Set GNOME3 Screensaver Inactivity Timeout
Description
The idle time-out for inactivity in the GNOME3 desktop is controlled by the idle-delay setting. It must be set in an appropriate configuration file under the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Rationale
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

inactivity_timeout_value='900'

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\[org/gnome/desktop/session\]" "/etc/dconf/db/" \
                                | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\s*idle-delay\s*=" "${SETTINGSFILES[@]}"
    then
        sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
    fi
fi

# Make sure the target keyfile ends with a newline before appending to it,
# then add the [org/gnome/desktop/session] group if it is missing
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\[org/gnome/desktop/session\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/session]" >> "${DCONFFILE}"
fi

# Escape backslashes so the value can be used safely in the sed replacement
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
if grep -q "^\s*idle-delay\s*=" "${DCONFFILE}"
then
    # Replace the existing assignment in place
    sed -i "s/\s*idle-delay\s*=\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
else
    # Insert the assignment directly after the group header
    sed -i "\|\[org/gnome/desktop/session\]|a\idle-delay=${escaped_value}" "${DCONFFILE}"
fi

# Compile the keyfiles into the binary dconf database
dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
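The remediation above writes idle-delay into the local.d keyfile, while the Description also requires the key to be locked under /etc/dconf/db/local.d/locks. The following audit script is an added example and is not part of the ComplianceAsCode rule or its remediation: it resolves the effective idle-delay value from a dconf database directory (ignoring commented-out lines, which is what the remediation leaves behind in other databases), checks it against a maximum, and verifies that the key is locked. The function names check_idle_delay_config and make_fixture are my own, the fixtures it runs on are constructed in a temporary directory, and it assumes that dconf applies the keyfiles of a database directory in sorted name order (so a later file's assignment wins) and that lock files list one key path per line.

```shell
#!/bin/bash
# Added example (not from the ComplianceAsCode rule): audit a dconf system
# database directory, e.g. /etc/dconf/db/local.d, for the idle-delay setting
# and for the lock that stops users from overriding it.
# Assumptions: keyfiles are applied in sorted name order (last assignment
# wins); lock files contain one key path per line.

# check_idle_delay_config DBDIR [MAX_SECONDS]
# Returns 0 when idle-delay is a non-zero value of at most MAX_SECONDS
# (default 900) and the key is locked; otherwise prints the reason, returns 1.
check_idle_delay_config() {
    dbdir="$1"
    max="${2:-900}"

    # Collect only regular keyfiles; the locks/ subdirectory is not a keyfile.
    set --
    for f in "$dbdir"/*; do
        [ -f "$f" ] && set -- "$@" "$f"
    done
    if [ "$#" -eq 0 ]; then
        echo "no dconf keyfiles found in $dbdir"
        return 1
    fi

    # Effective value: only assignments inside [org/gnome/desktop/session]
    # count, comment lines are skipped, and the last assignment seen wins.
    value=$(awk '
        FNR == 1                 { insec = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/              { s = $0; gsub(/[ \t]/, "", s)
                                   insec = (s == "[org/gnome/desktop/session]"); next }
        insec && /^[ \t]*idle-delay[ \t]*=/ {
            v = $0
            sub(/^[ \t]*idle-delay[ \t]*=[ \t]*/, "", v)   # drop the key
            sub(/^uint32[ \t]*/, "", v)                     # drop the GVariant type prefix
            sub(/[ \t]+$/, "", v)
            val = v
        }
        END { print val }
    ' "$@")

    case "$value" in
        '' | *[!0-9]*)
            echo "idle-delay is not set to an unsigned integer (found: '${value:-unset}')"
            return 1 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "idle-delay=0 disables idle detection, so the session never locks"
        return 1
    fi
    if [ "$value" -gt "$max" ]; then
        echo "idle-delay=$value exceeds the maximum of $max seconds"
        return 1
    fi

    # The value is only enforced when a lock file names the key path exactly.
    if ! { [ -d "$dbdir/locks" ] && \
           grep -rqxF '/org/gnome/desktop/session/idle-delay' "$dbdir/locks"; }; then
        echo "idle-delay=$value is set but not locked under $dbdir/locks"
        return 1
    fi

    echo "idle-delay=$value is set and locked"
    return 0
}

# make_fixture DIR SECONDS LOCKED(0|1): write a constructed keyfile and,
# optionally, a lock file, so the check runs without touching /etc/dconf.
make_fixture() {
    mkdir -p "$1/locks"
    printf '[org/gnome/desktop/session]\nidle-delay=uint32 %s\n' "$2" > "$1/00-security-settings"
    if [ "$3" -eq 1 ]; then
        printf '/org/gnome/desktop/session/idle-delay\n' > "$1/locks/00-security-settings"
    fi
}

# Demonstration on constructed fixtures only.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/compliant" 900 1
    make_fixture "$tmp/too-long"  1800 1
    make_fixture "$tmp/unlocked"  600 0
    for d in compliant too-long unlocked; do
        printf '%-10s ' "$d"
        check_idle_delay_config "$tmp/$d" 900 || true
    done
    rm -rf "$tmp"
}
demo
```

To audit a live host, call check_idle_delay_config /etc/dconf/db/local.d 900 as root; a non-zero exit with the printed reason is what a compliance scanner would report, and the lock check is the part that the remediation script on this page does not perform.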
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86510-5
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - PCI-DSSv4-8.2.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: XCCDF Value inactivity_timeout_value # promote to variable
  set_fact:
    inactivity_timeout_value: !!str 900
  tags:
  - always

- name: Set GNOME3 Screensaver Inactivity Timeout
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/session
    option: idle-delay
    value: uint32 {{ inactivity_timeout_value }}
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86510-5
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - PCI-DSSv4-8.2.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86510-5
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - PCI-DSSv4-8.2.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy