1.8.5 Ensure GDM screen locks cannot be overridden

Information

GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.

Example Lock File:

# Lock desktop screensaver settings
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-delay

Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.

Without locking down the system settings, user settings take precedence over the system settings.

Solution

Run the following script to ensure screen locks cannot be overridden:

#!/usr/bin/env bash

{
    # Check if GNOME Desktop Manager is installed. If the package isn't installed, the recommendation is Not Applicable

    # Determine the system's package manager
    l_pkgoutput=""
    if command -v dpkg-query > /dev/null 2>&1; then
        l_pq="dpkg-query -W"
    elif command -v rpm > /dev/null 2>&1; then
        l_pq="rpm -q"
    fi
    # Check if GDM is installed
    l_pcl="gdm gdm3" # Space-separated list of packages to check
    for l_pn in $l_pcl; do
        $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - remediating configuration if needed"
    done
    # Check configuration (if applicable)
    if [ -n "$l_pkgoutput" ]; then
        # Look for idle-delay to determine the profile in use, needed for the remaining tests
        l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # Directory of the key file to be locked
        # Look for lock-delay to determine the profile in use, needed for the remaining tests
        l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # Directory of the key file to be locked
        if [ -d "$l_kfd" ]; then # If the key file directory doesn't exist, the option can't be locked
            if grep -Prilq '^\h*/org/gnome/desktop/session/idle-delay\b' "$l_kfd"; then
                echo " - \"idle-delay\" is locked in \"$(grep -Pril '^\h*/org/gnome/desktop/session/idle-delay\b' "$l_kfd")\""
            else
                echo "creating entry to lock \"idle-delay\""
                [ ! -d "$l_kfd"/locks ] && echo "creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
                {
                    echo -e '\n# Lock desktop screensaver idle-delay setting'
                    echo '/org/gnome/desktop/session/idle-delay'
                } >> "$l_kfd"/locks/00-screensaver
            fi
        else
            echo -e " - \"idle-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
        fi
        if [ -d "$l_kfd2" ]; then # If the key file directory doesn't exist, the option can't be locked
            if grep -Prilq '^\h*/org/gnome/desktop/screensaver/lock-delay\b' "$l_kfd2"; then
                echo " - \"lock-delay\" is locked in \"$(grep -Pril '^\h*/org/gnome/desktop/screensaver/lock-delay\b' "$l_kfd2")\""
            else
                echo "creating entry to lock \"lock-delay\""
                [ ! -d "$l_kfd2"/locks ] && echo "creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
                {
                    echo -e '\n# Lock desktop screensaver lock-delay setting'
                    echo '/org/gnome/desktop/screensaver/lock-delay'
                } >> "$l_kfd2"/locks/00-screensaver
            fi
        else
            echo -e " - \"lock-delay\" is not set so it can not be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
        fi
    else
        echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
    fi
}

Run the following command to update the system databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
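The following is an added example, not the benchmark's own remediation script: a small audit function that checks a dconf profile directory for both screensaver locks, paired with an idempotent function that appends only the missing keys. The demo builds a constructed profile directory under a temp dir (the `local.d` name and its contents are assumptions); pass a real `/etc/dconf/db/<profile>.d` path to the functions to check a live system, then run `dconf update`.

```shell
#!/usr/bin/env bash
# Added example: audit a dconf profile directory for the two screensaver
# locks and add whichever are missing. Paths in the demo are constructed.

SCREENSAVER_KEYS="/org/gnome/desktop/session/idle-delay /org/gnome/desktop/screensaver/lock-delay"

# Return 0 if every key is listed in some file under "$1/locks", else 1.
# Each line of a lock file is a key path, so match the whole path on its own.
audit_screensaver_locks() {
    local kfd="$1" rc=0 key
    for key in $SCREENSAVER_KEYS; do
        if [ -d "$kfd/locks" ] && grep -rEq "^[[:space:]]*${key}([[:space:]]|$)" "$kfd/locks"; then
            echo " - locked:     $key"
        else
            echo " - NOT locked: $key"
            rc=1
        fi
    done
    return "$rc"
}

# Append each key that is not yet locked to "$1/locks/00-screensaver".
# Safe to run repeatedly: already-locked keys are never duplicated.
lock_screensaver_keys() {
    local kfd="$1" key
    mkdir -p "$kfd/locks"
    for key in $SCREENSAVER_KEYS; do
        grep -rEq "^[[:space:]]*${key}([[:space:]]|$)" "$kfd/locks" \
            || echo "$key" >> "$kfd/locks/00-screensaver"
    done
}

# Constructed profile resembling /etc/dconf/db/local.d in which only
# idle-delay has been locked, i.e. the partially remediated state.
make_demo_profile() {
    local dir="$1"
    mkdir -p "$dir/locks"
    printf '[org/gnome/desktop/session]\nidle-delay=uint32 900\n' > "$dir/00-screensaver"
    printf '# Lock desktop screensaver settings\n/org/gnome/desktop/session/idle-delay\n' > "$dir/locks/00-screensaver"
}

demo="$(mktemp -d)"
make_demo_profile "$demo/local.d"
audit_screensaver_locks "$demo/local.d" || lock_screensaver_keys "$demo/local.d"
audit_screensaver_locks "$demo/local.d"   # both keys are reported as locked now
rm -rf "$demo"
```

On a real system the lock file only takes effect after `dconf update` regenerates the binary database, so an audit should be run against the profile directory and followed by that command.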

See Also

https://workbench.cisecurity.org/benchmarks/18209