1.8.4 Ensure GDM screen locks when the user is idle

Information

GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.

- idle-delay=uint32 {n} - Number of seconds of inactivity before the screen goes blank
- lock-delay=uint32 {n} - Number of seconds after the screen is blank before locking the screen

Example key file:

# Specify the dconf path
[org/gnome/desktop/session]

# Number of seconds of inactivity before the screen goes blank
# Set to 0 seconds if you want to deactivate the screensaver.
idle-delay=uint32 900

# Specify the dconf path
[org/gnome/desktop/screensaver]

# Number of seconds after the screen is blank before locking the screen
lock-delay=uint32 5

Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.

Solution

Create or edit a file in the /etc/dconf/profile/ directory and verify that it includes the following:

user-db:user
system-db:{NAME_OF_DCONF_DATABASE}

Note: local is the name of a dconf database used in the examples.

Example:

# echo -e '
user-db:user
system-db:local' >> /etc/dconf/profile/user

Create the directory /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/ if it doesn't already exist:

Example:

# mkdir /etc/dconf/db/local.d

Create the key file /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/{FILE_NAME} to provide information for the {NAME_OF_DCONF_DATABASE} database:

Example script:

#!/usr/bin/env bash

{
   l_key_file="/etc/dconf/db/local.d/00-screensaver"
   l_idmv="900" # Set max value for idle-delay in seconds (between 1 and 900)
   l_ldmv="5" # Set max value for lock-delay in seconds (between 0 and 5)
   {
      echo '# Specify the dconf path'
      echo '[org/gnome/desktop/session]'
      echo ''
      echo '# Number of seconds of inactivity before the screen goes blank'
      echo '# Set to 0 seconds if you want to deactivate the screensaver.'
      echo "idle-delay=uint32 $l_idmv"
      echo ''
      echo '# Specify the dconf path'
      echo '[org/gnome/desktop/screensaver]'
      echo ''
      echo '# Number of seconds after the screen is blank before locking the screen'
      echo "lock-delay=uint32 $l_ldmv"
   } > "$l_key_file"
}

Note: You must include the uint32 along with the integer key values as shown.

Run the following command to update the system databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
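
Added audit example (not part of the benchmark text): a POSIX shell check that a key file sets both values with the uint32 type and within the limits used above (idle-delay 1 to 900, lock-delay 0 to 5). It reads one key file as text rather than the compiled dconf database, and the function names get_key, check_uint32 and audit_screen_lock are illustrative.

```sh
#!/bin/sh
# Added example (not from the benchmark): audit one dconf key file against the
# limits used above: idle-delay 1-900 and lock-delay 0-5, both typed uint32.

# get_key FILE SECTION KEY: print KEY's value from [SECTION], whitespace-normalised
get_key() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
    in_sec && index($0, "=") {
      k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v)
        gsub(/[ \t]+/, " ", v); sub(/ $/, "", v)
      }
    }
    END { print v }' "$1"
}

# check_uint32 VALUE MIN MAX: succeed only for "uint32 N" with MIN <= N <= MAX
check_uint32() {
  n=${1#uint32 }
  [ "$n" != "$1" ] || return 1                   # type prefix missing, or key unset
  case $n in ''|*[!0-9]*) return 1 ;; esac       # not a plain non-negative integer
  [ "$n" -ge "$2" ] && [ "$n" -le "$3" ]
}

# audit_screen_lock FILE: return 0 if both keys are present, typed and in range
audit_screen_lock() {
  rc=0
  idle=$(get_key "$1" org/gnome/desktop/session idle-delay)
  lock=$(get_key "$1" org/gnome/desktop/screensaver lock-delay)
  check_uint32 "$idle" 1 900 || { echo "FAIL idle-delay='${idle:-unset}'"; rc=1; }
  check_uint32 "$lock" 0 5 || { echo "FAIL lock-delay='${lock:-unset}'"; rc=1; }
  return "$rc"
}

# Constructed sample: idle-delay lacks the uint32 type, lock-delay exceeds 5 seconds
sample=$(mktemp)
printf '%s\n' '[org/gnome/desktop/session]' 'idle-delay=900' \
  '[org/gnome/desktop/screensaver]' 'lock-delay=uint32 30' > "$sample"
audit_screen_lock "$sample" || echo "sample key file is not compliant"
rm -f "$sample"
```

To check the file written by the example script, call audit_screen_lock /etc/dconf/db/local.d/00-screensaver.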

See Also

https://workbench.cisecurity.org/benchmarks/13007