Configure GNOME3 DConf User Profile

An XCCDF Rule

Description

By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf User profile should always exist and be configured correctly.

To make sure that the user profile is configured correctly, the /etc/dconf/profile/gdm should be set as follows:

user-db:user
system-db:gdm

Rationale

Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks.

ID: xccdf_org.ssgproject.content_rule_enable_dconf_user_profile
Severity: High
References: 1.10

CCE-83267-5

SLES-15-040061

SV-234989r622137_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83267-5
  - DISA-STIG-SLES-15-040061  - enable_dconf_user_profile
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Configure GNOME3 DConf User Profile
  lineinfile:
    dest: /etc/dconf/profile/gdm
    line: |-
      user-db:user
      system-db:gdm
    create: true
    state: present
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83267-5
  - DISA-STIG-SLES-15-040061
  - enable_dconf_user_profile
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

echo -e 'user-db:user\nsystem-db:gdm' > /etc/dconf/profile/gdm

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure GNOME3 DConf User Profile

Description

Rationale

Remediation - Ansible

Remediation - Shell Script