Configure GNOME3 DConf User Profile

An XCCDF Rule

Description

By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly.

To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm should be set as follows:

user-db:user
system-db:gdm

Rationale

Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks.

ID: xccdf_org.ssgproject.content_rule_enable_dconf_user_profile
Severity: High
References: 1.10

CCE-83006-7

SLES-12-010611

SV-217160r991589_rule
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83006-7
  - DISA-STIG-SLES-12-010611  - enable_dconf_user_profile
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy
- name: Configure GNOME3 DConf User Profile
  lineinfile:
    dest: /etc/dconf/profile/gdm
    line: |-
      user-db:user
      system-db:gdm
    create: true
    state: present
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83006-7
  - DISA-STIG-SLES-12-010611
  - enable_dconf_user_profile
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
echo -e 'user-db:user\nsystem-db:gdm' > /etc/dconf/profile/gdm

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure GNOME3 DConf User Profile

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script