Merge pull request #12622 from mpurg/ubuntu2404_cis_dconf

Fix dconf controls for Ubuntu 24.04 CIS

controls/cis_ubuntu2404.yml

@@ -546,54 +546,66 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - enable_dconf_user_profile
+    rules:
       - login_banner_text=cis_default
       - dconf_gnome_banner_enabled
       - dconf_gnome_login_banner_text
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/1.8.2.
+    status: automated
 
   - id: 1.7.3
     title: Ensure GDM disable-user-list option is enabled (Automated)
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
       - dconf_gnome_disable_user_list
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/1.8.3.
+    status: automated
 
   - id: 1.7.4
     title: Ensure GDM screen locks when the user is idle (Automated)
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
+      - inactivity_timeout_value=15_minutes
+      - var_screensaver_lock_delay=5_seconds
+      - dconf_gnome_screensaver_idle_delay
       - dconf_gnome_screensaver_lock_enabled
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/1.8.4.
+      - dconf_gnome_screensaver_lock_delay
+    status: automated
+    notes: |
+      The rules satisfy both controls 1.7.4 and 1.7.5.
+      Rule lock_enabled is not part of CIS recommendation but is
+      required to assure the lock is enabled and cannot be manually disabled.
+      See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123
 
   - id: 1.7.5
     title: Ensure GDM screen locks cannot be overridden (Automated)
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
+      - dconf_gnome_screensaver_idle_delay
+      - dconf_gnome_screensaver_lock_enabled
       - dconf_gnome_screensaver_lock_delay
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/1.8.5.
+    status: automated
+    notes: |
+      The rules satisfy both controls 1.7.4 and 1.7.5.
+      Rule lock_enabled is not part of CIS recommendation but is
+      required to assure the lock is enabled and cannot be manually disabled.
+      See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123
 
   - id: 1.7.6
     title: Ensure GDM automatic mounting of removable media is disabled (Automated)
     levels:
       - l1_server
       - l2_workstation
-    related_rules:
+    rules:
       - dconf_gnome_disable_automount
       - dconf_gnome_disable_automount_open
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/1.8.6.
+    status: automated
+    notes: |
+      The rules satisfy both controls 1.7.6 and 1.7.7
 
   - id: 1.7.7
     title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)
@@ -615,6 +627,8 @@ controls:
     rules:
       - dconf_gnome_disable_autorun
     status: automated
+    notes: |
+      The rule satisfies both controls 1.7.8 and 1.7.9
 
   - id: 1.7.9
     title: Ensure GDM autorun-never is not overridden (Automated)

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh

@@ -1,15 +1,15 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 # packages = gdm3
-# variables = login_banner_text=default
+# variables = login_banner_text=Authorized users only. All activity may be monitored and reported.
 
 source $SHARED/dconf_test_functions.sh
 clean_dconf_settings
 add_dconf_profiles
 
 echo > /etc/gdm3/greeter.dconf-defaults
 
-banner_default="Authorized uses only. All activity may be monitored and reported."
+banner_default="Authorized users only. All activity may be monitored and reported."
 add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'$banner_default'" "{{{ dconf_gdm_dir }}}" "00-security-settings"
 add_dconf_lock "org/gnome/login-screen" "banner-message-text" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock"
 

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh

@@ -1,15 +1,15 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 # packages = gdm3
-# variables = login_banner_text=default
+# variables = login_banner_text=Authorized users only. All activity may be monitored and reported.
 
 source $SHARED/dconf_test_functions.sh
 clean_dconf_settings
 add_dconf_profiles
 
 conffile="/etc/gdm3/greeter.dconf-defaults"
 
-banner_default="Authorized uses only. All activity may be monitored and reported."
+banner_default="Authorized users only. All activity may be monitored and reported."
 sed -i '/banner-message-enable=/d;/banner-message-text=/d' ${conffile}
 sed -i "/^\[org\/gnome\/login-screen\]/a""banner-message-text='$banner_default'" ${conffile}
 

shared/templates/extra_ovals.yml

@@ -6,6 +6,7 @@ package_avahi_installed:
     pkgname@ubuntu1804: avahi-daemon
     pkgname@ubuntu2004: avahi-daemon
     pkgname@ubuntu2204: avahi-daemon
+    pkgname@ubuntu2404: avahi-daemon
 
 package_esc_installed:
   name: package_installed
@@ -23,6 +24,7 @@ package_dconf_installed:
     pkgname: dconf
     pkgname@ubuntu2004: dconf-service
     pkgname@ubuntu2204: dconf-service
+    pkgname@ubuntu2404: dconf-service
 
 package_gdm_installed:
   name: package_installed
@@ -32,6 +34,7 @@ package_gdm_installed:
     pkgname@ubuntu1804: gdm3
     pkgname@ubuntu2004: gdm3
     pkgname@ubuntu2204: gdm3
+    pkgname@ubuntu2404: gdm3
 
 package_pam_ldap_removed:
   name: package_removed