Merge "Set graphical session locks"

2016-11-17 03:02:03 +00:00 · 2016-11-17 03:02:03 +00:00 · 9723173119
commit 9723173119
parent 598cf8218c 5fbc456807
7 changed files with 127 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -436,6 +436,16 @@ security_reset_perm_ownership: yes                           # RHEL-07-010010
 security_disable_gdm_automatic_login: yes                    # RHEL-07-010430
 # Disable timed gdm logins for guests
 security_disable_gdm_timed_login: yes                        # RHEL-07-010431
 # Enable session locking for graphical logins.
 security_lock_session: no                                    # RHEL-07-010060
 # Set a timer (in seconds) when an inactive session is locked.
 security_lock_session_inactive_delay: 900                    # RHEL-07-010070
 # Prevent users from modifying session lock settings.
 security_lock_session_override_user: yes                     # RHEL-07-010071
 # Lock a session (start screensaver) when a session is inactive.
 security_lock_session_when_inactive: yes                     # RHEL-07-010073
 # Time after screensaver starts when user login is required.
 security_lock_session_screensaver_lock_delay: 5              # RHEL-07-010074
 ## Miscellaneous (misc)
 # Enable virus scanning with clamav
--- a/files/dconf-user-profile
+++ b/files/dconf-user-profile
@ -0,0 +1,2 @@
 user-db:user
 system-db:local
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -83,3 +83,6 @@
  file:
    path: "{{ grub_conf_file }}"
    mode: 0644
 - name: dconf update
  command: dconf update
--- a/tasks/rhel7stig/graphical.yml
+++ b/tasks/rhel7stig/graphical.yml
@ -44,3 +44,77 @@
    - graphical
    - high
    - RHEL-07-010431
 - name: Check for dconf profiles
  stat:
    path: /etc/dconf/profile
  register: dconf_check
  tags:
    - always
 - name: Create a user profile in dconf
  copy:
    src: dconf-user-profile
    dest: /etc/dconf/profile/user
  when:
    - dconf_check.stat.exists
  tags:
    - graphical
    - medium
    - RHEL-07-010060
    - RHEL-07-010070
    - RHEL-07-010071
    - RHEL-07-010073
    - RHEL-07-010074
 - name: Create dconf directories
  file:
    path: /etc/dconf/db/local.d/
    state: directory
  with_items:
    - /etc/dconf/db/local.d/
    - /etc/dconf/db/local.d/locks
  when:
    - dconf_check.stat.exists
  tags:
    - graphical
    - medium
    - RHEL-07-010060
    - RHEL-07-010070
    - RHEL-07-010071
    - RHEL-07-010073
    - RHEL-07-010074
 - name: Configure graphical session locking
  template:
    src: dconf-screensaver-lock.j2
    dest: /etc/dconf/db/local.d/00-screensaver
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - RHEL-07-010060
    - RHEL-07-010070
    - RHEL-07-010071
    - RHEL-07-010073
    - RHEL-07-010074
 - name: Prevent users from changing graphical session locking configurations
  template:
    src: dconf-session-user-config-lockout.j2
    dest: /etc/dconf/db/local.d/locks/session
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - RHEL-07-010060
    - RHEL-07-010070
    - RHEL-07-010071
    - RHEL-07-010073
    - RHEL-07-010074
--- a/templates/dconf-screensaver-lock.j2
+++ b/templates/dconf-screensaver-lock.j2
@ -0,0 +1,24 @@
 {% if security_lock_session | bool %}
 [org/gnome/desktop/session]
 # RHEL-07-010070 - The operating system must initiate a screensaver after a
 #                  15-minute period of inactivity for graphical user
 #                  interfaces.
 idle-delay={{ security_lock_session_inactive_delay }}
 [org/gnome/desktop/screensaver]
 # RHEL-07-010060 - The operating system must enable a user session lock until
 #                  that user re-establishes access using established
 #                  identification and authentication procedures.
 lock-enabled=true
 # RHEL-07-010074 - The operating system must initiate a session lock for
 #                  graphical user interfaces when the screensaver is activated.
 lock-delay={{ security_lock_session_screensaver_lock_delay }}
 {% if security_lock_session_when_inactive | bool %}
 # RHEL-07-010073 - The operating system must initiate a session lock for the
 #                  screensaver after a period of inactivity for graphical user
 #                  interfaces.
 idle-activation-enabled=true
 {% endif %}
 {% endif %}
--- a/templates/dconf-session-user-config-lockout.j2
+++ b/templates/dconf-session-user-config-lockout.j2
@ -0,0 +1,8 @@
 {% if security_lock_session | bool and security_lock_session_override_user | bool %}
 /org/gnome/desktop/session/idle-delay
 /org/gnome/desktop/screensaver/lock-enabled
 /org/gnome/desktop/screensaver/lock-delay
 {% if security_lock_session_when_inactive | bool %}
 /org/gnome/desktop/screensaver/idle-activation-enabled
 {% endif %}
 {% endif %}
--- a/tests/test.yml
+++ b/tests/test.yml
@ -27,6 +27,12 @@
        state: touch
      when: ansible_os_family == 'RedHat'
      changed_when: False
    - name: Install dconf package to test graphical session locks
      package:
        name: dconf
        state: installed
      when: ansible_os_family == 'RedHat'
      changed_when: False
  post_tasks:
    - name: Stat 20auto-upgrades file
      stat: