64 bit.
2. Gnome is the default and standard desktop GUI used here, when they initiate a GUI. The system norm is to be at runlevel 3 with 'xfs' stopped. And sudo is enabled/configured for these folks.

I'm building a general secure baseline for others to use. Generally they'll have to live with the hardening I put in place, though they can modify anything based upon need and secondary approval, supported by justification.

I heartily agree that to never (or as close as possible) log in as root is the ideal. As a practical matter, I know for a fact that there are many SysAdmins who'll LIVE at the root prompt regardless of the security measures put in place. Especially for those who'll take my baseline and play with it for days, or weeks to establish the newest version of their application, or whatever.

One of the things I've done through pam is disable all local and remote root login's, both for the text console and within the Gnome GUI. However, once a SysAdmin has logged in with their userID and switched to root, then can start 'xfs' and execute 'startx'. I'm quite aware of this as a prolific 'norm'. Yes, I know it is bad. I do not have any power to influence anyone who uses my build, other than to make it difficult to 'get' there.

Along the way I have folks to answer to as far as how secure my baseline build is. One of the things among many I know they are looking at is the screensaver for all accounts. Thus my rationalle for seeking some technical solution to lock the console via the screensaver.