1.7.2 Ensure GDM login banner is configured
Audit#
Run the following commands to verify that the text banner on the login screen is enabled and set:
#gsettings get org.gnome.login-screen banner-message-enable
true
# gsettings get org.gnome.login-screen banner-message-text
'Authorized uses only. All activity may be monitored and reported'
Remediation#
- IF - A user profile is already created run the following commands to set and enable the text banner message on the login screen:
# gsettings set org.gnome.login-screen banner-message-text 'Authorized uses only. All activity may be monitored and reported'
# gsettings set org.gnome.login-screen banner-message-enable true
Note: - banner-message-text may be set in accordance with local site policy - gsettings commands in this section MUST be done from a command window on a graphical desktop or an error will be returned. - The system must be restarted after all gsettings configurations have been set in order for CIS-CAT Assessor to appropriately assess. - If the dconf database is not updating correctly due to umask requirements contain in the benchmark, then use (umask 0022 && gsetting set) commands from above to temporarily set umask ensuring that any files or directories created by gsettings will have the required permissions.
- OR/IF - A user profile does not exist: 1. Create or edit the gdm profile in the /etc/dconf/profile/gdm with the following lines:
Note: gdm is the name of a dconf database.-
Create a gdm keyfile for machine-wide settings in /etc/dconf/db/gdm.d/01-banner-message:
-
Update the system databases
Note: - Users must log out and back in again before the system-wide settings take effect.
- There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two column mode.
- The banner message cannot be read from an external file
Default Value: disabled