1.8.1 Ensure GDM login banner is configured

Information

GDM is the GNOME Display Manager, which handles graphical login for GNOME-based systems.

By using the lockdown mode in dconf, you can prevent users from changing specific settings.

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.

Without locking down the system settings, user settings take precedence over the system settings.

Solution

- Create or edit the file /etc/dconf/profile/user and add the following lines if they do not exist:

user-db:user
system-db:local

Example:

#!/usr/bin/env bash

{
l_dir="/etc/dconf/profile/"
[ ! -d "$l_dir" ] && mkdir /etc/dconf/profile/
! grep -Psq '^\h*user-db:user\b' "$l_dir/user" && \
printf '%s\n' "" "user-db:user" >> "$l_dir/user"
! grep -Psq '^\h*system-db:local\b' "$l_dir/user" && \
sed -ri '/^\s*user-db:user/a system-db:local' "$l_dir/user"
}
- Run the following command to create the /etc/dconf/db/local.d/ and /etc/dconf/db/local.d/locks/ directories if either does not exist:

# [ ! -d "/etc/dconf/db/local.d/locks/" ] && mkdir -p /etc/dconf/db/local.d/locks/
- Create or edit a file in /etc/dconf/db/local.d/locks/ and add the following lines to lock the login banner configuration:

/org/gnome/login-screen/banner-message-enable
/org/gnome/login-screen/banner-message-text

Example:

# printf '%s\n' "" "/org/gnome/login-screen/banner-message-enable" \
"/org/gnome/login-screen/banner-message-text" >> /etc/dconf/db/local.d/locks/60-banner-message
- Run the following script to comment out any incorrect settings in a local system-wide database keyfile:

#!/usr/bin/env bash

{
f_key_file_fix()
{
while IFS= read -r -d $'\0' l_file; do
grep -Psiq -- "^\h*$l_parameter$l_value(\b|\h*$)" "$l_file" && \
sed -ri '/^\s*'"$l_parameter"'/s/^/# /g' "$l_file"
done < <(find /etc/dconf/db -mindepth 2 -maxdepth 2 -type f -print0)
}
l_parameter="banner-message-enable=" l_value="false"; f_key_file_fix
l_parameter="banner-message-text=" l_value="(['\"]{2})?"; f_key_file_fix
}
- Create or edit a local keyfile for machine-wide settings in /etc/dconf/db/local.d/ with the following lines to set the login banner configuration:

[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Type the banner message here.'

Example script:

#!/usr/bin/env bash

{
l_file="/etc/dconf/db/local.d/60-banner-message"
l_banner="'Authorized uses only. All activity may be monitored and reported'"
a_keyfile=("[org/gnome/login-screen]" "banner-message-enable=true" \
"banner-message-text=$l_banner")
if grep -Psq -- '^\h*\[org\/gnome\/login-screen\]' "$l_file"; then
! grep -Psiq -- '^\h*banner-message-enable=true\b' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/login-screen\]/a banner-message-enable=true' "$l_file"
! grep -Psiq -- '^\h*banner-message-text=[^#\n\r]+' "$l_file" && \
sed -ri '/^\s*\[org\/gnome\/login-screen\]/a banner-message-text='"$l_banner"'' "$l_file"
else
printf '%s\n' "" "${a_keyfile[@]}" >> "$l_file"
fi
}
- Run the following command to update the dconf database:

# dconf update
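The steps above build three pieces of configuration: the dconf profile, the lock file, and the local keyfile. The script below is an added audit example, not part of the CIS page or the benchmark's own audit content, that verifies all three are in place. The function names (check_dconf_profile, check_banner_locks, check_banner_keyfile, audit_gdm_banner, make_sample_tree) are assumptions, and the sample trees it builds are constructed for the demo; pass an empty root ("") to audit the live host's /etc/dconf instead.

```shell
#!/usr/bin/env bash
# Added audit example (not the CIS page's own code). Every check takes a root
# directory so it can run against a constructed sample tree; "" means the live host.

# The first database in a dconf profile is the writable one, so user-db:user
# must precede system-db:local (the page's fix script appends local after user).
check_dconf_profile() {
    local f="$1/etc/dconf/profile/user" u s
    [ -f "$f" ] || return 1
    u=$(grep -En '^[[:blank:]]*user-db:user([[:blank:]]|$)' "$f" | head -n1 | cut -d: -f1)
    s=$(grep -En '^[[:blank:]]*system-db:local([[:blank:]]|$)' "$f" | head -n1 | cut -d: -f1)
    [ -n "$u" ] && [ -n "$s" ] && [ "$u" -lt "$s" ]
}

# Both banner keys must appear in some lock file, otherwise a user setting overrides them.
check_banner_locks() {
    local d="$1/etc/dconf/db/local.d/locks"
    [ -d "$d" ] || return 1
    grep -Eqs '^[[:blank:]]*/org/gnome/login-screen/banner-message-enable([[:blank:]]|$)' "$d"/* || return 1
    grep -Eqs '^[[:blank:]]*/org/gnome/login-screen/banner-message-text([[:blank:]]|$)' "$d"/*
}

# Walk every keyfile in local.d, tracking the current [section]. Passes only if
# banner-message-enable=true and a non-empty banner-message-text appear under
# [org/gnome/login-screen] and no keyfile disables or empties the banner (the two
# defects the page's fix script comments out). Commented-out lines are ignored.
check_banner_keyfile() {
    local d="$1/etc/dconf/db/local.d" f r enable=0 text=0
    [ -d "$d" ] || return 1
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        r=$(awk -v sq="'" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
            sec != "[org/gnome/login-screen]" { next }
            { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
              val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
            key == "banner-message-enable" { if (val == "true") e = 1; else bad = 1 }
            key == "banner-message-text" {
                if (val != "" && val != (sq sq) && val != "\"\"") t = 1; else bad = 1 }
            END { printf "%d %d %d\n", bad, e, t }' "$f")
        set -- $r
        [ "$1" = 0 ] || return 1
        [ "$2" = 1 ] && enable=1
        [ "$3" = 1 ] && text=1
    done
    [ "$enable" = 1 ] && [ "$text" = 1 ]
}

# Prints PASS, or FAIL followed by the names of the failing checks.
audit_gdm_banner() {
    local root="${1:-}" failed=""
    check_dconf_profile "$root" || failed="$failed profile"
    check_banner_locks "$root"  || failed="$failed locks"
    check_banner_keyfile "$root" || failed="$failed keyfile"
    if [ -z "$failed" ]; then echo "PASS"; return 0; fi
    echo "FAIL:$failed"; return 1
}

# Constructed sample trees (not from a real host). "good" mirrors the page's
# remediation; "bad" omits the lock file and uses the disabled/empty values.
make_sample_tree() {
    local root="$1" kind="$2"
    mkdir -p "$root/etc/dconf/profile" "$root/etc/dconf/db/local.d/locks"
    printf '%s\n' "user-db:user" "system-db:local" > "$root/etc/dconf/profile/user"
    if [ "$kind" = good ]; then
        printf '%s\n' "/org/gnome/login-screen/banner-message-enable" \
            "/org/gnome/login-screen/banner-message-text" \
            > "$root/etc/dconf/db/local.d/locks/60-banner-message"
        printf '%s\n' "[org/gnome/login-screen]" "banner-message-enable=true" \
            "banner-message-text='Authorized uses only. All activity may be monitored and reported'" \
            > "$root/etc/dconf/db/local.d/60-banner-message"
    else
        printf '%s\n' "[org/gnome/login-screen]" "banner-message-enable=false" \
            "banner-message-text=''" > "$root/etc/dconf/db/local.d/60-banner-message"
    fi
}

# Demo against the constructed trees; on a real host run: audit_gdm_banner ""
demo_root=$(mktemp -d)
make_sample_tree "$demo_root/good" good
make_sample_tree "$demo_root/bad" bad
echo "good tree: $(audit_gdm_banner "$demo_root/good")"
echo "bad tree:  $(audit_gdm_banner "$demo_root/bad")"
rm -rf "$demo_root"
```

The keyfile check is deliberately stricter than a plain grep: it only credits the keys when they sit under the [org/gnome/login-screen] header and treats a commented-out line (the output of the fix script above) as absent, so a host that was remediated but never had the keyfile written still reports FAIL.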

Note:

- banner-message-text should be set in accordance with local site policy.
- Users must log out and back in again before the system-wide settings take effect.
- There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two-column mode.
- The banner message cannot be read from an external file.

See Also

https://workbench.cisecurity.org/benchmarks/24008

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-8c.

Plugin: Unix

Control ID: aa4c75c8cdc04ccfcf9095b6707669c32c306657b0fa937a5bf0ef329fe9824c