Skip to content

1.7.5 Ensure GDM screen locks cannot be overridden

Audit#

Run the following script to verify that the screen lock cannot be overridden:

#!/usr/bin/env bash
{
a_output=() a_output2=()
f_check_setting()
{
grep -Psrilq -- "^\h*$2\b" /etc/dconf/db/local.d/locks/* && \
echo "- \"$3\" is locked" || echo "- \"$3\" is not locked or not set"
}
declare -A settings=(
["idle-delay"]="/org/gnome/desktop/session/idle-delay"
["lock-delay"]="/org/gnome/desktop/screensaver/lock-delay"
)
for setting in "${!settings[@]}"; do
result=$(f_check_setting "$setting" "${settings[$setting]}" "$setting")
if [[ $result == *"is not locked"* || $result == *"not set to false"* ]]; then
a_output2+=("$result")
else
a_output+=("$result")
fi
done
printf '%s\n' "" "- Audit Result:"
if [ "${#a_output2[@]}" -gt 0 ]; then
printf '%s\n' " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}"
else
printf '%s\n' " ** PASS **" "${a_output[@]}"
fi
}

Remediation#

  1. To prevent the user from overriding these settings, create the file /etc/dconf/db/local.d/locks/00-screensaver with the following content:

    # Lock desktop screensaver settings
    /org/gnome/desktop/session/idle-delay
    /org/gnome/desktop/screensaver/lock-delay
    

  2. Update the system databases:

    # dconf update
    

Note: - A user profile must exist in order to apply locks. - Users must log out and back in again before the system-wide settings take effect.