On Monday, February 24, 2014 06:41:08 PM Steve Grubb wrote:
> On Monday, February 24, 2014 06:07:22 PM Maura Dailey wrote:
> > The GConf settings we've been using for login banners and disabling user
> > lists have been replaced by Gnome 3's dconf parameters in RHEL 7 (and
> > Fedora, obviously). dconf allows users and admins to set certain
> > parameters with plain text key files. It also allows admins to bypass
> > key files and set parameters with a GVariant binary blob file. There are
> > some problems for us with both methods. I'll use the login banner text
> > settings as an example.
> >
> > The recommended method in the RHEL 7 administration guide is to create a
> > text file in /etc/dconf/db/gdm.d/ that looks something like the following:
> >
> > [org/gnome/login-screen]
> > banner-message-enable=true
> > banner-message-text='Consent banner text'
> >
> > After creating this file, the user must type dconf update, and the
> > settings are applied, making this a two step process. However, there is
> > a second way to apply the same settings, using the gsettings tool, which
> > will write the data as a binary data blob into the home directory of
> > whatever user runs the tool:
> >
> > sudo -u gdm dbus-launch gsettings set org.gnome.login-screen
> > banner-message-enable true
> >
> > This achieves the same effect and the consent banner will be displayed
> > to users in exactly the same way. This method is harder to test, since
> > there is no parseable text file for OVAL to evaluate, but it is
> > extremely easy to apply on the command line.
> >
> >
> > TLDR: Are we allowed to mandate that system administrators must use the
> > Red Hat guide's method of using plain text key files?
>
> Yes. That is the best way. I was involved with a bz a while back to work out
> the method and that is what they came up with:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=817594

I was told that this bz cannot be accessed. That bz is linked to gnome's public
bz which is found here:

https://bugzilla.gnome.org/show_bug.cgi?id=703972

It actually has better discussion than the one I was referencing.

-Steve

> I would be concerned if a setting in the local directory could be used to
> suppress the login banner. But doing the central configuration is the best
> thing to do.
>
> Also, in terms of meeting other NIST controls during login, be aware of this
> bz, too (comment 8 details the enhanced control that can be met):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=915371
>
> -Steve
>
> > On a related note, the login banner text only displays AFTER users have
> > put in their user name, and there appears to be no way to edit the
> > consent banner's appearance without altering the GDM theme. Instead,
> > it's scrunched into a tiny window, with tiny grey text on a grey
> > background, with a scroll bar. Is it too late to put this on my RHEL 7
> > final release wish list or can someone point me to the correct settings?
> >
> > - Maura Dailey
> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
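Added example, not part of the original thread and not code from the scap-security-guide project: a check over the plain text key files in /etc/dconf/db/gdm.d/ discussed above, which also flags a compiled database older than the key files (the "dconf update" step not yet run). The function name `check_banner`, the mtime comparison and the simple quote test (not a full GVariant text parser) are assumptions of this sketch; a value set only through gsettings lives in a binary database that this check does not read.

```python
import configparser
from pathlib import Path

GROUP = "org/gnome/login-screen"  # section name from the key file quoted in the thread

def check_banner(keyfile_dir, compiled_db=None):
    """Return a list of findings; an empty list means the banner check passes."""
    findings, seen, newest = [], {}, 0.0
    for path in sorted(p for p in Path(keyfile_dir).iterdir() if p.is_file()):
        newest = max(newest, path.stat().st_mtime)
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
        try:
            with path.open(encoding="utf-8") as fh:
                cp.read_file(fh)
        except (configparser.Error, UnicodeDecodeError) as exc:
            findings.append(f"{path.name}: unparseable key file ({type(exc).__name__})")
            continue
        if cp.has_section(GROUP):
            for key, raw in cp.items(GROUP):
                seen.setdefault(key, set()).add(raw.strip())
    enable = seen.get("banner-message-enable", set())
    text = seen.get("banner-message-text", set())
    # Differing values for one key across files are reported, not resolved.
    for key, vals in (("banner-message-enable", enable),
                      ("banner-message-text", text)):
        if not vals:
            findings.append(f"{key}: not set in any key file")
        elif len(vals) > 1:
            findings.append(f"{key}: conflicting values {sorted(vals)}")
    if len(enable) == 1 and enable != {"true"}:
        findings.append("banner-message-enable: expected true")
    if len(text) == 1:
        t = next(iter(text))
        quoted = len(t) >= 2 and t[0] == t[-1] and t[0] in "'\""
        if not quoted or not t[1:-1].strip():
            findings.append("banner-message-text: empty or not a quoted string")
    if compiled_db is not None:
        # Assumption: mtime ordering is a heuristic for "dconf update was run".
        db = Path(compiled_db)
        if not db.is_file():
            findings.append(f"{db.name}: compiled database missing, run dconf update")
        elif db.stat().st_mtime < newest:
            findings.append(f"{db.name}: older than key files, run dconf update")
    return findings
```

On a real system the call would be `check_banner("/etc/dconf/db/gdm.d", "/etc/dconf/db/gdm")`, run with read access to both paths.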
