@@ -175,78 +175,78 @@ checks:
175175 - Set "Require password after..." to 5 seconds or less
176176unix :
177177 # GNOME - Only check if GNOME Shell is running
178- - output : pgrep gnome-shell && gsettings get org.gnome.desktop.screensaver lock-enabled
178+ - output : pgrep gnome-shell >/dev/null && gsettings get org.gnome.desktop.screensaver lock-enabled
179179 includes : " false"
180180 remediation :
181181 - Enable screen lock with 'gsettings set org.gnome.desktop.screensaver lock-enabled true'
182182 # MATE - Only check if MATE session is running
183- - output : pgrep mate-session && gsettings get org.mate.screensaver lock-enabled
183+ - output : pgrep mate-session >/dev/null && gsettings get org.mate.screensaver lock-enabled
184184 includes : " false"
185185 remediation :
186186 - Enable screen lock with 'gsettings set org.mate.screensaver lock-enabled true'
187187 # XFCE - Only check if XFCE session is running
188- - output : pgrep xfce4-session && xfconf-query -c xfce4-screensaver -p /saver/enabled
188+ - output : pgrep xfce4-session >/dev/null && xfconf-query -c xfce4-screensaver -p /saver/enabled
189189 includes : " false"
190190 remediation :
191191 - Enable screensaver with 'xfconf-query -c xfce4-screensaver -p /saver/enabled -s true'
192- - output : pgrep xfce4-session && xfconf-query -c xfce4-screensaver -p /lock/enabled
192+ - output : pgrep xfce4-session >/dev/null && xfconf-query -c xfce4-screensaver -p /lock/enabled
193193 includes : " false"
194194 remediation :
195195 - Enable screen lock with 'xfconf-query -c xfce4-screensaver -p /lock/enabled -s true'
196196 # KDE Plasma - Only check if KDE session is running
197- - output : pgrep plasmashell && kreadconfig5 --file kscreenlockerrc --group Daemon --key Autolock
197+ - output : pgrep plasmashell >/dev/null && kreadconfig5 --file kscreenlockerrc --group Daemon --key Autolock
198198 includes : " false"
199199 remediation :
200200 - Enable automatic screen locking in KDE System Settings > Desktop Behavior > Screen Locking
201201 - Or run 'kwriteconfig5 --file kscreenlockerrc --group Daemon --key Autolock true'
202202 # Cinnamon - Only check if Cinnamon is running
203- - output : pgrep cinnamon && gsettings get org.cinnamon.desktop.screensaver lock-enabled
203+ - output : pgrep cinnamon >/dev/null && gsettings get org.cinnamon.desktop.screensaver lock-enabled
204204 includes : " false"
205205 remediation :
206206 - Enable Cinnamon screen lock with 'gsettings set org.cinnamon.desktop.screensaver lock-enabled true'
207207 # Budgie - Only check if Budgie is running
208- - output : pgrep budgie-panel && gsettings get org.gnome.desktop.screensaver lock-enabled
208+ - output : pgrep budgie-panel >/dev/null && gsettings get org.gnome.desktop.screensaver lock-enabled
209209 includes : " false"
210210 remediation :
211211 - Enable Budgie screen lock with 'gsettings set org.gnome.desktop.screensaver lock-enabled true'
212212 # LXQt - Only check if LXQt session is running
213- - output : pgrep lxqt-session && grep -r "lockScreenCommand" ~/.config/lxqt/
213+ - output : pgrep lxqt-session >/dev/null && grep "lockScreenCommand" ~/.config/lxqt/session.conf 2>/dev/null
214214 excludes : " lockScreenCommand"
215215 remediation :
216216 - Configure LXQt screen locking
217217 - Set lockScreenCommand in ~/.config/lxqt/session.conf
218218 - Install a screen locker like light-locker, xscreensaver, or xlock
219219 # LXDE - Only check if LXDE session is running
220- - output : pgrep lxsession && (command -v light-locker || command -v xscreensaver || command -v xlock)
220+ - output : pgrep lxsession >/dev/null && (command -v light-locker || command -v xscreensaver || command -v xlock)
221221 exitcode : 1
222222 remediation :
223223 - Install a screen locker for LXDE
224224 - " Linux/FreeBSD: Install light-locker or xscreensaver"
225225 - " OpenBSD/NetBSD: Install xlock from packages"
226226 # i3 Window Manager - Only check if i3 is running
227- - output : pgrep i3 && grep -r "i3lock\|xautolock\|xss-lock" ~/.config/i3/ ~/.i3/config
227+ - output : pgrep i3 >/dev/null && ( grep "i3lock\|xautolock\|xss-lock" ~/.config/i3/config 2>/dev/null || grep "i3lock\|xautolock\|xss-lock" ~/.i3/config 2>/dev/null)
228228 excludes : " i3lock|xautolock|xss-lock"
229229 remediation :
230230 - Install and configure screen locking for i3
231231 - " Install locker: i3lock, slock, or xlock (varies by OS)"
232232 - " Add to i3 config: 'exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock -n'"
233233 # Openbox Window Manager - Only check if openbox is running
234- - output : pgrep openbox && grep -r "xautolock\|xss-lock" ~/.config/openbox/
234+ - output : pgrep openbox >/dev/null && grep "xautolock\|xss-lock" ~/.config/openbox/autostart 2>/dev/null
235235 excludes : " xautolock|xss-lock"
236236 remediation :
237237 - Configure screen locking for Openbox
238238 - " Add to ~/.config/openbox/autostart: 'xautolock -time 15 -locker \" i3lock -c 000000\" &'"
239239 # Sway (Wayland) - Only check if sway is running
240- - output : pgrep sway && grep -r "exec swayidle" ~/.config/sway/
240+ - output : pgrep sway >/dev/null && grep "exec swayidle" ~/.config/sway/config 2>/dev/null
241241 excludes : " swayidle"
242242 remediation :
243243 - Configure swayidle to lock screen automatically
244244 - " Add to Sway config: 'exec swayidle -w timeout 900 \" swaylock -f\" before-sleep \" swaylock -f\" '"
245245 # Generic X11 fallback - Only if X11 is running but no specific DE detected
246246 - output : >
247- pgrep Xorg && ! (pgrep gnome-shell || pgrep mate-session || pgrep xfce4-session ||
248- pgrep plasmashell || pgrep cinnamon || pgrep budgie-panel || pgrep lxqt-session ||
249- pgrep lxsession || pgrep i3 || pgrep openbox || pgrep sway) && xset q
247+ pgrep Xorg >/dev/null && ! (pgrep gnome-shell >/dev/null || pgrep mate-session >/dev/null || pgrep xfce4-session >/dev/null ||
248+ pgrep plasmashell >/dev/null || pgrep cinnamon >/dev/null || pgrep budgie-panel >/dev/null || pgrep lxqt-session >/dev/null ||
249+ pgrep lxsession >/dev/null || pgrep i3 >/dev/null || pgrep openbox >/dev/null || pgrep sway >/dev/null ) && xset q
250250 includes: "timeout:.*0"
251251 remediation:
252252 - Configure X11 screen saver with 'xset s 900'
@@ -283,11 +283,11 @@ checks:
283283 - Set GNOME screensaver timeout to 15 minutes or less
284284 - Run 'gsettings set org.gnome.desktop.session idle-delay 900'
285285 # MATE - Only check timeout if MATE session is running
286- - output : pgrep mate-session && gsettings get org.mate.screensaver idle -delay
286+ - output : pgrep mate-session && gsettings get org.mate.screensaver lock -delay
287287 includes : " ^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
288288 remediation :
289289 - Set MATE screensaver timeout to 15 minutes or less
290- - Run 'gsettings set org.mate.screensaver idle -delay 15'
290+ - Run 'gsettings set org.mate.screensaver lock -delay 15'
291291 # XFCE - Only check timeout if XFCE session is running
292292 - output : pgrep xfce4-session && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep
293293 includes : " ^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
@@ -319,31 +319,31 @@ checks:
319319 - Set Budgie screensaver timeout to 15 minutes or less
320320 - Run 'gsettings set org.gnome.desktop.session idle-delay 900'
321321 # LXQt - Only check timeout if LXQt session is running
322- - output : pgrep lxqt-session && grep -r "timeBeforeIdleMs" ~/.config/lxqt/
322+ - output : pgrep lxqt-session >/dev/null && grep "timeBeforeIdleMs" ~/.config/lxqt/lxqt-config-powermanagement.conf 2>/dev/null
323323 includes : " timeBeforeIdleMs.*([9][1-9][0-9][0-9][0-9][0-9]|[1-9][0-9]{6,})"
324324 remediation :
325325 - Set LXQt idle timeout to 15 minutes (900000 ms) or less
326326 - Configure in LXQt System Settings > Power Management
327327 # LXDE - Only check timeout if LXDE session is running
328- - output : pgrep lxsession && grep -r "sleep_display_ac" ~/.config/lxsession/ / etc/xdg/lxsession/
328+ - output : pgrep lxsession >/dev/null && ( grep "sleep_display_ac" ~/.config/lxsession/LXDE/desktop.conf 2>/dev/null || grep "sleep_display_ac" / etc/xdg/lxsession/LXDE/desktop.conf 2>/dev/null)
329329 includes : " sleep_display_ac.*([1-9][6-9]|[2-9][0-9]|[1-9][0-9]{2,})"
330330 remediation :
331331 - Set LXDE display sleep to 15 minutes or less
332332 - Edit ~/.config/lxsession/LXDE/desktop.conf and set sleep_display_ac=15
333333 # Sway - Only check timeout if sway is running
334- - output : pgrep sway && grep -r "timeout" ~/.config/sway/
334+ - output : pgrep sway >/dev/null && grep "timeout" ~/.config/sway/config 2>/dev/null
335335 includes : " timeout [9][1-9][0-9][0-9]|timeout [1-9][0-9]{4,}"
336336 remediation :
337337 - Configure swayidle timeout to 15 minutes (900 seconds) or less
338338 - " Add to Sway config: 'exec swayidle -w timeout 900 \" swaylock -f\" '"
339339 # i3 Window Manager - Only check timeout if i3 is running
340- - output : pgrep i3 && grep -r "xautolock.*-time" ~/.config/i3/ ~/.i3/config
340+ - output : pgrep i3 >/dev/null && ( grep "xautolock.*-time" ~/.config/i3/config 2>/dev/null || grep "xautolock.*-time" ~/.i3/config 2>/dev/null)
341341 includes : " -time [1-9][6-9]|-time [2-9][0-9]|-time [1-9][0-9]{2,}"
342342 remediation :
343343 - Configure xautolock timeout to 15 minutes or less
344344 - " Add to i3 config: 'exec --no-startup-id xautolock -time 15 -locker \" i3lock -c 000000\" '"
345345 # Openbox - Only check timeout if openbox is running
346- - output : pgrep openbox && grep -r "xautolock.*-time" ~/.config/openbox/
346+ - output : pgrep openbox >/dev/null && grep "xautolock.*-time" ~/.config/openbox/autostart 2>/dev/null
347347 includes : " -time [1-9][6-9]|-time [2-9][0-9]|-time [1-9][0-9]{2,}"
348348 remediation :
349349 - Configure xautolock timeout to 15 minutes or less
0 commit comments