By default, GNOME will allow all users to have some administratrion
capability. This should be disabled so that non-administrative users are not making
configuration changes. To configure the system to disable user administration
capability in the Graphical User Interface (GUI), add or set
user-administration-disabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
After the settings have been set, run dconf update.
Rationale
Allowing all users to have some administratrive capabilities to the system through
the Graphical User Interface (GUI) when they would not have them otherwise could allow
unintended configuration changes as well as a nefarious user the capability to make system
changes such as adding new accounts, etc.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Detect if user-administration-disabled can be found on /etc/dconf/db/local.d/
find:
path: /etc/dconf/db/local.d/
contains: ^\s*user-administration-disabled
register: dconf_gnome_disable_user_admin_config_files
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Configure user-administration-disabled - default file
ini_file:
dest: /etc/dconf/db/local.d//00-security-settings
section: org/gnome/desktop/lockdown
option: user-administration-disabled
value: 'true'
create: true
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched
== 0
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Configure user-administration-disabled - existing files
ini_file:
dest: '{{ item.path }}'
section: org/gnome/desktop/lockdown
option: user-administration-disabled
value: 'true'
create: true
with_items: '{{ dconf_gnome_disable_user_admin_config_files.files }}'
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched
> 0
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Detect if lock for user-administration-disabled can be found on /etc/dconf/db/local.d/
find:
path: /etc/dconf/db/local.d/locks
contains: ^\s*user-administration-disabled
register: dconf_gnome_disable_user_admin_lock_files
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification user-administration-disabled - default file
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled$
line: /org/gnome/desktop/lockdown/user-administration-disabled
create: true
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched
== 0
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification user-administration-disabled - existing files
lineinfile:
path: '{{ item.path }}'
regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled$
line: /org/gnome/desktop/lockdown/user-administration-disabled
create: true
with_items: '{{ dconf_gnome_disable_user_admin_lock_files.files }}'
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched
> 0
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Dconf Update - user-administration-disabled
command: dconf update
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- NIST-800-171-3.1.5
- dconf_gnome_disable_user_admin
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}"
then
sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}"
then
printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE}
fi
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}"
then
sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}"
else
sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}"
fi
if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/
then
echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi