- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Detect if removal-action can be found on /etc/dconf/db/local.d/
find:
path: /etc/dconf/db/local.d/
contains: ^\s*removal-action
register: dconf_gnome_lock_screen_on_smartcard_removal_config_files
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure removal-action - default file
ini_file:
dest: /etc/dconf/db/local.d//00-security-settings
section: org/gnome/settings-daemon/peripherals/smartcard
option: removal-action
value: '''lock-screen'''
create: true
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched
== 0
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure removal-action - existing files
ini_file:
dest: '{{ item.path }}'
section: org/gnome/settings-daemon/peripherals/smartcard
option: removal-action
value: '''lock-screen'''
create: true
with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_config_files.files
}}'
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched
> 0
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Detect if lock for removal-action can be found on /etc/dconf/db/local.d/
find:
path: /etc/dconf/db/local.d/locks
contains: ^\s*removal-action
register: dconf_gnome_lock_screen_on_smartcard_removal_lock_files
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification removal-action - default file
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
create: true
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched
== 0
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification removal-action - existing files
lineinfile:
path: '{{ item.path }}'
regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
create: true
with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_lock_files.files }}'
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched
> 0
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update - removal-action
command: dconf update
when:
- '"gdm" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- DISA-STIG-RHEL-09-271045
- DISA-STIG-RHEL-09-271050
- dconf_gnome_lock_screen_on_smartcard_removal
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
then
sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
then
printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
fi
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
then
sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
else
sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
fi
if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
then
echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi