Skip to content

1.7.4 Ensure GDM screen locks when the user is idle

Audit#

Run the following script to verify that the screen locks when the user is idle: 

# gsettings get org.gnome.desktop.screensaver lock-delay
uint32 5

# gsettings get org.gnome.desktop.session idle-delay
uint32 900

Note: - lock-delay=uint32 {n} - should be 5 seconds or less and follow local site policy - idle-delay=uint32 {n} - should be 900 seconds (15 minutes) or less, not 0 (disabled) and follow local site policy

Remediation#

- IF - A user profile is already created run the following commands to enable screen locks when the user is idle: 

# gsettings set org.gnome.desktop.screensaver lock-delay 5
# gsettings set org.gnome.desktop.session idle-delay 900
Note: - gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned. - The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess. - If the dconf database is not updating correctly due to umask requirements contain in the benchmark, then use (umask 0022 && gsetting set) commands from above to temporarily set umask ensuring that any files or directories created by gsettings will have the required permissions.

- OR/IF - A user profile does not exist: 1. Create or edit the user profile in the /etc/dconf/profile/gdm with the following lines: 

user-db:user
system-db:{NAME_OF_DCONF_DATABASE}
Note: local is the name of a dconf database used in the examples.

  1. Create the directory /etc/dconf/db/local.d/ if it doesn't already exist:

  2. Create the key file /etc/dconf/db/local.d/00-screensaver to provide information for the local database:

Example key file: 

# Specify the dconf path
[org/gnome/desktop/session]

# Number of seconds of inactivity before the screen goes blank
# Set to 0 seconds if you want to deactivate the screensaver.
idle-delay=uint32 180

# Specify the dconf path
[org/gnome/desktop/screensaver]

# Number of seconds after the screen is blank before locking the screen
lock-delay=uint32 0

Note: You must include the uint32 along with the integer key values as shown.

  1. Run the following command to update the system databases: 

    # dconf update

  2. Users must log out and back in again before the system-wide settings take effect.