--- - name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" when: - ubtu24cis_rule_1_7_1 - not ubtu24cis_desktop_required - ubtu24cis_disruption_high - "'gdm3' in ansible_facts.packages" tags: - level2-server - patch - rule_1.7.1 - NIST800-53R5_CM-11 - gnome ansible.builtin.package: name: gdm3 state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" when: - ubtu24cis_rule_1_7_2 - ubtu24cis_desktop_required tags: - level1-server - level1-workstation - patch - rule_1.7.2 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome notify: Update dconf block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root mode: 'u+x,go-w' state: directory - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" ansible.builtin.lineinfile: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" create: true owner: root group: root mode: 'u-x,go-wx' loop: - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" when: - ubtu24cis_rule_1_7_3 - ubtu24cis_desktop_required tags: - level1-server - level1-workstation - patch - rule_1.7.3 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome notify: Update dconf block: - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories" ansible.builtin.file: path: "{{ item }}" owner: root group: root mode: 'u+x,go-w' state: directory loop: - /etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d - /etc/dconf/profile - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" ansible.builtin.lineinfile: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" create: true owner: root group: root mode: 'u-x,go-wx' loop: - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" ansible.builtin.lineinfile: path: "/etc/dconf/profile/{{ ubtu24cis_dconf_db_name }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" create: true owner: root group: root mode: 'u-x,go-wx' loop: - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - { regexp: '^system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', insertafter: 'user-db:user'} - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu24cis_dconf_db_name }}'} - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" when: - ubtu24cis_rule_1_7_4 - ubtu24cis_desktop_required tags: - level1-server - level1-workstation - patch - rule_1.7.4 - NIST800-53R5_NA - gnome block: - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" ansible.builtin.lineinfile: path: "/etc/dconf/profile/{{ ubtu24cis_dconf_db_name }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" create: true mode: 'u-x,go-wx' loop: - { regexp: 'user-db:user', line: 'user-db:user' } - { regexp: 'system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', after: '^user-db.*' } - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-screensaver" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" when: - ubtu24cis_rule_1_7_5 - ubtu24cis_desktop_required tags: - level1-server - level1-workstation - patch - rule_1.7.5 - NIST800-53R5_CM-11 - gnome block: - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" when: - ubtu24cis_rule_1_7_6 - ubtu24cis_desktop_required tags: - level1-server - level2-workstation - patch - rule_1.7.6 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome block: - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-automount.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-automount" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" when: - ubtu24cis_rule_1_7_7 - ubtu24cis_desktop_required tags: - level1-server - level2-workstation - patch - rule_1.7.7 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome block: - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-automount_lock.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" when: - ubtu24cis_rule_1_7_8 - ubtu24cis_desktop_required tags: - level1-server - level2-workstation - patch - rule_1.7.8 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome block: - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-autorun.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" when: - ubtu24cis_rule_1_7_9 - ubtu24cis_desktop_required tags: - level1-server - level2-workstation - patch - rule_1.7.9 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome block: - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root mode: 'u+x,go-w' state: directory notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-autorun_lock.j2 dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" when: - ubtu24cis_rule_1_7_10 tags: - level1-server - level1-workstation - patch - rule_1.7.10 - NIST800-53R5_SI-4 - gnome - xdcmp ansible.builtin.lineinfile: path: /etc/gdm3/custom.conf regexp: '^Enable.*=.*true' state: absent