Merge "Set graphical session locks"

2016-11-17 03:02:03 +00:00 · 2016-11-17 03:02:03 +00:00 · 9723173119
commit 9723173119
parent 598cf8218c 5fbc456807
7 changed files with 127 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -436,6 +436,16 @@ security_reset_perm_ownership: yes                           # RHEL-07-010010
 security_disable_gdm_automatic_login: yes                    # RHEL-07-010430
 # Disable timed gdm logins for guests
 security_disable_gdm_timed_login: yes                        # RHEL-07-010431
+# Enable session locking for graphical logins.
+security_lock_session: no                                    # RHEL-07-010060
+# Set a timer (in seconds) when an inactive session is locked.
+security_lock_session_inactive_delay: 900                    # RHEL-07-010070
+# Prevent users from modifying session lock settings.
+security_lock_session_override_user: yes                     # RHEL-07-010071
+# Lock a session (start screensaver) when a session is inactive.
+security_lock_session_when_inactive: yes                     # RHEL-07-010073
+# Time after screensaver starts when user login is required.
+security_lock_session_screensaver_lock_delay: 5              # RHEL-07-010074

 ## Miscellaneous (misc)
 # Enable virus scanning with clamav
--- a/files/dconf-user-profile
+++ b/files/dconf-user-profile
@ -0,0 +1,2 @@
+user-db:user
+system-db:local
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -83,3 +83,6 @@
  file:
    path: "{{ grub_conf_file }}"
    mode: 0644
+
+- name: dconf update
+  command: dconf update
--- a/tasks/rhel7stig/graphical.yml
+++ b/tasks/rhel7stig/graphical.yml
@ -44,3 +44,77 @@
    - graphical
    - high
    - RHEL-07-010431
+
+- name: Check for dconf profiles
+  stat:
+    path: /etc/dconf/profile
+  register: dconf_check
+  tags:
+    - always
+
+- name: Create a user profile in dconf
+  copy:
+    src: dconf-user-profile
+    dest: /etc/dconf/profile/user
+  when:
+    - dconf_check.stat.exists
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010060
+    - RHEL-07-010070
+    - RHEL-07-010071
+    - RHEL-07-010073
+    - RHEL-07-010074
+
+- name: Create dconf directories
+  file:
+    path: /etc/dconf/db/local.d/
+    state: directory
+  with_items:
+    - /etc/dconf/db/local.d/
+    - /etc/dconf/db/local.d/locks
+  when:
+    - dconf_check.stat.exists
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010060
+    - RHEL-07-010070
+    - RHEL-07-010071
+    - RHEL-07-010073
+    - RHEL-07-010074
+
+- name: Configure graphical session locking
+  template:
+    src: dconf-screensaver-lock.j2
+    dest: /etc/dconf/db/local.d/00-screensaver
+  when:
+    - dconf_check.stat.exists
+  notify:
+    - dconf update
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010060
+    - RHEL-07-010070
+    - RHEL-07-010071
+    - RHEL-07-010073
+    - RHEL-07-010074
+
+- name: Prevent users from changing graphical session locking configurations
+  template:
+    src: dconf-session-user-config-lockout.j2
+    dest: /etc/dconf/db/local.d/locks/session
+  when:
+    - dconf_check.stat.exists
+  notify:
+    - dconf update
+  tags:
+    - graphical
+    - medium
+    - RHEL-07-010060
+    - RHEL-07-010070
+    - RHEL-07-010071
+    - RHEL-07-010073
+    - RHEL-07-010074
--- a/templates/dconf-screensaver-lock.j2
+++ b/templates/dconf-screensaver-lock.j2
@ -0,0 +1,24 @@
+{% if security_lock_session | bool %}
+[org/gnome/desktop/session]
+# RHEL-07-010070 - The operating system must initiate a screensaver after a
+#                  15-minute period of inactivity for graphical user
+#                  interfaces.
+idle-delay={{ security_lock_session_inactive_delay }}
+
+[org/gnome/desktop/screensaver]
+# RHEL-07-010060 - The operating system must enable a user session lock until
+#                  that user re-establishes access using established
+#                  identification and authentication procedures.
+lock-enabled=true
+
+# RHEL-07-010074 - The operating system must initiate a session lock for
+#                  graphical user interfaces when the screensaver is activated.
+lock-delay={{ security_lock_session_screensaver_lock_delay }}
+
+{% if security_lock_session_when_inactive | bool %}
+# RHEL-07-010073 - The operating system must initiate a session lock for the
+#                  screensaver after a period of inactivity for graphical user
+#                  interfaces.
+idle-activation-enabled=true
+{% endif %}
+{% endif %}
--- a/templates/dconf-session-user-config-lockout.j2
+++ b/templates/dconf-session-user-config-lockout.j2
@ -0,0 +1,8 @@
+{% if security_lock_session | bool and security_lock_session_override_user | bool %}
+/org/gnome/desktop/session/idle-delay
+/org/gnome/desktop/screensaver/lock-enabled
+/org/gnome/desktop/screensaver/lock-delay
+{% if security_lock_session_when_inactive | bool %}
+/org/gnome/desktop/screensaver/idle-activation-enabled
+{% endif %}
+{% endif %}
--- a/tests/test.yml
+++ b/tests/test.yml
@ -27,6 +27,12 @@
        state: touch
      when: ansible_os_family == 'RedHat'
      changed_when: False
+    - name: Install dconf package to test graphical session locks
+      package:
+        name: dconf
+        state: installed
+      when: ansible_os_family == 'RedHat'
+      changed_when: False
  post_tasks:
    - name: Stat 20auto-upgrades file
      stat: