From de88c96f24de1f28b15b594fd22ce7b89329fc83 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 20 Jan 2023 10:29:50 +0000
Subject: [PATCH] section 1.8 alignment v1.0.0
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 4 +
 tasks/section_1/cis_1.8.x.yml | 162 +++++++++++++++---
 templates/ansible_vars_goss.yml.j2 | 5 +
 templates/etc/dconf/db/00-automount_lock.j2 | 9 +
 templates/etc/dconf/db/00-autorun_lock.j2 | 6 +
 templates/etc/dconf/db/00-media-automount.j2 | 7 +
 templates/etc/dconf/db/00-media-autorun.j2 | 6 +
 templates/etc/dconf/db/00-screensaver.j2 | 17 ++
 templates/etc/dconf/db/00-screensaver_lock.j2 | 9 +
 9 files changed, 198 insertions(+), 27 deletions(-)
 create mode 100644 templates/etc/dconf/db/00-automount_lock.j2
 create mode 100644 templates/etc/dconf/db/00-autorun_lock.j2
 create mode 100644 templates/etc/dconf/db/00-media-automount.j2
 create mode 100644 templates/etc/dconf/db/00-media-autorun.j2
 create mode 100644 templates/etc/dconf/db/00-screensaver.j2
 create mode 100644 templates/etc/dconf/db/00-screensaver_lock.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index b488183..ab0c146 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -370,6 +370,10 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4
 rhel9cis_bootloader_password: random
 rhel9cis_set_boot_pass: true
+# 1.8 Gnome Desktop
+rhel9cis_dconf_db_name: local
+rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
+rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
 # 1.10 Set crypto policy DEFAULT
 # Control 1.10 states not to use LEGACY
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml
index 97a5031..45124ec 100644
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
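Review bot: The inline comments on the two new delay variables say `Set max value for idle-delay in seconds (between 1 and 900)`, but the value is what gets templated into the dconf key, not a ceiling, so a reader may take 900 for a limit rather than the setting being applied. Suggest `rhel9cis_screensaver_idle_delay: 900  # Seconds of inactivity before the screen goes blank; CIS 1.8.4 accepts 1-900, 0 disables the screensaver` and `rhel9cis_screensaver_lock_delay: 5  # Seconds after blanking before the lock engages; CIS 1.8.4 accepts 0-5`. Nothing in the commit checks an override against those ranges, so an out-of-range or zero value is written silently; an assert task ahead of the 1.8.4 template step would make the documented bounds enforceable.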
@@ -70,14 +70,35 @@
 - rule_1.8.3 - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - ansible.builtin.copy: - dest: /etc/dconf/db/local.d/00-screensaver - content: | - [org/gnome/desktop/session] - idle-delay=uint32 300 - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - mode: '0644'
+ block:
+ - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | User profile"
+ ansible.builtin.lineinfile:
+ path: /etc/dconf/profile/user
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ create: true
+ user: root
+ group: root
+ mode: 0644
+ loop:
+ - { regexp: '^user-db', line: 'user-db: user' }
+ - { regexp: '^system-db', line: 'system-db: local' }
+
+ - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make db directory"
+ ansible.builtin.file:
+ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+
+ - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | screensaver"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-screensaver.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver"
+ owner: root
+ group: root
+ mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_4
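Review bot: The `User profile` lineinfile task passes `user: root`, which is not a lineinfile parameter (the ownership option is `owner`), so the task is rejected with an unsupported-parameter error before the rest of the block runs. The second loop item also hardcodes `system-db: local` while every path in the block is built from `rhel9cis_dconf_db_name`; with any other db name the compiled database is never listed in the profile and none of the 1.8.x settings or locks take effect. Change to `owner: root` and `- { regexp: '^system-db', line: 'system-db: {{ rhel9cis_dconf_db_name }}' }`. The `mode:` values in this hunk and in the 1.8.5-1.8.9 hunks mix quoted `'0644'` with bare `0644`/`0755`; quoting all of them avoids the YAML octal ambiguity ansible-lint flags. The block's `tags:` list lies outside the hunk.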
@@ -90,13 +111,23 @@
 - rule_1.8.4 - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/session - create: true - line: /org/gnome/desktop/screensaver/lock-delay - owner: root - group: root - mode: 0640
+ block:
+ - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory"
+ ansible.builtin.file:
+ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+
+ - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-screensaver_lock.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver"
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload dconf when: - rhel9cis_rule_1_8_5 - rhel9cis_gui
@@ -105,22 +136,16 @@
 - level1-workstation - patch - gui - - rule_1.8.3
+ - rule_1.8.5 -- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/00-media-automount - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - create: true
+- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-media-automount.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: 0644
+ mode: '0644' notify: Reload dconf - with_items: - - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - rhel9cis_rule_1_8_6 - rhel9cis_gui
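Review bot: The `make lock directory` task added here is repeated verbatim in the 1.8.7 and 1.8.9 blocks of the next hunk, and the `.d` directory task of 1.8.4 is repeated in 1.8.8; five copies of the same `ansible.builtin.file` call will drift the first time one of them is edited. A single prerequisite task run before 1.8.4 that creates `/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks` with `state: directory` would cover all of them, since the parent is created with it. The unchanged outer task name `"1.8.5 PATCH | Ensure GDM screen locks cannot be overridden"` is also missing the ` | ` separator that the new sub-task names and every other rule use. The block's `tags:` list continues in the next hunk.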
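Review bot: 1.8.6 now writes `00-media-automount` into `/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d` but, unlike 1.8.4 and 1.8.8, carries no task that creates that directory, so a run limited to `--tags rule_1.8.6` on a host where the directory does not yet exist fails in the template task on the missing parent. Either add the same `ansible.builtin.file ... state: directory` step here or create the directory once in a prerequisite task shared by all 1.8.x rules. The task's `tags:` list lies outside the hunk.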
@@ -131,6 +156,89 @@
 - gui - rule_1.8.6
+- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
+ block:
+ - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock directory"
+ ansible.builtin.file:
+ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+
+ - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-automount_lock.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload dconf
+ when:
+ - rhel9cis_rule_1_8_7
+ - rhel9cis_gui
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - gui
+ - rule_1.8.7
+
+- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled"
+ block:
+ - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make directory"
+ ansible.builtin.file:
+ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+
+ - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-media-autorun.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Reload dconf
+ when:
+ - rhel9cis_rule_1_8_8
+ - rhel9cis_gui
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - gui
+ - rule_1.8.8
+
+- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden"
+ block:
+ - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory"
+ ansible.builtin.file:
+ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+
+ - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | 
Make lockfile"
+ ansible.builtin.template:
+ src: etc/dconf/db/00-autorun_lock.j2
+ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload dconf
+ when:
+ - rhel9cis_rule_1_8_9
+ - rhel9cis_gui
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - gui
+ - rule_1.8.9 - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" ansible.builtin.lineinfile:
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index be7bb00..e7fe3b8 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -387,6 +387,11 @@ rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # aide setup via - cron, timer rhel9_aide_scan: cron
+# 1.8 Gnome Desktop
+rhel9cis_dconf_db_name: {{ rhel9cis_dconf_db_name }}
+rhel9cis_screensaver_idle_delay: {{ rhel9cis_screensaver_idle_delay }} # Set max value for idle-delay in seconds (between 1 and 900)
+rhel9cis_screensaver_lock_delay: {{ rhel9cis_screensaver_lock_delay }} # Set max value for lock-delay in seconds (between 0 and 5)
+
 # Section 2 ## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment
diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2
new file mode 100644
index 0000000..3534474
--- /dev/null
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@@ -0,0 +1,9 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+# Lock desktop media-handling automount setting
+/org/gnome/desktop/media-handling/automount
+
+# Lock desktop media-handling automount-open
+/org/gnome/desktop/media-handling/automount-open
diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2
new file mode 100644
index 0000000..04e23a5
--- /dev/null
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@@ -0,0 +1,6 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+# Lock desktop media-handling settings
+/org/gnome/desktop/media-handling/autorun-never
diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2
new file mode 100644
index 0000000..227498e
--- /dev/null
+++ b/templates/etc/dconf/db/00-media-automount.j2
@@ -0,0 +1,7 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2
new file mode 100644
index 0000000..a8c297f
--- /dev/null
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@@ -0,0 +1,6 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+[org/gnome/desktop/media-handling]
+autorun-never=true
diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2
new file mode 100644
index 0000000..139c429
--- /dev/null
+++ b/templates/etc/dconf/db/00-screensaver.j2
@@ -0,0 +1,17 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+
+# Specify the dconf path
+[org/gnome/desktop/session]
+
+# Number of seconds of inactivity before the screen goes blank
+# Set to 0 seconds if you want to deactivate the screensaver.
+idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }}
+
+# Specify the dconf path
+[org/gnome/desktop/screensaver]
+
+# Number of seconds after the screen is blank before locking the screen
+lock-delay=uint32 {{ ubtu22cis_screensaver_lock_delay }}
diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2
new file mode 100644
index 0000000..5d5869f
--- /dev/null
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
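Review bot: The comment `# Lock desktop media-handling settings` above the single lock entry overstates what this file does; it locks only `autorun-never`, while `automount` and `automount-open` are locked by the separate 00-automount_lock.j2. Suggest `# Lock desktop media-handling autorun-never setting`, matching the per-key comments used in 00-automount_lock.j2.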
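Review bot: The template reads `ubtu22cis_screensaver_idle_delay` and `ubtu22cis_screensaver_lock_delay`, but the variables this commit defines in defaults/main.yml and exports to the goss vars are `rhel9cis_screensaver_idle_delay` and `rhel9cis_screensaver_lock_delay`; with Ansible's default undefined-variable handling the 1.8.4 template task fails, and the screen-lock control is never applied. Change the two value lines to `idle-delay=uint32 {{ rhel9cis_screensaver_idle_delay }}` and `lock-delay=uint32 {{ rhel9cis_screensaver_lock_delay }}`. The comment `# Set to 0 seconds if you want to deactivate the screensaver.` invites the one value this control exists to prevent; replace it with `# CIS 1.8.4 expects 1-900; 0 disables the screensaver and fails the control.`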
@@ -0,0 +1,9 @@
+## Ansible controlled file
+# Added as part of CIS
+# provided by MindPointGroup LLC
+
+# Lock desktop screensaver idle-delay setting
+/org/gnome/desktop/session/idle-delay
+
+# Lock desktop screensaver lock-delay setting
+/org/gnome/desktop/screensaver/lock-delay