[Docs] Set graphical session locks

This patch adds documentation for:

  https://review.openstack.org/396410

Implements: blueprint security-rhel7-stig
Change-Id: I0d87bfa9c17a9ee3732c22f5a02cf2004025c8fd

doc/metadata/rhel7/RHEL-07-010060.rst

@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-010060
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that graphical sessions are locked when the screensaver
+starts and that users must re-enter credentials to restore access to the
+system. The screensaver lock is enabled by default if ``dconf`` is present on
+the system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_lock_session: no

doc/metadata/rhel7/RHEL-07-010070.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010070
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+The session inactivity timeout is set to 900 seconds to meet the STIG
+requirements.  After this time, users must re-enter their credentials to regain
+access to the system.
+
+Deployers can adjust this timeout by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_lock_session_inactive_delay: 900

doc/metadata/rhel7/RHEL-07-010071.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010071
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+The STIG does not allow regular users to override the system-wide settings for
+graphical session locks. These settings are locked out by default.
+
+Deployers can opt out of overriding user settings for session locks by setting
+the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_lock_session_override_user: no

doc/metadata/rhel7/RHEL-07-010073.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010073
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that the screensaver appears when a session reaches a certain
+period of inactivity. The tasks will enable the screensaver for inactive
+sessions by default.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_lock_session_when_inactive: no

doc/metadata/rhel7/RHEL-07-010074.rst

@@ -1,7 +1,20 @@
 ---
 id: RHEL-07-010074
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that a graphical session is locked when the screensaver
+starts. This requires a user to re-enter their credentials to regain access to
+the system.
+
+The tasks will set a timeout of 5 seconds after the screensaver has started
+before the session is locked. This gives a user a few seconds to press a key or
+wiggle their mouse after the screensaver appears without needing to re-enter
+their credentials.
+
+Deployers can adjust this timeout by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_lock_session_screensaver_lock_delay: 5