Sean,

This is what I've identified so far with GNOME 3 lockdowns in RHEL 7 - please feel free to contribute more or provide feedback:

https://github.com/RedHatGov/ssg-el7-kickstart/blob/master/config/hardening/ssg-supplemental.sh (starting with line 588)

#!/bin/bash
########################################
# GNOME 3 Lockdowns
########################################
# BANNER_MESSAGE_TEXT is expected to be set earlier in ssg-supplemental.sh.
if [ -x /bin/gsettings ]; then
	# The key-file and lock directories are not guaranteed to exist on a fresh install.
	mkdir -p /etc/dconf/db/gdm.d/locks /etc/dconf/db/local.d/locks

	# Settings for the GDM (login screen) database.
	# dconf key files carry no schema, so unsigned keys (idle-delay, old-files-age)
	# need the explicit "uint32" type tag; a bare integer is stored as int32 and
	# GSettings rejects it as a type mismatch.
	cat << EOF > /etc/dconf/db/gdm.d/99-gnome-hardening
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text="${BANNER_MESSAGE_TEXT}"
disable-user-list=true
disable-restart-buttons=true
[org/gnome/desktop/lockdown]
user-administration-disabled=true
disable-user-switching=true
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
[org/gnome/desktop/notifications]
show-in-lock-screen=false
[org/gnome/desktop/privacy]
remove-old-temp-files=true
remove-old-trash-files=true
old-files-age=uint32 7
[org/gnome/desktop/interface]
clock-format="12h"
[org/gnome/desktop/screensaver]
user-switch-enabled=false
[org/gnome/desktop/session]
idle-delay=uint32 900
[org/gnome/desktop/thumbnailers]
disable-all=true
[org/gnome/nm-applet]
disable-wifi-create=true
EOF

	# Lock the same keys so they cannot be changed from the user database.
	cat << EOF > /etc/dconf/db/gdm.d/locks/99-gnome-hardening
/org/gnome/login-screen/banner-message-enable
/org/gnome/login-screen/banner-message-text
/org/gnome/login-screen/disable-user-list
/org/gnome/login-screen/disable-restart-buttons
/org/gnome/desktop/lockdown/user-administration-disabled
/org/gnome/desktop/lockdown/disable-user-switching
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never
/org/gnome/desktop/notifications/show-in-lock-screen
/org/gnome/desktop/privacy/remove-old-temp-files
/org/gnome/desktop/privacy/remove-old-trash-files
/org/gnome/desktop/privacy/old-files-age
/org/gnome/desktop/screensaver/user-switch-enabled
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/thumbnailers/disable-all
/org/gnome/nm-applet/disable-wifi-create
EOF

	# Defaults for every user session via a GSettings schema override
	# (types come from the schema here, so no type tags are needed).
	cat << EOF > /usr/share/glib-2.0/schemas/99-custom-settings.gschema.override
[org.gnome.login-screen]
banner-message-enable=true
banner-message-text="${BANNER_MESSAGE_TEXT}"
disable-user-list=true
disable-restart-buttons=true
[org.gnome.desktop.lockdown]
user-administration-disabled=true
disable-user-switching=true
[org.gnome.desktop.media-handling]
automount=false
automount-open=false
autorun-never=true
[org.gnome.desktop.notifications]
show-in-lock-screen=false
[org.gnome.desktop.privacy]
remove-old-temp-files=true
remove-old-trash-files=true
old-files-age=7
[org.gnome.desktop.interface]
clock-format="12h"
[org.gnome.desktop.screensaver]
user-switch-enabled=false
[org.gnome.desktop.session]
idle-delay=900
[org.gnome.desktop.thumbnailers]
disable-all=true
[org.gnome.nm-applet]
disable-wifi-create=true
EOF

	# Apply the same locks to the local (user session) database, then rebuild
	# the compiled schemas and the dconf databases.
	cp /etc/dconf/db/gdm.d/locks/99-gnome-hardening /etc/dconf/db/local.d/locks/99-gnome-hardening
	/bin/glib-compile-schemas /usr/share/glib-2.0/schemas/
	/bin/dconf update
fi

Regards,

Frank Caviggia

--
Frank Caviggia
Senior Consultant, Red Hat
[email protected]
(M) (571) 295-4560

----- Original Message -----
From: "Sean" <[email protected]>
To: "SCAP Security Guide" <[email protected]>
Sent: Friday, December 11, 2015 12:21:14 PM
Subject: Question regarding EL7 gnome/dconf remediation strategy

Hi all,

I have been carefully watching the EL7 security guide remediation development over the past few months, hoping to get a leg up on the first release of the EL7 DISA-STIG. I have really enjoyed the work all of the contributors are putting in; at times the remediations have driven me to look at solving other problems in more graceful ways! So thank you for all the collective knowledge being put into this project!

So, on to the question... I was looking at the GNOME GUI-related items and how dconf has replaced gconftool-2. I have already used dconf db files to tweak GNOME desktops and wonder if my testing strategy is faulty, or if there is a shortcoming in limiting your search of dconf files to the local.d directory, and perhaps not including the site.d directory as well.

Let's take the screensaver idle-delay as an example. It seems that profiles typically follow this pattern: user -> local -> site. It's been my experience through some basic testing of the possibilities that when a site-level idle-delay and lock is in place, it overrides the local-level idle-delay and lock configuration the remediation would assert. This would mean that the setting would not comply with the SCAP test but still pass the test, right? Does the community see this as an issue? Or perhaps this is designed to allow for deviation from the standard?

Thanks for your input, and again especially for all the effort put in!

--Sean

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
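The precedence problem Sean raises is easy to reproduce offline without a GNOME session. The script below is an added example for this page; it is not from the thread, from ssg-el7-kickstart, or from the SCAP Security Guide project, and the function names (db_value, db_locked, effective_value, check_expected, make_fixture) are mine. It models dconf's read precedence over plain key files under a throwaway root rather than calling the dconf engine, and the model rests on two assumptions stated in the comments: for an unlocked key the database listed first in the profile wins, and a lock placed in a database listed later in the profile overrides every database above it, so the value is read from the locked database downward. The fixture is constructed to match Sean's scenario: local.d carries the idle-delay value and lock that the remediation writes, site.d carries a different value with its own lock.

```shell
#!/bin/sh
# Added example: resolve the effective value of one dconf key from system
# key files, to show how a site-level lock overrides a local-level
# remediation. This is a model of dconf precedence, not the dconf engine.
#
# Assumptions of the model:
#  - /etc/dconf/profile/<name> lists "user-db:" then "system-db:" lines;
#    for an unlocked key the first system database holding it wins.
#  - A lock in a database listed LATER in the profile overrides all the
#    databases listed before it: the value is read from that database or
#    the ones below it.
#  - Key files live in <root>/etc/dconf/db/<db>.d/*, locks in
#    <root>/etc/dconf/db/<db>.d/locks/*; later file names override earlier
#    ones. The user database is not modelled (system side only).
set -eu

# db_value DBDIR KEYPATH: print KEYPATH's value from DBDIR's key files, or
# nothing if the key is not set there.
db_value() {
    dbdir=$1; keypath=$2
    section=${keypath%/*}; section=${section#/}   # org/gnome/desktop/session
    key=${keypath##*/}                            # idle-delay
    [ -d "$dbdir" ] || return 0
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue                   # skip the locks/ directory
        awk -v sec="$section" -v key="$key" '
            /^\[/ { cur = substr($0, 2, length($0) - 2); next }
            /^[ \t]*(#|$)/ { next }
            cur == sec {
                i = index($0, "="); if (i == 0) next
                k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
                if (k == key) {
                    v = substr($0, i + 1)
                    sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                    last = v
                }
            }
            END { if (last != "") print last }' "$f"
    done | tail -n 1
}

# db_locked DBDIR KEYPATH: succeed if KEYPATH appears in any lock file.
db_locked() {
    [ -d "$1/locks" ] || return 1
    grep -qsxF -- "$2" "$1"/locks/*
}

# effective_value ROOT PROFILE KEYPATH: print "VALUE<TAB>DB<TAB>STATE", where
# STATE is "unlocked" or "locked-by:<db>", or "unset" if no database has it.
effective_value() {
    root=$1; profile=$2; keypath=$3
    dbs=$(sed -n 's/^system-db:[[:space:]]*//p' "$root/etc/dconf/profile/$profile")
    floor=""                                       # last (lowest) locked db wins
    for db in $dbs; do
        if db_locked "$root/etc/dconf/db/$db.d" "$keypath"; then floor=$db; fi
    done
    started=0; [ -n "$floor" ] || started=1
    for db in $dbs; do
        [ "$db" = "$floor" ] && started=1
        [ "$started" -eq 1 ] || continue           # ignore dbs above the lock
        v=$(db_value "$root/etc/dconf/db/$db.d" "$keypath")
        if [ -n "$v" ]; then
            state=unlocked; [ -z "$floor" ] || state="locked-by:$floor"
            printf '%s\t%s\t%s\n' "$v" "$db" "$state"
            return 0
        fi
    done
    printf 'unset\n'
}

# check_expected ROOT PROFILE KEYPATH EXPECTED: succeed only if the effective
# value equals what a remediation asserted (what a scanner should test).
check_expected() {
    got=$(effective_value "$1" "$2" "$3" | cut -f1)
    [ "$got" = "$4" ]
}

# make_fixture ROOT: constructed sample tree reproducing the thread's case.
make_fixture() {
    r=$1
    mkdir -p "$r/etc/dconf/profile" "$r/etc/dconf/db/local.d/locks" "$r/etc/dconf/db/site.d/locks"
    printf 'user-db:user\nsystem-db:local\nsystem-db:site\n' > "$r/etc/dconf/profile/user"
    printf '[org/gnome/desktop/session]\nidle-delay=uint32 900\n' > "$r/etc/dconf/db/local.d/00-security"
    printf '/org/gnome/desktop/session/idle-delay\n' > "$r/etc/dconf/db/local.d/locks/00-security"
    printf '[org/gnome/desktop/session]\nidle-delay=uint32 0\n' > "$r/etc/dconf/db/site.d/10-site"
    printf '/org/gnome/desktop/session/idle-delay\n' > "$r/etc/dconf/db/site.d/locks/10-site"
}

root=$(mktemp -d)
make_fixture "$root"
printf 'effective: %s\n' "$(effective_value "$root" user /org/gnome/desktop/session/idle-delay)"
rm -rf "$root"
```

With both databases locking the key, effective_value reports the site value (uint32 0, locked by site), so check_expected with the remediation's "uint32 900" fails; a scanner that only greps local.d would pass the same host. Deleting the site lock moves the floor up to local, and deleting both locks falls back to plain first-listed-wins, which is again local.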
