Set GNOME3 Screensaver Lock Delay After Activation Period

Classification:

compliance

Framework:

Control:

Description

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32 

After the settings have been set, run dconf update.

Rationale

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Lock delay in seconds; the value is left empty here and must be set before running
var_screensaver_lock_delay=''

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
    | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
    if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
    fi
fi

# Make sure the target file ends with a newline and contains the section header
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
then
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> "${DCONFFILE}"
fi

# Escape backslashes so the value is safe as a sed replacement, then
# update the existing key or append it right after the section header
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
then
    sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
else
    sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
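
To confirm the result of the remediation, the keyfile can be audited with a section-aware check, since the grep patterns in the script above match lock-delay in any section. The following is an added example, not part of the original rule content; the function names, the maximum-delay parameter and the sample keyfile are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: section-aware audit of lock-delay in a dconf keyfile.

# Print the raw lock-delay value from [org/gnome/desktop/screensaver] only.
# Commented-out lines and same-named keys in other sections are ignored.
get_lock_delay() {
    awk '
        /^[ \t]*\[/ {                        # group header: track current section
            gsub(/[ \t]/, "")
            in_sec = ($0 == "[org/gnome/desktop/screensaver]")
            next
        }
        in_sec && /^[ \t]*lock-delay[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            val = $0                         # a later assignment overrides an earlier one
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# check_lock_delay FILE MAX: succeed when the key is set, typed uint32 and <= MAX.
# MAX is a site policy value in seconds (assumption; the page does not state one).
check_lock_delay() {
    raw=$(get_lock_delay "$1") || { echo "FAIL: lock-delay not set in $1"; return 1; }
    num=$(printf '%s\n' "$raw" | sed -n 's/^uint32[[:space:]]\{1,\}\([0-9]\{1,\}\)$/\1/p')
    if [ -z "$num" ]; then
        echo "FAIL: malformed value '$raw' in $1"; return 1
    fi
    if [ "$num" -gt "$2" ]; then
        echo "FAIL: lock-delay ${num}s exceeds ${2}s in $1"; return 1
    fi
    echo "PASS: lock-delay=$raw in $1"
}

# Constructed sample keyfile (not from the page). On a host, pass
# /etc/dconf/db/local.d/00-security-settings instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[org/gnome/desktop/session]
lock-delay=uint32 900

[org/gnome/desktop/screensaver]
#lock-delay=uint32 300
lock-delay=uint32 5
EOF
check_lock_delay "$sample" 5
```

The check reads the keyfile text only; the setting reaches the compiled database once dconf update has been run, as described above.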