1.8.2 Ensure GDM login banner is configured

Information

GDM is the GNOME Display Manager which handles graphical login for GNOME based systems.

Warning messages inform users who are attempting to log in to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place.

Solution

Run the following script to verify that the banner message is enabled and set:

   #!/usr/bin/env bash

   {
      l_pkgoutput=""
      if command -v dpkg-query > /dev/null 2>&1; then
         l_pq="dpkg-query -W"
      elif command -v rpm > /dev/null 2>&1; then
         l_pq="rpm -q"
      fi
      l_pcl="gdm gdm3" # Space separated list of packages to check
      for l_pn in $l_pcl; do
         $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
      done
      if [ -n "$l_pkgoutput" ]; then
         l_gdmprofile="gdm" # Set this to desired profile name IAW local site policy
         l_bmessage="'Authorized uses only. All activity may be monitored and reported'" # Set to desired banner message
         l_kfile=""
         if [ ! -f "/etc/dconf/profile/$l_gdmprofile" ]; then
            echo "Creating profile \"$l_gdmprofile\""
            echo -e "user-db:user\nsystem-db:$l_gdmprofile\nfile-db:/usr/share/$l_gdmprofile/greeter-dconf-defaults" > "/etc/dconf/profile/$l_gdmprofile"
         fi
         if [ ! -d "/etc/dconf/db/$l_gdmprofile.d/" ]; then
            echo "Creating dconf database directory \"/etc/dconf/db/$l_gdmprofile.d/\""
            mkdir "/etc/dconf/db/$l_gdmprofile.d/"
         fi
         if ! grep -Piq '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/* 2>/dev/null; then
            echo "creating gdm keyfile for machine-wide settings"
            if ! grep -Piq -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/* 2>/dev/null; then
               # No keyfile sets the key yet: create one with the section header and the key
               l_kfile="/etc/dconf/db/$l_gdmprofile.d/01-banner-message"
               echo -e "\n[org/gnome/login-screen]\nbanner-message-enable=true" >> "$l_kfile"
            else
               # The key exists but is not "true": fix it in place in the first keyfile that sets it
               l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*' /etc/dconf/db/$l_gdmprofile.d/* | head -n 1)"
               ! grep -Pq '^\h*\[org\/gnome\/login-screen\]' "$l_kfile" && sed -ri '/^\s*banner-message-enable/ i\[org/gnome/login-screen]' "$l_kfile"
               ! grep -Pq '^\h*banner-message-enable\h*=\h*true\b' "$l_kfile" && sed -ri 's/^\s*(banner-message-enable\s*=\s*)(\S+)(\s*.*$)/\1true\3/' "$l_kfile"
               # sed -ri '/^\s*\[org\/gnome\/login-screen\]/ a\\nbanner-message-enable=true' "$l_kfile"
            fi
         else
            # The key is already true: locate its keyfile so the banner text check below targets it
            l_kfile="$(grep -Pil -- '^\h*banner-message-enable\h*=\h*true\b' /etc/dconf/db/$l_gdmprofile.d/* | head -n 1)"
         fi
         if ! grep -Piq "^\h*banner-message-text=['\"]+\S+" "$l_kfile"; then
            # Append the banner text directly after the enable key (GNU sed one-line "a text" form)
            sed -ri "/^\s*banner-message-enable/ a banner-message-text=$l_bmessage" "$l_kfile"
         fi
         dconf update
      else
         echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n - No remediation required\n"
      fi
   }

Note:

- There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two column mode.
- The banner message cannot be read from an external file.
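An audit counterpart to the remediation script above, added here as an example and not part of the benchmark's own content: it reads a dconf profile and its keyfile directory the way dconf does (section header first, then key=value lines), so banner keys placed under a section other than [org/gnome/login-screen] fail the check even though a bare grep for the key name would accept them. The profile and keyfile paths are parameters, and the demo function runs against a constructed tree in a temporary directory rather than the live /etc/dconf.

```shell
#!/usr/bin/env bash
# Added audit example, not the benchmark's own script: it parses the dconf
# keyfiles the way dconf does (a [section] header, then key=value lines), so
# banner keys placed under the wrong section are reported as a failure, which a
# bare grep for "banner-message-enable" would accept. Paths are parameters so
# the check can run against a constructed tree instead of the live /etc/dconf.

# check_gdm_banner <profile-file> <keyfile-dir>: prints PASS/FAIL, returns 0/1
check_gdm_banner() {
    profile=$1; dbdir=$2
    # the profile must load the system database whose keyfiles we inspect
    if ! grep -Eq '^[[:space:]]*system-db:[[:space:]]*gdm[[:space:]]*$' "$profile" 2>/dev/null; then
        echo "FAIL: $profile does not load system-db:gdm"; return 1
    fi
    # only keys under [org/gnome/login-screen] count; a later file overrides an earlier one
    awk -v q="'" '
        FNR == 1 { sec = "" }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[/, "", sec); gsub(/][ \t]*$/, "", sec); next }
        sec == "org/gnome/login-screen" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "banner-message-enable") en = val
            if (key == "banner-message-text")   tx = val
        }
        END {
            if (tolower(en) != "true") { print "FAIL: banner-message-enable is not true under [org/gnome/login-screen]"; exit 1 }
            if (tx !~ ("^(\".+\"|" q ".+" q ")$")) { print "FAIL: banner-message-text missing or not a quoted string"; exit 1 }
            print "PASS: banner enabled, text " tx
        }' "$dbdir"/* 2>/dev/null
}

# demo_gdm_banner: builds two constructed trees in a temp dir; succeeds when the
# compliant tree passes and the wrong-section tree fails
demo_gdm_banner() {
    t=$(mktemp -d); mkdir -p "$t/good/db" "$t/bad/db"
    for c in good bad; do printf 'user-db:user\nsystem-db:gdm\n' > "$t/$c/profile"; done
    printf '[org/gnome/login-screen]\nbanner-message-enable=true\nbanner-message-text=%s\n' \
        "'Authorized uses only. All activity may be monitored and reported'" > "$t/good/db/01-banner-message"
    # same keys, but under an unrelated section: dconf ignores them for the login screen
    printf '[org/gnome/desktop/screensaver]\nbanner-message-enable=true\nbanner-message-text=%s\n' \
        "'Authorized uses only'" > "$t/bad/db/01-banner-message"
    check_gdm_banner "$t/good/profile" "$t/good/db" && good=0 || good=1
    check_gdm_banner "$t/bad/profile" "$t/bad/db" && bad=0 || bad=1
    rm -rf "$t"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

To audit a real host, call check_gdm_banner /etc/dconf/profile/gdm /etc/dconf/db/gdm.d as root; dconf update must have been run after any keyfile change for the login screen to pick it up.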

OR

Run the following command to remove the gdm package:

# dnf remove gdm

See Also

https://workbench.cisecurity.org/files/4230

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-8

Plugin: Unix

Control ID: e5c77cbc53ef9f02e3b23909f335a83dcbed9a2d9430ed6cebd93de8acb7a291