{"description": "To activate the locking delay of the screensaver in the GNOME3 desktop when\nthe screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 <sub idref=\"var_screensaver_lock_delay\" /></tt> in\n<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/desktop/screensaver]\nlock-delay=uint32 <sub idref=\"var_screensaver_lock_delay\" />\n</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity\nof the information system but does not want to logout because of the temporary nature of the absence.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["AC-11(a)", "CM-6(a)"], "nist-csf": ["PR.AC-7"], "pcidss": ["Req-8.1.8"], "srg": ["SRG-OS-000029-GPOS-00010", "SRG-OS-000031-GPOS-00012"], "cis": ["1.7.4", "1.7.5"], "pcidss4": ["8.2.8", "8.2"], "stigid": ["UBTU-22-271025"], "stigref": ["SV-260538r958402_rule"]}, "control_references": {"cis": ["1.7.4", "1.7.5"], "pcidss4": ["8.2.8", "8.2"], "stigid": ["UBTU-22-271025"]}, "components": [], "identifiers": {}, "ocil_clause": "the screensaver lock delay is missing, or is set to a value greater than <sub idref=\"var_screensaver_lock_delay\" />", "ocil": "To check that the screen locks immediately when activated, run the following command:\n<pre>$ gsettings get org.gnome.desktop.screensaver lock-delay</pre>\nIf properly configured, the output should be <tt>'uint32 <sub idref=\"var_screensaver_lock_delay\" />'</tt>.", "oval_external_content": null, "fixtext": "The dconf settings can be edited in the /etc/dconf/db/* location.\n\nFirst, add or update the [org/gnome/desktop/screensaver/lock-delay] section of the \"/etc/dconf/db/local.d/00-security-settings\" database file and add or update the following lines:\n\n[org/gnome/desktop/screensaver/lock-delay]\nlock-delay=<sub idref=\"var_screensaver_lock_delay\" />\n\nThen, add the following line to \"/etc/dconf/db/local.d/locks/00-security-settings-lock\" to prevent user modification:\n\n/org/gnome/desktop/screensaver/lock-delay/lock-delay\n\nFinally, update the dconf system databases:\n\n$ sudo dconf update", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must initiate a session lock for graphical user interfaces when the screensaver is activated.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must initiate a session lock for graphical user interfaces when the screensaver is activated.", "vuldiscussion": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absence.", "checktext": "Verify Ubuntu 22.04 initiates a session lock for graphical user interfaces when the screensaver is activated with the following command:\n\nNote: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ gsettings get org.gnome.desktop.screensaver lock-delay\n\nuint32 5\n\nIf the \"uint32\" setting is not set to \"5\" or less, or is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to initiate a session lock for graphical user interfaces when a screensaver is activated.\n\nCreate a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:\n\nNote: The example below is using the database \"local\" for the system, so if the system is using another database in \"/etc/dconf/profile/user\", the file should be created under the appropriate subdirectory.\n\n$ sudo touch /etc/dconf/db/local.d/00-screensaver\n\n[org/gnome/desktop/screensaver]\nlock-delay=uint32 5\n\nThe \"uint32\" must be included along with the integer key values as shown.\n\nUpdate the system databases:\n\n$ sudo dconf update"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Set GNOME3 Screensaver Lock Delay After Activation Period", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml", "template": null}