Enable graphical login banner

This patch enables login warning banners on graphical logins. Docs will be in a follow-on patch. Implements: blueprint security-rhel7-stig Change-Id: I9aa7e2c2691b0d2c0659826037909bf43cef0505
2016-11-14 09:23:13 -06:00 · 2016-11-14 09:23:13 -06:00 · 85630fd27f
commit 85630fd27f
parent 449bc820e6
4 changed files with 47 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -446,6 +446,12 @@ security_lock_session_override_user: yes                     # RHEL-07-010071
 security_lock_session_when_inactive: yes                     # RHEL-07-010073
 # Time after screensaver starts when user login is required.
 security_lock_session_screensaver_lock_delay: 5              # RHEL-07-010074
+# Enable a login banner and set the text for the banner.
+security_enable_graphical_login_message: yes                 # RHEL-07-010030
+security_enable_graphical_login_message_text: >
+    You are accessing a secured system and your actions will be logged along
+    with identifying information. Disconnect immediately if you are not an
+    authorized user of this system.

 ## Miscellaneous (misc)
 # Enable virus scanning with clamav
--- a/files/dconf-profile-gdm
+++ b/files/dconf-profile-gdm
@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+file-db:/usr/share/gdm/greeter-dconf-defaults
--- a/tasks/rhel7stig/graphical.yml
+++ b/tasks/rhel7stig/graphical.yml
@ -69,16 +69,19 @@

 - name: Create dconf directories
  file:
-    path: /etc/dconf/db/local.d/
+    path: "{{ item }}"
    state: directory
  with_items:
    - /etc/dconf/db/local.d/
    - /etc/dconf/db/local.d/locks
+    - /etc/dconf/db/gdm.d/
  when:
    - dconf_check.stat.exists
  tags:
    - graphical
    - medium
+    - RHEL-07-010030
+    - RHEL-07-010031
    - RHEL-07-010060
    - RHEL-07-010070
    - RHEL-07-010071
@ -118,3 +121,34 @@
    - RHEL-07-010071
    - RHEL-07-010073
    - RHEL-07-010074
+
+- name: Create a GDM profile for displaying a login banner
+  copy:
+    src: dconf-profile-gdm
+    dest: /etc/dconf/profile/gdm
+  when:
+    - dconf_check.stat.exists
+  notify:
+    - dconf update
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010030
+    - RHEL-07-010031
+
+- name: Create a GDM keyfile for machine-wide settings
+  template:
+    src: dconf-gdm-banner-message.j2
+    dest: "{{ item }}"
+  with_items:
+    - /etc/dconf/db/gdm.d/01-banner-message
+    - /etc/dconf/db/local.d/01-banner-message
+  when:
+    - dconf_check.stat.exists
+  notify:
+    - dconf update
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010030
+    - RHEL-07-010031
--- a/templates/dconf-gdm-banner-message.j2
+++ b/templates/dconf-gdm-banner-message.j2
@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+banner-message-enable={{ security_enable_graphical_login_message | bool | ternary('true', 'false') }}
+banner-message-text='{{ security_enable_graphical_login_message_text | trim }}'