GDM is the GNOME Display Manager, which handles graphical login for GNOME-based systems. Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.
Solution
- IF - GDM is installed: Run the following script to set and enable the text banner message on the login screen:

    #!/usr/bin/env bash

    {
       l_pkgoutput="" l_kfile=""
       if command -v dpkg-query > /dev/null 2>&1; then
          l_pq="dpkg-query -W"
       elif command -v rpm > /dev/null 2>&1; then
          l_pq="rpm -q"
       fi
       l_pcl="gdm gdm3" # Space separated list of packages to check
       for l_pn in $l_pcl; do
          $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
       done
       if [ -n "$l_pkgoutput" ]; then
          l_gdmprofile="gdm" # Set this to desired profile name in accordance with local site policy
          l_bmessage="'Authorized uses only. All activity may be monitored and reported'" # Set to desired banner message
          if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
             echo "Creating profile \"$l_gdmprofile\""
             echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > /etc/dconf/profile/$l_gdmprofile
          fi
          if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
             echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
             mkdir /etc/dconf/db/$l_gdmprofile.d/
          fi
          if ! grep -Piq '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/*; then
             echo "creating gdm keyfile for machine-wide settings"
             if ! grep -Piq -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/*; then
                l_kfile="/etc/dconf/db/$l_gdmprofile.d/01-banner-message"
                echo -e "\n[org/gnome/login-screen]\nbanner-message-enable=true" >> "$l_kfile"
             else
                l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/* | head -n 1)"
                # Add the section header if the key was written without one
                ! grep -Pq '^\h*\[org/gnome/login-screen\]' "$l_kfile" && sed -ri '/^\s*banner-message-enable/ i [org/gnome/login-screen]' "$l_kfile"
                # Force the existing value to true
                ! grep -Pq '^\h*banner-message-enable\h*=\h*true\b' "$l_kfile" && sed -ri 's/^\s*(banner-message-enable\s*=\s*)(\S+)(\s*.*$)/\1true\3/' "$l_kfile"
                # sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\\nbanner-message-enable=true' "$l_kfile"
             fi
          else
             # Banner already enabled: locate its keyfile so the text check below has a target
             l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/* | head -n 1)"
          fi
          if ! grep -Piq "^\h*banner-message-text=['\"]+\S+" "$l_kfile"; then
             sed -ri "/^\s*banner-message-enable/ a banner-message-text=$l_bmessage" "$l_kfile"
          fi
          dconf update
       else
          echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n - No remediation required\n"
       fi
    }

Notes:
- There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two column mode.
- The banner message cannot be read from an external file.
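
To confirm the remediation took effect, the following check is an added example, not part of the original page or the benchmark's own audit procedure. The function name `check_gdm_banner` is hypothetical, the default directory assumes the profile name "gdm" used in the script above, and treating any conflicting `banner-message-enable` value in another keyfile as a failure is a conservative choice made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the GDM banner keyfiles.
# Usage: check_gdm_banner [keyfile_dir]; the default assumes the profile is "gdm".
check_gdm_banner() {
   local l_dir="${1:-/etc/dconf/db/gdm.d}" l_db l_out l_on l_off l_text l_rc=0
   l_db="${l_dir%.d}"   # compiled database that "dconf update" writes
   [ -d "$l_dir" ] || { echo "FAIL: \"$l_dir\" does not exist"; return 1; }

   # Count settings only when they sit under [org/gnome/login-screen]; a key
   # under any other section header configures a different dconf path.
   l_out="$(find "$l_dir" -maxdepth 1 -type f -exec awk -v q="'" '
      FNR == 1 { sec = "" }
      /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
      sec != "[org/gnome/login-screen]" { next }
      /^[ \t]*banner-message-enable[ \t]*=/ {
         v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
         if (v == "true") on++; else off++
      }
      /^[ \t]*banner-message-text[ \t]*=/ {
         v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t"]/, "", v); gsub(q, "", v)
         if (v != "") text++
      }
      END { printf "%d %d %d\n", on, off, text }' {} +)"
   # Split "on off text" into positional parameters ($1 was saved in l_dir).
   set -- $l_out
   l_on="${1:-0}"; l_off="${2:-0}"; l_text="${3:-0}"

   if [ "$l_on" -eq 0 ] || [ "$l_off" -gt 0 ]; then
      echo "FAIL: banner-message-enable is not consistently \"true\""; l_rc=1
   fi
   if [ "$l_text" -eq 0 ]; then
      echo "FAIL: banner-message-text is missing or empty"; l_rc=1
   fi
   # A keyfile newer than the compiled database means the edit is not live yet.
   if [ ! -f "$l_db" ]; then
      echo "FAIL: \"$l_db\" not found - run dconf update"; l_rc=1
   elif [ -n "$(find "$l_dir" -maxdepth 1 -type f -newer "$l_db")" ]; then
      echo "FAIL: keyfiles changed after \"$l_db\" was built - run dconf update"; l_rc=1
   fi
   [ "$l_rc" -eq 0 ] && echo "PASS: GDM login banner is configured"
   return "$l_rc"
}
```

Run it as root with no argument on a live system, or point it at a copy of the keyfile directory when reviewing a configuration offline.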