improve logic thanks to #4
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Apr 18, 2024
1 parent c5e8b51 commit 00b5c09
Showing 1 changed file with 43 additions and 23 deletions.
66 changes: 43 additions & 23 deletions tasks/Cat2/RHEL-09-27xxxx.yml
Expand Up @@ -46,10 +46,11 @@
notify: Update_dconf
ansible.builtin.lineinfile:
line: banner-message-enable
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
mode: '0644'
modification_time: preserve
state: touch
state: present
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required."
when:
Expand All @@ -71,10 +72,11 @@
community.general.ini_file:
create: true
mode: '0644'
options: automount-open
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
option: automount-open
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/media-handling'
value: 'false'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271025 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function."
when:
Expand All @@ -97,7 +99,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/media-handling/automount-open
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required."
when:
Expand All @@ -115,9 +118,10 @@
community.general.ini_file:
create: true
option: autorun-never
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/media-handling'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271035 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function."
when:
Expand All @@ -140,7 +144,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/media-handling/autorun-never
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed."
when:
Expand All @@ -160,9 +165,10 @@
community.general.ini_file:
create: true
option: removal-action
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/peripherals/smartcard'
value: 'lock-screen'
value: "'lock-screen'"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action."
when:
Expand All @@ -182,7 +188,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
when:
Expand All @@ -202,9 +209,10 @@
community.general.ini_file:
create: true
option: lock-enabled
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/screensaver'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271060 | PATCH | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
when:
Expand All @@ -224,7 +232,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/lock-enabled
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity."
when:
Expand All @@ -244,9 +253,10 @@
community.general.ini_file:
create: true
option: idle-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
section: 'org/gnome/desktop/session'
value: 'uint32 900'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271070 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
when:
Expand All @@ -266,7 +276,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/session/idle-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated."
when:
Expand All @@ -284,9 +295,10 @@
community.general.ini_file:
create: true
option: lock-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
section: 'org/gnome/desktop/screensaver'
value: 'uint32 5'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271080 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
when:
Expand All @@ -304,7 +316,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/lock-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
when:
Expand All @@ -324,15 +337,17 @@
community.general.ini_file:
create: true
option: picture-uri
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/screensaver'
value: ''
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/picture-uri
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles."
when:
Expand Down Expand Up @@ -365,9 +380,10 @@
community.general.ini_file:
create: true
option: disable-restart-buttons
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/peripherals/smartcard'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface."
when:
Expand All @@ -385,7 +401,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/login-screen/disable-restart-buttons
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot."
when:
Expand All @@ -403,9 +420,10 @@
community.general.ini_file:
create: true
option: logout
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/plugins/media-keys'
value: "['']"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271110 | PATCH | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface."
when:
Expand All @@ -423,7 +441,8 @@
ansible.builtin.lineinfile:
create: true
line: org/gnome/settings-daemon/plugins/media-keys/logout
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces."
when:
Expand All @@ -441,6 +460,7 @@
community.general.ini_file:
create: true
option: disable-user-list
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/02-login-screen"
path: "/etc/dconf/db/{{ item }}.d/02-login-screen"
section: 'org/gnome/login-screen'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
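Review bot: `state: present` in the first hunk (the banner-message-enable lock) now makes lineinfile actually write the line, but the task still carries `modification_time: preserve`, which is an `ansible.builtin.file` option rather than a lineinfile one, and unlike every other lock task in this file it has no `create: true`, so it errors when `.../locks/session` does not exist yet on a db. The line it writes, `banner-message-enable`, also lacks the `/org/gnome/login-screen/` prefix that all the other lock entries use (compare `/org/gnome/desktop/screensaver/lock-enabled`), so dconf would not lock the key; the task's name and `when:` lie above the hunk. Suggested args: `create: true`, `line: /org/gnome/login-screen/banner-message-enable`, and drop `modification_time: preserve`. The quoting fix `value: "'lock-screen'"` in the smartcard hunk implies the empty `value: ''` for `picture-uri` later in the file likely needs the same `"''"` treatment to land as a dconf string, and two unchanged context lines look worth a follow-up: `line: org/gnome/settings-daemon/plugins/media-keys/logout` is missing its leading `/`, and `disable-restart-buttons` is written under `section: 'org/gnome/settings-daemon/peripherals/smartcard'` while its lock entry uses `/org/gnome/login-screen/disable-restart-buttons`.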
