Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
An XCCDF Rule
Description
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/idle-activation-enabled to /etc/dconf/db/local.d/00-security-settings.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
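An audit check for the state this rule describes, added here as an example and not taken from the SSG content: it reports whether the key has an active lock line and whether the compiled database was rebuilt after the lock file changed. The helper name `check_idle_lock` is hypothetical, the mtime comparison is a heuristic, and the check assumes dconf's usual layout, in which lock entries are read from a `locks/` subdirectory of the database directory and `dconf update` writes the compiled database next to it.

```sh
#!/bin/sh
# Added audit example (not SSG code). The lock key is taken from the rule above.
KEY="/org/gnome/desktop/screensaver/idle-activation-enabled"

# check_idle_lock [DB_ROOT] [DB_NAME]   (hypothetical helper)
# Prints one word and returns:
#   0 locked  - active lock line found, compiled database not older than it
#   1 missing - no uncommented, exact lock line in <DB_NAME>.d/locks
#   2 stale   - lock line exists but the compiled database is absent or
#               older than the lock file, i.e. `dconf update` is still needed
check_idle_lock() {
    db_root=${1:-/etc/dconf/db}
    db_name=${2:-local}
    locks_dir="$db_root/$db_name.d/locks"   # assumed standard dconf layout
    compiled="$db_root/$db_name"            # binary database written by dconf update

    # -x whole-line, -F literal: "#/org/..." or a longer key path never matches.
    if ! grep -rqxF -- "$KEY" "$locks_dir" 2>/dev/null; then
        echo missing
        return 1
    fi
    if [ ! -f "$compiled" ]; then
        echo stale
        return 2
    fi
    # Lock files that contain the key and were modified after the last compile.
    newer=$(find "$locks_dir" -type f -newer "$compiled" \
                -exec grep -lxF -- "$KEY" {} + 2>/dev/null || true)
    if [ -n "$newer" ]; then
        echo stale
        return 2
    fi
    echo locked
}

# Usage: check_idle_lock                      # audits /etc/dconf/db/local(.d)
#        check_idle_lock /tmp/fixture local   # audits a constructed fixture tree
```

A commented-out entry, which is what the remediation script's matching pattern also skips, is reported as `missing` rather than `locked`.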
Rationale
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
- ID: xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
- Severity: Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
    # Check for setting in any of the DConf db directories
    LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
        | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
    # The listing on this page ends here; the remaining remediation steps are not shown.
fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86819-0
  - CJIS-5.5.5