From 85630fd27f7895271f84cf9ce7a75b176664da5b Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Mon, 14 Nov 2016 09:23:13 -0600 Subject: [PATCH] Enable graphical login banner This patch enables login warning banners on graphical logins. Docs will be in a follow-on patch. Implements: blueprint security-rhel7-stig Change-Id: I9aa7e2c2691b0d2c0659826037909bf43cef0505 --- defaults/main.yml | 6 +++++ files/dconf-profile-gdm | 3 +++ tasks/rhel7stig/graphical.yml | 36 ++++++++++++++++++++++++++- templates/dconf-gdm-banner-message.j2 | 3 +++ 4 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 files/dconf-profile-gdm create mode 100644 templates/dconf-gdm-banner-message.j2 diff --git a/defaults/main.yml b/defaults/main.yml index f57d7eca..1c43d233 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -446,6 +446,12 @@ security_lock_session_override_user: yes # RHEL-07-010071 security_lock_session_when_inactive: yes # RHEL-07-010073 # Time after screensaver starts when user login is required. security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074 +# Enable a login banner and set the text for the banner. +security_enable_graphical_login_message: yes # RHEL-07-010030 +security_enable_graphical_login_message_text: > + You are accessing a secured system and your actions will be logged along + with identifying information. Disconnect immediately if you are not an + authorized user of this system. ## Miscellaneous (misc) # Enable virus scanning with clamav diff --git a/files/dconf-profile-gdm b/files/dconf-profile-gdm new file mode 100644 index 00000000..817afc52 --- /dev/null +++ b/files/dconf-profile-gdm @@ -0,0 +1,3 @@ +user-db:user +system-db:gdm +file-db:/usr/share/gdm/greeter-dconf-defaults diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml index b81c4cf2..1c98d224 100644 --- a/tasks/rhel7stig/graphical.yml +++ b/tasks/rhel7stig/graphical.yml 
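Review bot: In the defaults/main.yml hunk, `security_enable_graphical_login_message_text` is the only variable without a STIG ID comment, although the tasks in this patch are tagged with both RHEL-07-010030 and RHEL-07-010031. If RHEL-07-010031 is the control that covers the banner wording (inferred from those tags, not shown in the patch), the variable should say so to keep the traceability the neighbouring lines have. A comment line above it would do, for example `# Text shown on the graphical login screen (RHEL-07-010031). Replace with your organisation's approved notice.`. The default wording is generic, so deployers who must display a specific consent notice need to know this is the variable to override.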
@@ -69,16 +69,19 @@ - name: Create dconf directories file: - path: /etc/dconf/db/local.d/ + path: "{{ item }}" state: directory with_items: - /etc/dconf/db/local.d/ - /etc/dconf/db/local.d/locks + - /etc/dconf/db/gdm.d/ when: - dconf_check.stat.exists tags: - graphical - medium + - RHEL-07-010030 + - RHEL-07-010031 - RHEL-07-010060 - RHEL-07-010070 - RHEL-07-010071 @@ -118,3 +121,34 @@ - RHEL-07-010071 - RHEL-07-010073 - RHEL-07-010074 + +- name: Create a GDM profile for displaying a login banner + copy: + src: dconf-profile-gdm + dest: /etc/dconf/profile/gdm + when: + - dconf_check.stat.exists + notify: + - dconf update + tags: + - graphical + - medium + - RHEL-07-010030 + - RHEL-07-010031 + +- name: Create a GDM keyfile for machine-wide settings + template: + src: dconf-gdm-banner-message.j2 + dest: "{{ item }}" + with_items: + - /etc/dconf/db/gdm.d/01-banner-message + - /etc/dconf/db/local.d/01-banner-message + when: + - dconf_check.stat.exists + notify: + - dconf update + tags: + - graphical + - medium + - RHEL-07-010030 + - RHEL-07-010031 diff --git a/templates/dconf-gdm-banner-message.j2 b/templates/dconf-gdm-banner-message.j2 new file mode 100644 index 00000000..1d8854ea --- /dev/null +++ b/templates/dconf-gdm-banner-message.j2 @@ -0,0 +1,3 @@ +[org/gnome/login-screen] +banner-message-enable={{ security_enable_graphical_login_message | bool | ternary('true', 'false') }} +banner-message-text='{{ security_enable_graphical_login_message_text | trim }}'
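Review bot: The `file` task in this hunk, and the `copy` and `template` tasks added in the next hunk, set no `owner`, `group` or `mode`, so everything created under /etc/dconf inherits the umask of the play. If the play runs with a restrictive umask, /etc/dconf/profile/gdm could end up unreadable to the account the greeter runs as, and the banner would then presumably fail to appear without any task reporting an error. Pinning the permissions removes that dependency: `owner: root`, `group: root` and `mode: "0755"` on the directories, with `mode: "0644"` on the two file tasks. The tags list of this task continues past the end of the hunk.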
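Review bot: Both new tasks are gated only on `dconf_check.stat.exists`, so setting `security_enable_graphical_login_message` to `no` does not skip them. The GDM profile is still replaced and a keyfile with `banner-message-enable=false` is still written to gdm.d and local.d, which could switch off a banner an administrator had configured by other means. If opting out is meant to leave the host untouched, add `- security_enable_graphical_login_message | bool` to each `when:` list. If the variable is meant to enforce the state in both directions, say so in a comment on the template task.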
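Review bot: `banner-message-text` is wrapped in single quotes with no escaping, so an override containing an apostrophe, a backslash or a line break (for example a `|` block scalar) yields a value that dconf will likely fail to parse. The default text is safe only because it is folded with `>`, trimmed and contains none of those characters. A parse failure surfaces at `dconf update` at best, and the banner would be missing from the login screen. Escaping before the value is quoted avoids this: `banner-message-text='{{ security_enable_graphical_login_message_text | trim | replace("\\", "\\\\") | replace("'", "\\'") | replace("\n", "\\n") }}'`.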