{"description": "The idle time-out value for inactivity in the GNOME3 desktop is configured via the <tt>idle-delay</tt>\nsetting, which must be set in the appropriate configuration file(s) in the <tt>/etc/dconf/db/local.d</tt> directory\nand locked in the <tt>/etc/dconf/db/local.d/locks</tt> directory to prevent user modification.\n<br /><br />\nFor example, to configure the system for a 15-minute delay, add the following to\n<tt>/etc/dconf/db/local.d/00-security-settings</tt>:\n<pre>[org/gnome/desktop/session]\nidle-delay=uint32 900</pre>", "rationale": "A session time-out lock is a temporary action taken when a user stops work and moves away from\nthe immediate physical vicinity of the information system but does not logout because of the\ntemporary nature of the absence. Rather than relying on the user to manually lock their operating\nsystem session prior to vacating the vicinity, GNOME3 can be configured to identify when\na user's session has idled and take action to initiate a session lock.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cjis": ["5.5.5"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["AC-11(a)", "CM-6(a)"], "nist-csf": ["PR.AC-7"], "pcidss": ["Req-8.1.8"], "srg": ["SRG-OS-000029-GPOS-00010", "SRG-OS-000031-GPOS-00012"], "cis": ["1.7.4", "1.7.5"], "pcidss4": ["8.2.8", "8.2"], "stigid": ["UBTU-22-271025"], "stigref": ["SV-260538r958402_rule"]}, "control_references": {"cis": ["1.7.4", "1.7.5"], "pcidss4": ["8.2.8", "8.2"], "stigid": ["UBTU-22-271025"]}, "components": [], "identifiers": {}, "ocil_clause": "idle-delay is set to 0 or a value greater than <sub 
idref=\"inactivity_timeout_value\" />", "ocil": "To check the current idle time-out value, run the following command:\n<pre>$ gsettings get org.gnome.desktop.session idle-delay</pre>\nIf properly configured, the output should be <tt>'uint32 <sub idref=\"inactivity_timeout_value\" />'</tt>.\nTo ensure that users cannot change the screensaver inactivity timeout setting, run the following:\n<pre>$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre>\nIf properly configured, the output should be <tt>/org/gnome/desktop/session/idle-delay</tt>", "oval_external_content": null, "fixtext": "The dconf settings can be edited in the /etc/dconf/db/* location.\n\nFirst, add or update the [org/gnome/desktop/session] section of the \"/etc/dconf/db/local.d/00-security-settings\" database file and add or update the following lines:\n\n[org/gnome/desktop/session]\nidle-delay=uint32 <sub idref=\"inactivity_timeout_value\" />\n\nThen, add the following line to \"/etc/dconf/db/local.d/locks/00-security-settings-lock\" to prevent user modification:\n\n/org/gnome/desktop/session/idle-delay\n\nFinally, update the dconf system databases:\n\n$ sudo dconf update", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must automatically lock graphical user sessions after 15 minutes of inactivity.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must automatically lock graphical user sessions after 15 minutes of inactivity.", "vuldiscussion": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. 
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock.", "checktext": "Verify Ubuntu 22.04 initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command:\n\nNote: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ sudo gsettings get org.gnome.desktop.session idle-delay\n\nuint32 900\n\nIf \"idle-delay\" is set to \"0\" or a value greater than \"900\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/00-screensaver\n\nEdit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:\n\n[org/gnome/desktop/session]\n# Set the lock time out to 900 seconds before the session is considered idle\nidle-delay=uint32 900\n\nUpdate the system databases:\n\n$ sudo dconf update"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Set GNOME3 Screensaver Inactivity Timeout", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml", "template": null}