diff --git a/defaults/main.yml b/defaults/main.yml
index 71d6d626..cd027052 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -436,6 +436,16 @@ security_reset_perm_ownership: yes # RHEL-07-010010
 security_disable_gdm_automatic_login: yes # RHEL-07-010430
 # Disable timed gdm logins for guests
 security_disable_gdm_timed_login: yes # RHEL-07-010431
+# Enable session locking for graphical logins.
+security_lock_session: no # RHEL-07-010060
+# Set a timer (in seconds) when an inactive session is locked.
+security_lock_session_inactive_delay: 900 # RHEL-07-010070
+# Prevent users from modifying session lock settings.
+security_lock_session_override_user: yes # RHEL-07-010071
+# Lock a session (start screensaver) when a session is inactive.
+security_lock_session_when_inactive: yes # RHEL-07-010073
+# Time after screensaver starts when user login is required.
+security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/files/dconf-user-profile b/files/dconf-user-profile
new file mode 100644
index 00000000..aca0641f
--- /dev/null
+++ b/files/dconf-user-profile
@@ -0,0 +1,2 @@
+user-db:user
+system-db:local
diff --git a/handlers/main.yml b/handlers/main.yml
index 52f17b87..dabb2e0b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -78,3 +78,6 @@
 file:
 path: "{{ grub_conf_file }}"
 mode: 0644
+
+- name: dconf update
+ command: dconf update
diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml
index 1c251256..b81c4cf2 100644
--- a/tasks/rhel7stig/graphical.yml
+++ b/tasks/rhel7stig/graphical.yml
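Review bot: `security_lock_session: no` leaves RHEL-07-010060, 010070, 010071, 010073 and 010074 unapplied by default, and nothing in the new comments says that the four variables below it are inert until it is switched to `yes`, which is a surprise for a STIG role whose other graphical controls default on. I would say so on the variable itself: `# Enable session locking for graphical logins. This is the master switch for the four session-lock settings below; they have no effect while it is 'no'.` The inactivity delay also deserves its bound in the comment, since the control accepts 15 minutes or less and the template writes whatever value is supplied without checking it: `# Idle time in seconds before the session locks; RHEL-07-010070 requires 900 or less.`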
@@ -44,3 +44,77 @@
 - graphical
 - high
 - RHEL-07-010431
+
+- name: Check for dconf profiles
+ stat:
+ path: /etc/dconf/profile
+ register: dconf_check
+ tags:
+ - always
+
+- name: Create a user profile in dconf
+ copy:
+ src: dconf-user-profile
+ dest: /etc/dconf/profile/user
+ when:
+ - dconf_check.stat.exists
+ tags:
+ - graphical
+ - medium
+ - RHEL-07-010060
+ - RHEL-07-010070
+ - RHEL-07-010071
+ - RHEL-07-010073
+ - RHEL-07-010074
+
+- name: Create dconf directories
+ file:
+ path: /etc/dconf/db/local.d/
+ state: directory
+ with_items:
+ - /etc/dconf/db/local.d/
+ - /etc/dconf/db/local.d/locks
+ when:
+ - dconf_check.stat.exists
+ tags:
+ - graphical
+ - medium
+ - RHEL-07-010060
+ - RHEL-07-010070
+ - RHEL-07-010071
+ - RHEL-07-010073
+ - RHEL-07-010074
+
+- name: Configure graphical session locking
+ template:
+ src: dconf-screensaver-lock.j2
+ dest: /etc/dconf/db/local.d/00-screensaver
+ when:
+ - dconf_check.stat.exists
+ notify:
+ - dconf update
+ tags:
+ - graphical
+ - medium
+ - RHEL-07-010060
+ - RHEL-07-010070
+ - RHEL-07-010071
+ - RHEL-07-010073
+ - RHEL-07-010074
+
+- name: Prevent users from changing graphical session locking configurations
+ template:
+ src: dconf-session-user-config-lockout.j2
+ dest: /etc/dconf/db/local.d/locks/session
+ when:
+ - dconf_check.stat.exists
+ notify:
+ - dconf update
+ tags:
+ - graphical
+ - medium
+ - RHEL-07-010060
+ - RHEL-07-010070
+ - RHEL-07-010071
+ - RHEL-07-010073
+ - RHEL-07-010074
diff --git a/templates/dconf-screensaver-lock.j2 b/templates/dconf-screensaver-lock.j2
new file mode 100644
index 00000000..3d1709b6
--- /dev/null
+++ b/templates/dconf-screensaver-lock.j2
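Review bot: The "Create dconf directories" task loops over two paths with `with_items` but hard-codes `path: /etc/dconf/db/local.d/`, so `/etc/dconf/db/local.d/` is created twice and `/etc/dconf/db/local.d/locks` is never created; on a host that does not already have that directory the later template to `/etc/dconf/db/local.d/locks/session` fails, which means the user-override lock for RHEL-07-010071 is exactly the piece that does not get deployed. The fix is the loop variable, `path: "{{ item }}"`, and since the second item is the only reason the loop exists it is worth a one-line comment above it, `# 'locks' holds the key-lock file that stops users overriding these settings`. Separately, the `copy` of `/etc/dconf/profile/user` silently replaces any site-specific profile already on the host; I would at least note that in the variable documentation so operators with a customised profile know to review it.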
@@ -0,0 +1,24 @@
+{% if security_lock_session | bool %}
+[org/gnome/desktop/session]
+# RHEL-07-010070 - The operating system must initiate a screensaver after a
+# 15-minute period of inactivity for graphical user
+# interfaces.
+idle-delay={{ security_lock_session_inactive_delay }}
+
+[org/gnome/desktop/screensaver]
+# RHEL-07-010060 - The operating system must enable a user session lock until
+# that user re-establishes access using established
+# identification and authentication procedures.
+lock-enabled=true
+
+# RHEL-07-010074 - The operating system must initiate a session lock for
+# graphical user interfaces when the screensaver is activated.
+lock-delay={{ security_lock_session_screensaver_lock_delay }}
+
+{% if security_lock_session_when_inactive | bool %}
+# RHEL-07-010073 - The operating system must initiate a session lock for the
+# screensaver after a period of inactivity for graphical user
+# interfaces.
+idle-activation-enabled=true
+{% endif %}
+{% endif %}
diff --git a/templates/dconf-session-user-config-lockout.j2 b/templates/dconf-session-user-config-lockout.j2
new file mode 100644
index 00000000..1130cfc2
--- /dev/null
+++ b/templates/dconf-session-user-config-lockout.j2
@@ -0,0 +1,8 @@
+{% if security_lock_session | bool and security_lock_session_override_user | bool %}
+/org/gnome/desktop/session/idle-delay
+/org/gnome/desktop/screensaver/lock-enabled
+/org/gnome/desktop/screensaver/lock-delay
+{% if security_lock_session_when_inactive | bool %}
+/org/gnome/desktop/screensaver/idle-activation-enabled
+{% endif %}
+{% endif %}
diff --git a/tests/test.yml b/tests/test.yml
index b279f005..0c57fd71 100644
--- a/tests/test.yml
+++ b/tests/test.yml
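Review bot: `idle-delay=` and `lock-delay=` are rendered as bare integers, but a dconf keyfile uses GVariant text syntax and both of these GNOME keys are declared as `uint32` in the schema, so a bare `900` is read as a signed int32 and — as far as I can tell — gsettings then ignores the mistyped system value and falls back to the schema default, leaving the session unlocked while `dconf update` reports success; the STIG fix text for these controls writes `idle-delay=uint32 900` and `lock-delay=uint32 5`, and the corresponding check greps for that literal form. The two lines should be `idle-delay=uint32 {{ security_lock_session_inactive_delay }}` and `lock-delay=uint32 {{ security_lock_session_screensaver_lock_delay }}`, with a comment above the section noting that the type prefix is required by the key type, not cosmetic. Please verify against `gsettings describe`/the `org.gnome.desktop.session` schema on a RHEL 7 host before merging, since I am going from the schema as I know it rather than from anything in this diff.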
@@ -27,6 +27,12 @@
 state: touch
 when: ansible_os_family == 'RedHat'
 changed_when: False
+ - name: Install dconf package to test graphical session locks
+ package:
+ name: dconf
+ state: installed
+ when: ansible_os_family == 'RedHat'
+ changed_when: False
 post_tasks:
 - name: Stat 20auto-upgrades file
 stat:
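Review bot: Installing `dconf` is the only change to the test, and nothing afterwards checks that the new graphical tasks ran; those tasks are gated on `/etc/dconf/profile` existing, and whether the package creates that directory is not established anywhere in this diff, so if it does not, every new task is skipped and this test still passes green. I would add a post_task that stats the rendered file and asserts on it, so the gate, the directory loop and the template are all exercised; the play whose `post_tasks` this hunk opens continues outside the hunk, so the snippet below only shows the added tasks. Minor: `state: installed` is a legacy alias for `present` in the `package` module and reads as a typo next to the rest of the file.
```yaml
  post_tasks:
    # … unchanged: existing 20auto-upgrades checks …
    - name: Stat the rendered dconf screensaver settings
      stat:
        path: /etc/dconf/db/local.d/00-screensaver
      register: dconf_screensaver
      when: ansible_os_family == 'RedHat'

    - name: Assert the graphical session lock tasks ran
      assert:
        that:
          - dconf_screensaver.stat.exists
      when: ansible_os_family == 'RedHat'
```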