1.8.4 Ensure GDM screen locks when the user is idle - idle-delay

Information

GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.

idle-delay=uint32 {n} - Number of seconds of inactivity before the screen goes blank

lock-delay=uint32 {n} - Number of seconds after the screen is blank before locking the screen

Example key file:

# Specify the dconf path
[org/gnome/desktop/session]

# Number of seconds of inactivity before the screen goes blank
# Set to 0 seconds if you want to deactivate the screensaver.
idle-delay=uint32 900

# Specify the dconf path
[org/gnome/desktop/screensaver]

# Number of seconds after the screen is blank before locking the screen
lock-delay=uint32 5

Rationale:

Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.

Solution

Create or edit a file in the /etc/dconf/profile/ directory and verify it includes the following:

user-db:user
system-db:{NAME_OF_DCONF_DATABASE}

Note: local is the name of a dconf database used in the examples.
Example:

# echo -e '
user-db:user
system-db:local' >> /etc/dconf/profile/user

Create the directory /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/ if it doesn't already exist:
Example:

# mkdir /etc/dconf/db/local.d

Create the key file /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/{FILE_NAME} to provide information for the {NAME_OF_DCONF_DATABASE} database:
Example script:

#!/usr/bin/env bash

{
l_key_file='/etc/dconf/db/local.d/00-screensaver'
l_idmv='900' # Set max value for idle-delay in seconds (between 1 and 900)
l_ldmv='5' # Set max value for lock-delay in seconds (between 0 and 5)
{
echo '# Specify the dconf path'
echo '[org/gnome/desktop/session]'
echo ''
echo '# Number of seconds of inactivity before the screen goes blank'
echo '# Set to 0 seconds if you want to deactivate the screensaver.'
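echo "idle-delay=uint32 $l_idmv" # double quotes so the variable is expanded
echo ''
echo '# Specify the dconf path'
echo '[org/gnome/desktop/screensaver]'
echo ''
echo '# Number of seconds after the screen is blank before locking the screen'
echo "lock-delay=uint32 $l_ldmv" # double quotes so the variable is expanded
} > "$l_key_file" # write to the path held in l_key_file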
}

Note: You must include the uint32 along with the integer key values as shown.
Run the following command to update the system databases:

# dconf update

Note: Users must log out and back in again before the system-wide settings take effect.
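
To confirm a key file carries the values described above, the following added example (not part of the benchmark text) parses a key file and checks idle-delay against 1-900 and lock-delay against 0-5, treating a value without the uint32 prefix as not set. The function names get_uint32 and check_keyfile and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not benchmark code: audit a dconf key file against the
# limits this page uses. get_uint32 and check_keyfile are hypothetical helpers.

# Print the uint32 value of KEY under [SECTION] in FILE. Prints nothing when
# the key is absent or is missing the required "uint32" type prefix.
get_uint32() { # usage: get_uint32 FILE SECTION KEY
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=[ \t]*uint32[ \t]+[0-9]+[ \t]*$") { val = $NF }
    END { if (val != "") print val }' "$1"
}

# Return 0 when idle-delay is 1..900 and lock-delay is 0..5; otherwise print
# the reason for each failure and return 1.
check_keyfile() { # usage: check_keyfile FILE
  l_idle=$(get_uint32 "$1" org/gnome/desktop/session idle-delay)
  l_lock=$(get_uint32 "$1" org/gnome/desktop/screensaver lock-delay)
  l_rc=0
  if [ -z "$l_idle" ]; then
    echo "FAIL: idle-delay is not set as uint32"; l_rc=1
  elif [ "$l_idle" -lt 1 ] || [ "$l_idle" -gt 900 ]; then
    echo "FAIL: idle-delay=$l_idle (expected 1-900)"; l_rc=1
  fi
  if [ -z "$l_lock" ]; then
    echo "FAIL: lock-delay is not set as uint32"; l_rc=1
  elif [ "$l_lock" -gt 5 ]; then
    echo "FAIL: lock-delay=$l_lock (expected 0-5)"; l_rc=1
  fi
  [ "$l_rc" -eq 0 ] && echo "PASS: idle-delay=$l_idle lock-delay=$l_lock"
  return "$l_rc"
}

# Constructed sample key files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' '[org/gnome/desktop/session]' 'idle-delay=uint32 900' \
  '[org/gnome/desktop/screensaver]' 'lock-delay=uint32 5' > "$demo_dir/good"
# idle-delay of 0 deactivates the screensaver; lock-delay lacks the uint32 prefix.
printf '%s\n' '[org/gnome/desktop/session]' 'idle-delay=uint32 0' \
  '[org/gnome/desktop/screensaver]' 'lock-delay=5' > "$demo_dir/bad"

check_keyfile "$demo_dir/good"
check_keyfile "$demo_dir/bad" || true
```

On a real system, pass the key file created above, for example check_keyfile /etc/dconf/db/local.d/00-screensaver.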

See Also

https://workbench.cisecurity.org/files/4115