openstack/ansible-hardening
Code Issues Proposed changes

Enable graphical login banner

Browse Source 
This patch enables login warning banners on graphical logins. Docs
will be in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I9aa7e2c2691b0d2c0659826037909bf43cef0505
This commit is contained in:
Major Hayden 2016-11-14 09:23:13 -06:00
parent 449bc820e6
commit 85630fd27f
4 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
defaults/main.yml
View File

@ -446,6 +446,12 @@ security_lock_session_override_user: yes # RHEL-07-010071
security_lock_session_when_inactive: yes # RHEL-07-010073 security_lock_session_when_inactive: yes # RHEL-07-010073
# Time after screensaver starts when user login is required. # Time after screensaver starts when user login is required.
security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074 security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074
# Enable a login banner and set the text for the banner.
security_enable_graphical_login_message: yes # RHEL-07-010030
security_enable_graphical_login_message_text: >
You are accessing a secured system and your actions will be logged along
with identifying information. Disconnect immediately if you are not an
authorized user of this system.
## Miscellaneous (misc) ## Miscellaneous (misc)
# Enable virus scanning with clamav # Enable virus scanning with clamav

3
files/dconf-profile-gdm Normal file
View File

@ -0,0 +1,3 @@
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults

36
tasks/rhel7stig/graphical.yml
View File

@ -69,16 +69,19 @@
- name: Create dconf directories - name: Create dconf directories
file: file:
path: /etc/dconf/db/local.d/ path: "{{ item }}"
state: directory state: directory
with_items: with_items:
- /etc/dconf/db/local.d/ - /etc/dconf/db/local.d/
- /etc/dconf/db/local.d/locks - /etc/dconf/db/local.d/locks
- /etc/dconf/db/gdm.d/
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
tags: tags:
- graphical - graphical
- medium - medium
- RHEL-07-010030
- RHEL-07-010031
- RHEL-07-010060 - RHEL-07-010060
- RHEL-07-010070 - RHEL-07-010070
- RHEL-07-010071 - RHEL-07-010071
@ -118,3 +121,34 @@
- RHEL-07-010071 - RHEL-07-010071
- RHEL-07-010073 - RHEL-07-010073
- RHEL-07-010074 - RHEL-07-010074
- name: Create a GDM profile for displaying a login banner
copy:
src: dconf-profile-gdm
dest: /etc/dconf/profile/gdm
when:
- dconf_check.stat.exists
notify:
- dconf update
tags:
- graphical
- medium
- RHEL-07-010030
- RHEL-07-010031
- name: Create a GDM keyfile for machine-wide settings
template:
src: dconf-gdm-banner-message.j2
dest: "{{ item }}"
with_items:
- /etc/dconf/db/gdm.d/01-banner-message
- /etc/dconf/db/local.d/01-banner-message
when:
- dconf_check.stat.exists
notify:
- dconf update
tags:
- graphical
- medium
- RHEL-07-010030
- RHEL-07-010031

3
templates/dconf-gdm-banner-message.j2 Normal file
View File

@ -0,0 +1,3 @@
[org/gnome/login-screen]
banner-message-enable={{ security_enable_graphical_login_message | bool | ternary('true', 'false') }}
banner-message-text='{{ security_enable_graphical_login_message_text | trim }}'